Preston,

> I've seen quite a bit of traffic on ports tcp/12345
> and tcp/27374.
> According to what I've seen, 27374 is a port used by
> quite a few versions of SubSeven,

A couple of things...first, port 27374 is the default
port for both SubSeven and the Ramen worm
(Linux). Therefore, a SYN packet destined for that
port is, in and of itself, inconclusive.

Second, I'm sure you're aware that default ports are
just that, and in many cases, configurable.

> as for 12345, it's not mentioned that SubSeven
> runs on that port (that I've seen)

It's NetBus's default port (1.7x and previous
versions).

> but I am seeing attempted
> connections to these ports at the same time (maybe
> some other vuln
> attempt I'm not aware of? anyone?). Hope that
> helps.

Given that these SYN packets are dropped by the f/w
(in most cases), they simply seem to be scans at this
point. As far as vulnerabilities are concerned, they
may or may not be...but if there's a trojan installed
on a system, the admin has more to worry about than
vulnerabilities.
Received on Aug 13 2002
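
The pattern discussed in this thread, dropped SYNs to tcp/12345 and tcp/27374 arriving together, can be pulled out of firewall logs with a short correlation script. This is an added example, not code from either poster; the log layout, the addresses (documentation ranges) and the function name `paired_probes` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default listener ports named in the thread. Defaults are configurable,
# so a hit on a port identifies a scan target, not the tool behind it.
WATCHED = {12345: "NetBus (1.7x and earlier)", 27374: "SubSeven or Ramen"}

# Constructed sample lines in an assumed firewall drop-log layout.
SAMPLE_LOG = """\
2002-08-13T10:00:01 DROP TCP 192.0.2.10:4021 -> 198.51.100.5:12345 SYN
2002-08-13T10:00:02 DROP TCP 192.0.2.10:4022 -> 198.51.100.5:27374 SYN
2002-08-13T10:00:03 DROP TCP 192.0.2.77:3100 -> 198.51.100.5:27374 SYN
2002-08-13T10:00:04 DROP TCP 192.0.2.10:4023 -> 198.51.100.5:80 SYN
2002-08-13T10:05:00 DROP TCP 203.0.113.9:1500 -> 198.51.100.6:12345 SYN
2002-08-13T11:30:00 DROP TCP 203.0.113.9:1501 -> 198.51.100.6:27374 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP TCP (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)

def paired_probes(log_text, window=timedelta(seconds=60)):
    """Map (src, dst) -> seconds between first-logged probes, for sources
    whose dropped SYNs hit every watched port on one host within window."""
    first_seen = defaultdict(dict)  # (src, dst) -> {port: first timestamp}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed layout
        port = int(m["dport"])
        if port in WATCHED:
            ts = datetime.fromisoformat(m["ts"])
            first_seen[(m["src"], m["dst"])].setdefault(port, ts)
    hits = {}
    for pair, ports in first_seen.items():
        if set(ports) == set(WATCHED):
            gap = max(ports.values()) - min(ports.values())
            if gap <= window:
                hits[pair] = gap.total_seconds()
    return hits

if __name__ == "__main__":
    for (src, dst), gap in paired_probes(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: both watched ports probed within {gap:.0f}s")
```

A source that appears in the result was sweeping for both default ports; a single-port hit such as `192.0.2.77` stays out of the result because, as noted above, one SYN to 27374 is inconclusive on its own.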