Security Incidents: Re: Port 1975 rogue service

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Port 1975 rogue service

From: "Steven M. Christey" <coley () linus mitre org>
Date: Sat, 2 Nov 2002 18:41:55 -0500 (EST)


Just in case some list readers are wondering *why* this looks like an
FTP server, it's because of the "220-" lines, where 220 is a standard
status code.  FTP banners typically have multiple "220-" lines, and
the final banner line is a "220 " (the "-" is used to say "more lines
are coming.")

Even without knowing this signature of the FTP protocol, the banner
messages suggest a multi-user server ("leechers logged in") which is
used for data transfer ("kb leeched" and "kb filled").

- Steve

P.S.  To oversimplify, this is the sort of protocol-level knowledge
that might be expected of people with lower-level GIAC certifications
rather than broad-based CISSP certifications.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

By Date By Thread

Current thread:

Re: Port 1975 rogue service H C (Oct 31)
- <Possible follow-ups>
- Re: Port 1975 rogue service Christopher E. Cramer (Oct 31)
- Fw: Port 1975 rogue service Dean Farrington (Nov 02)
- Re: Port 1975 rogue service Steven M. Christey (Nov 02)
  - RE: Port 1975 rogue service Stacy Olivas (Nov 04)
- Re: Port 1975 rogue service H C (Nov 05)