Security Incidents: Re: Strange back-orifice looking scan...

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Strange back-orifice looking scan...

From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Wed, 04 Sep 2002 21:09:46 +0000

Hey Jeff,

Port 1214 used by Kazaa aka Morpheus, this is obviously the remote port thatthe "scanner" is using. Port 31336 IS used by Back Orifice 2000 aka BO2k akaDeepBO (this is a special release of BO btw).

It appears the attacker may be doing one of two things:

a/ He/she has somehow manipulated Kazaa to scan not for other Kazaa users onport 1214, but to scan for BO infected machines on port 31336.The other possibility is simple - theyve written a scanner or customised thesettings of a current scanner to have the local scanning port on port 1214to make it look like its Kazaa doing it automatically, however they areactively portscanning either your network I wasnt sure if it was a networkyou had) or just your lone box.

This is just a suggestion, but the best one I could come up with :)

To check the validity of my theory, if it is a box with Kazaa operating onit it should have port 80 open if i recall, showing all shared files withinthe Kazaa program - they may have patched this in the later versions thathave been released lately of course :)

Hope this helps you


Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/

New Zealand

Is your box REALLY secure?

From: Jeff Kell <jeff-kell () utc edu>
To: Incidents List <incidents () securityfocus com>
Subject: Strange back-orifice looking scan...
Date: Wed, 04 Sep 2002 12:08:48 -0400
This popped up on ingress this morning, apparently with forged sourceaddresses (given the timing). Didn't get a packet capture but just
the signature (we block Back Orifice ports):
Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packetSep 4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet
Any clues on this one?  Looks new to me...

Jeff


_________________________________________________________________

MSN Photos is the easiest way to share and print your photos:http://photos.msn.com/support/worldwide.aspx



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

By Date By Thread

Current thread:

Strange back-orifice looking scan... Jeff Kell (Sep 04)
- <Possible follow-ups>
- Re: Strange back-orifice looking scan... KoRe MeLtDoWn (Sep 05)
  - Re: Strange back-orifice looking scan... Jeff Kell (Sep 05)
- Re: Strange back-orifice looking scan... Neil Dickey (Sep 05)
  - Re: Strange back-orifice looking scan... Scott Nursten (Sep 11)