Re: [NTSEC] Default trojan ports

[larry () sprint ca (Larry Chin)]

check out http://www.simovits.com/nyheter9902.html

===================================================================
Larry Chin {larry () sprint ca}      Technical Specialist - ISC
Sprint Canada                     2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693     Suite 200, North York, Ontario
Fax:   416.498.3507               M2J 5E6
===================================================================

On Mon, 23 Aug 1999, Fred wrote:

> TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo () iss net
> Contact ntsecurity-owner () iss net for help with any problems!
> ---------------------------------------------------------------------------
>
> Hi,
>
> I have found the information posted about trojan ports very informative and
> useful. I am trying to detect and remove any such existing trojan horse
> programs. But finding their hiding places to remove the trojan horse is very
> tedious.
>
> Wonder if anyone know of:
> (i)  Any place where I can get my hands on a compiled listing of these
> trojan horse information, like the exe filenames, size, where they would
> hide, etc..
> (ii)  Any IDS currently available or being developed with trojan horse
> detection mechanisms.
>
> Rgds ..... Fred
>
>
> -----Original Message-----
> From: Joakim von Braun <joakim.von.braun () risab se>
> To: ntsecurity () iss net <ntsecurity () iss net>
> Cc: firewalls () lists gnac com <firewalls () lists gnac com>;
> PacketStorm () genocide2600 com <PacketStorm () genocide2600 com>;
> flashback () flashback se <flashback () flashback se>
> Date: 13 May 1999 02:44
> Subject: [NTSEC] Default trojan ports
>
>
>
> TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo () iss net
> Contact ntsecurity-owner () iss net for help with any problems!
> ---------------------------------------------------------------------------
>
> After seeing several questions about traffic directed at ports as 31337 and
> 12345 I've put together a list of all trojans known to me and the default
> ports they are using. Of course several of them could use any port, but I
> hope this list will maybe give you a clue of what might be going on.
>
> port       21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx,
>                     WinCrash
> port       23 - Tiny Telnet Server
> port       25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz
>                     Stealth, Terminator, WinPC, WinSpy
> port       31 - Hackers Paradise
> port       80 - Executor
> port     456 - Hackers Paradise
> port     555 - Ini-Killer, Phase Zero, Stealth Spy
> port     666 - Satanz Backdoor
> port   1001 - Silencer, WebEx
> port   1011 - Doly Trojan
> port   1170 - Psyber Stream Server, Voice
> port   1234 - Ultors Trojan
> port   1245 - VooDoo Doll
> port   1492 - FTP99CMP
> port   1600 - Shivka-Burka
> port   1807 - SpySender
> port   1981 - Shockrave
> port   1999 - BackDoor
> port   2001 - Trojan Cow
> port   2023 - Ripper
> port   2115 - Bugs
> port   2140 - Deep Throat, The Invasor
> port   2801 - Phineas Phucker
> port   3024 - WinCrash
> port   3129 - Masters Paradise
> port   3150 - Deep Throat, The Invasor
> port   3700 - Portal of Doom
> port   4092 - WinCrash
> port   4590 - ICQTrojan
> port   5000 - Sockets de Troie
> port   5001 - Sockets de Troie
> port   5321 - Firehotcker
> port   5400 - Blade Runner
> port   5401 - Blade Runner
> port   5402 - Blade Runner
> port   5569 - Robo-Hack
> port   5742 - WinCrash
> port   6670 - DeepThroat
> port   6771 - DeepThroat
> port   6969 - GateCrasher, Priority
> port   7000 - Remote Grab
> port   7300 - NetMonitor
> port   7301 - NetMonitor
> port   7306 - NetMonitor
> port   7307 - NetMonitor
> port   7308 - NetMonitor
> port   7789 - ICKiller
> port   9872 - Portal of Doom
> port   9873 - Portal of Doom
> port   9874 - Portal of Doom
> port   9875 - Portal of Doom
> port   9989 - iNi-Killer
> port 10067 - Portal of Doom
> port 10167 - Portal of Doom
> port 11000 - Senna Spy
> port 11223 - Progenic trojan
> port 12223 - Hack´99 KeyLogger
> port 12345 - GabanBus, NetBus
> port 12346 - GabanBus, NetBus
> port 12361 - Whack-a-mole
> port 12362 - Whack-a-mole
> port 16969 - Priority
> port 20001 - Millennium
> port 20034 - NetBus 2 Pro
> port 21544 - GirlFriend
> port 22222 - Prosiak
> port 23456 - Evil FTP, Ugly FTP
> port 26274 - Delta
> port 31337 - Back Orifice
> port 31338 - Back Orifice, DeepBO
> port 31339 - NetSpy DK
> port 31666 - BOWhack
> port 33333 - Prosiak
> port 34324 - BigGluck, TN
> port 40412 - The Spy
> port 40421 - Masters Paradise
> port 40422 - Masters Paradise
> port 40423 - Masters Paradise
> port 40426 - Masters Paradise
> port 47262 - Delta
> port 50505 - Sockets de Troie
> port 50766 - Fore
> port 53001 - Remote Windows Shutdown
> port 61466 - Telecommando
> port 65000 - Devil
>
> You'll find the list on the following address:
> http://www.simovits.com/nyheter9902.html  (still in Swedish but it will be
> translated in the near future).
>
> To help anyone to detect trojan attacks, I´m planning to add information
> about the original names of the executables, their size, where they usually
> are hiding, and the names of any helpfiles they may use. I will also add
> tools or links to tools that may be of your assistance.
>
> Feel free to get back to me with any comments or suggestions. If you find
> new trojans I´ll love to get my hands on them, but please mail me first, as
> I don´t need more than one copy. If you have live experiance of trojan
> attacks I´m interested to read about your findings.
>
> Joakim
>
> joakim.von.braun () risab se