Intrusion Detection Systems mailing list archives

RE: Scanning on tcp port 27374


From: JaBenninghoff () DainRauscher com (Benninghoff, John)
Date: Thu, 27 Apr 2000 15:13:59 -0500


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Thanks to everyone who responded. I was not aware of the SubSeven Trojan,
but from what I've seen, it's currently the most popular "Back Door" trojan
in use. I've seen many more scans for SubSeven than NetBus or BackOrifice,
the two I already knew of.

I found a description of SubSeven at:
http://vil.nai.com/villib/dispVirus.asp?virus_k=10566 (description of
infection)

Other useful links (sent to me) were:
http://www.simovits.com/nyheter9902.html (list of Trojan ports)
http://www.robertgraham.com/pubs/firewall-seen.html (excellent reference)

As a clarification, these scans were captured using a packet sniffer, *not*
from host activity (fortunately).

-----Original Message-----
From: Benninghoff, John [mailto:JaBenninghoff () DainRauscher com]
Sent: Wednesday, April 26, 2000 2:47 PM
To: ids () uow edu au
Subject: IDS: Scanning on tcp port 27374

Hello all,

I've been lurking on IDS for several months now and I have a question for
the list...

I am currently working with Network ID using SHADOW, and I have seen several
sequential and semi-sequential scans on tcp port 27374. I have not been able
to figure out what exploit or service these scans are looking for, and I was
wondering if anyone knew what service runs on this port, or is it simply an
arbitrary port used by a scanning tool? Also, has anyone else come across
these types of scans?

Any info would be appreciated. Thanks.

-------------------------------------
John A Benninghoff
mailto:jabenninghoff () dainrauscher com
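
Added example, not part of either message above: one way to pick sweeps of tcp port 27374, like those described in the thread, out of sniffer output and label them sequential or semi-sequential. The simplified tcpdump-style line format, the sample lines, the function name and the thresholds (min_hosts, max_step, the 70% cut-off used for "semi-sequential") are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

SUBSEVEN_PORT = 27374  # the port discussed in the thread
# Constructed sample: simplified tcpdump-style SYN lines, documentation addresses.
SAMPLE = """\
14:47:01.10 203.0.113.7.4021 > 192.0.2.10.27374: S
14:47:01.11 203.0.113.7.4022 > 192.0.2.11.27374: S
14:47:01.12 203.0.113.7.4023 > 192.0.2.12.27374: S
14:47:01.13 203.0.113.7.4024 > 192.0.2.13.27374: S
14:47:02.40 198.51.100.99.1055 > 192.0.2.80.80: S
14:47:03.01 198.51.100.23.2100 > 192.0.2.20.27374: S
14:47:03.05 198.51.100.23.2101 > 192.0.2.22.27374: S
14:47:03.09 198.51.100.23.2102 > 192.0.2.23.27374: S
14:47:03.14 198.51.100.23.2103 > 192.0.2.26.27374: S
14:47:03.20 198.51.100.23.2104 > 192.0.2.27.27374: S
14:47:09.77 203.0.113.50.3300 > 192.0.2.5.27374: S
"""

# timestamp, src_ip.src_port > dst_ip.dst_port: S (SYN flag)
LINE = re.compile(r"^\S+ ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): S\b")

def find_scans(text, port=SUBSEVEN_PORT, min_hosts=4, max_step=4):
    """Map each source probing `port` on >= min_hosts hosts to (pattern, host count)."""
    targets = defaultdict(list)  # source -> distinct targets in arrival order
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(4)) != port:
            continue
        dst = int(ipaddress.IPv4Address(m.group(3)))
        if dst not in targets[m.group(1)]:
            targets[m.group(1)].append(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_hosts:
            continue  # a lone probe is not a sweep
        steps = [b - a for a, b in zip(dsts, dsts[1:])]  # address gaps between probes
        if all(s == 1 for s in steps):
            pattern = "sequential"
        elif sum(0 < s <= max_step for s in steps) >= 0.7 * len(steps):
            pattern = "semi-sequential"  # ascending with small gaps (assumed definition)
        else:
            pattern = "scattered"
        report[src] = (pattern, len(dsts))
    return report

if __name__ == "__main__":
    for src, (pattern, n) in find_scans(SAMPLE).items():
        print(f"{src}: {pattern} sweep of tcp/{SUBSEVEN_PORT} across {n} hosts")
```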

