Intrusion Detection Systems mailing list archives
Re: RE: Scanning on tcp port 27374
From: mcondy () gssec bt co uk (Mike Condy)
Date: Fri, 28 Apr 2000 11:17:43 +0100
"Benninghoff, John" wrote:

A commercial product is available that scans systems for trojans: Cybersight. Testing shows it can detect variants not previously in its fingerprint database. The product can clean up and will report to a central console. I believe a cut-down version is available for trial; this simply reports the detection on the machine itself.

Mike Condy
----------------------------
Volum cum Scentia
-----------------------------------------------------------------------------
Thanks to everyone who responded. I was not aware of the SubSeven Trojan, but from what I've seen, it's currently the most popular "Back Door" trojan in use. I've seen many more scans for SubSeven than NetBus or BackOrifice, the two I already knew of.

I found a description of SubSeven at:
http://vil.nai.com/villib/dispVirus.asp?virus_k=10566 (description of infection)

Other useful links (sent to me) were:
http://www.simovits.com/nyheter9902.html (list of Trojan ports)
http://www.robertgraham.com/pubs/firewall-seen.html (excellent reference)

As a clarification, these scans were captured using a packet sniffer, *not* from host activity (fortunately).

-----Original Message-----
From: Benninghoff, John [mailto:JaBenninghoff () DainRauscher com]
Sent: Wednesday, April 26, 2000 2:47 PM
To: ids () uow edu au
Subject: IDS: Scanning on tcp port 27374

Hello all,

I've been lurking on IDS for several months now and I have a question for the list...

I am currently working with Network ID using SHADOW, and I have seen several sequential and semi-sequential scans on tcp port 27374. I have not been able to figure out what exploit or service these scans are looking for, and I was wondering if anyone knew what service runs on this port, or is it simply an arbitrary port used by a scanning tool? Also, has anyone else come across these types of scans?

Any info would be appreciated. Thanks.

-------------------------------------
John A Benninghoff
mailto:jabenninghoff () dainrauscher com
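One way to pick the sequential and semi-sequential scans on tcp port 27374 described in this thread out of sniffer output, added here as an example and not part of any poster's message or of SHADOW. The tcpdump-style line format, the sample lines, the function names and the definition of "semi-sequential" (targets strictly increasing, with gaps) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

SUBSEVEN_PORT = 27374  # port discussed in the thread

# Constructed tcpdump-style lines using documentation address ranges; not real traffic.
SAMPLE = """\
11:02:01.100 203.0.113.7.1501 > 192.0.2.10.27374: S 100:100(0) win 8192
11:02:01.150 192.0.2.10.27374 > 203.0.113.7.1501: R 0:0(0) ack 101 win 0
11:02:01.200 203.0.113.7.1502 > 192.0.2.11.27374: S 200:200(0) win 8192
11:02:01.300 198.51.100.23.4000 > 192.0.2.10.27374: S 300:300(0) win 8192
11:02:01.400 203.0.113.7.1503 > 192.0.2.12.27374: S 400:400(0) win 8192
11:02:01.500 198.51.100.23.4001 > 192.0.2.12.27374: S 500:500(0) win 8192
11:02:01.600 203.0.113.7.1504 > 192.0.2.13.27374: S 600:600(0) win 8192
11:02:01.700 198.51.100.23.4002 > 192.0.2.15.27374: S 700:700(0) win 8192
11:02:01.800 203.0.113.7.1505 > 192.0.2.13.80: S 800:800(0) win 8192
11:02:01.900 198.51.100.23.4003 > 192.0.2.19.27374: S 900:900(0) win 8192
11:02:02.000 198.51.100.99.2222 > 192.0.2.40.27374: S 950:950(0) win 8192
"""

# time, src.ip.port > dst.ip.port: S  (SYN segments only)
LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S ")

def probes_by_source(text, port=SUBSEVEN_PORT):
    """Map source IP -> distinct destinations (as ints) sent a SYN on `port`, in capture order."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and int(m.group(4)) == port:
            dst = int(ipaddress.IPv4Address(m.group(3)))
            if dst not in seen[m.group(1)]:
                seen[m.group(1)].append(dst)
    return seen

def classify(dsts, min_hosts=4):
    """Label one source's target order; None means too few hosts to call it a sweep."""
    if len(dsts) < min_hosts:
        return None
    steps = [b - a for a, b in zip(dsts, dsts[1:])]
    if all(s == 1 for s in steps):
        return "sequential"
    if all(s > 0 for s in steps):  # assumption: always upward, skipping some hosts
        return "semi-sequential"
    return "scattered"

def sweep_report(text):
    """Return {source IP: label} for every source that swept the port."""
    report = {}
    for src, dsts in probes_by_source(text).items():
        label = classify(dsts)
        if label:
            report[src] = label
    return report

if __name__ == "__main__":
    print(sweep_report(SAMPLE))
```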
