ref the original message, ppl scanning port 1080 are looking for
wingates/socks proxies so it is 99% sure this is what it was - whether it
was an irc server checking u or someone hunting for a proxy to use is not
possible to tell without more info (like ip, etc.).

port 31337 is also a common trojan port (doesn't have to be BO - could be any
of them that allow configurable ports). also note: 31337 is also what
hackers (and hacker wannabes) use for "elite" (eleet) and therefore a
popular number to use, mostly among the wannabes, but then i guess most of
u know this already...

enjoy ur surfing and keep an eye on yer netstats, ppl.

-----Original Message-----
From: R a v e N <barakirs_at_netvision.net.il>
To: INCIDENTS_at_SECURITYFOCUS.COM <INCIDENTS_at_SECURITYFOCUS.COM>
Date: 03 January 2000 23:58
Subject: Re: correlation between porscans and local activity
>Both ports are Windows remote administration trojan ports, I think.
>Could either be a script kiddie scanning everyone on his contact list
>that goes online (maybe with some ICQ plugins. I've seen some
>"click-and-winnuke" ICQ plugins once, so I guess there are RAT port
>scanners for ICQ as well. Next thing there's gonna be an integrated
>message spoofer and other such features like in LIcq). It could also be
>another script kiddie scanning whole subnets for RAT ports.
>If not (I'm completely sure that the second is a RAT port, but I don't
>know about the first), it could just be an IRC server scanning someone
>from your family for a wingate or SOCKS firewall on their box that can
>be used for bouncing (most IRC servers do this whenever someone
>initiates an IRC session with them in order to fight wingaters and
>suchlikes).
>
>Try downloading blacksun.box.sk/nemesis-latest.zip. It scans for RAT
>ports on your local machine and on your friends' machines or on your own
>network and searches for RATs. It is possible that the "attacker(s)"
>is/are misusing it or a similar program...
>
>--
>If a packet hits a pocket on a socket on a port
>And the bus is interrupted as a very last resort
>And the address of the memory makes the data link abort
>Then the socket packet pocket has an error to report.
>
>http://blacksun.box.sk
>
>Thomas Molina wrote:
>>
>> This weekend I've started noticing a possible loose correlation between
>> portscans on my Linux boxes and local activity. It is connected to the
>> internet through a cable modem. It also provides masqueraded internet
>> connectivity for a couple of Win 98 boxes. The Windows boxes mainly are
>> used by the family for web browsing, icq, and aol instant messaging.
>>
>> There now appears to be some coincidence between the times my family
>> does web browsing and when I get scanned for port 1080. I also got some
>> scans for port 31337 (back orifice?) following an icq session by my son.
>>
>> Is this just a wild guess on my part or am I just now noticing something
>> blindingly obvious to everyone else?
>>
>> Time to learn more about NAT and iptables so I can confirm this wild
>> theory.
>
Received on Jan 04 2000
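
One way to test the correlation discussed in this thread, as an added example that is not part of the original messages: label each probe of port 1080 or 31337 by whether its source is a host the masqueraded LAN contacted shortly before (consistent with, but not proof of, an IRC server's proxy check), whether the LAN was merely active at the time, or neither. The `LAN-OUT` and `WAN-DROP` log prefixes, the interface names, the addresses, the year and the 15-minute window are all assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the style of iptables LOG output. "LAN-OUT" (new
# forwarded connection from a masqueraded host) and "WAN-DROP" (dropped inbound
# probe) are assumed --log-prefix values, not taken from the thread.
SAMPLE_LOG = """\
Jan  3 21:14:02 gw kernel: LAN-OUT IN=eth1 OUT=eth0 SRC=192.168.1.3 DST=198.51.100.7 PROTO=TCP SPT=1034 DPT=6667
Jan  3 21:14:05 gw kernel: WAN-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=4021 DPT=1080
Jan  3 21:40:11 gw kernel: LAN-OUT IN=eth1 OUT=eth0 SRC=192.168.1.4 DST=192.0.2.55 PROTO=UDP SPT=1077 DPT=4000
Jan  3 21:52:47 gw kernel: WAN-DROP IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.20 PROTO=TCP SPT=3305 DPT=31337
Jan  3 23:30:00 gw kernel: WAN-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=4100 DPT=1080
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (LAN-OUT|WAN-DROP) "
                  r".*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")
WATCHED = {1080, 31337}          # the two ports discussed in the thread
WINDOW = timedelta(minutes=15)   # assumed correlation window

def parse(log, year=2000):
    """Yield (time, kind, src, dst, dport); syslog omits the year, so one is assumed."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield ts, m[2], m[3], m[4], int(m[5])

def classify(log):
    """Label each probe of a watched port by its relation to recent LAN activity."""
    outbound, results = [], []
    for ts, kind, src, dst, dport in parse(log):
        if kind == "LAN-OUT":
            outbound.append((ts, src, dst))
            continue
        if dport not in WATCHED:
            continue
        recent = [o for o in outbound if ts - o[0] <= WINDOW]
        if any(o[2] == src for o in recent):
            label = "peer"        # prober is a host the LAN just contacted
        elif recent:
            label = "coincident"  # LAN was active, but not with this prober
        else:
            label = "unrelated"   # no LAN activity inside the window
        results.append((src, dport, label))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row)
```

A "coincident" result only says that a LAN host was active at the time, so it needs the prober's address checked against the session's peers before drawing any conclusion.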