


Security Incidents: Re: Firewall hits/unknown ports

Re: Firewall hits/unknown ports

From: Nick FitzGerald <nick_at_virus-l.demon.co.uk>
Date: Thu, 8 Nov 2001 07:45:08 +1200

<bonk_at_webchat.chatsystems.com> wrote:

> Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ?
> Snort.org doesn't list these.

This style of reply is seldom accepted for posting, but it should be
remembered that only knowing the attempted port is a **very, very
poor** diagnostic. Most of the modern RATs, bots, etc., and
nearly all of the widely used ones, allow the ports they run on to be
configured. Thus, only knowing "port X was scanned" and "port X is
the default port for <some RAT>" does not tell you much. Further,
few of the IDSes, etc. do traffic analysis to better detect which RAT,
bot, etc. may be involved *and*, of those that do, few do so for more
than a tiny fraction of the RATs.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Nov 08 2001