Security Incidents mailing list archives
Re: Please help identify this traffic
From: "Leonard S. Dupray Jr." <stealthmode316 () PEOPLEPC COM>
Date: Sat, 12 Aug 2000 16:15:41 -0700
Ralf,

It looks like someone on your network is trying out the product PC-Duo. From the logs you have provided, the program will try and discover all the PC-Duo servers (they call them clients) on the network that the user provides. Also, I have provided links about this product below.

PC-Duo Version 5.03

This program is like PC_Anywhere. It listens on the default ports 7445 and 5405, UDP and TCP. Its default config is also with no password. It lets you control the machine remotely. So I am assuming that someone is looking for this server and trying to gain access to that machine.

I have provided a URL for you to take a look at the product and a link that describes this product. Also, I loaded the program up on my Win98 box, and sure enough, it opened up the 2 ports 7445 and 5405.

If you have any other questions, please feel free to email me.

http://www.netmedia.fi/Fin/Downloads/pcd32v503.txt
http://www.pc-remote-control.com/

stealthmode316
"Network Investigation Team"
"It's on in the Year 2000"

----- Original Message -----
From: "Laura Nuñez" <potus () GLACYAR COM AR>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, November 10, 2000 1:51 PM
Subject: Re: Please help identify this traffic

Hi,

I only found 5405 port on IANA assignments, and it was for HP, so I made a quick search on their site, and there appear to be other people asking about scans and OpenView, too. If your bb and cc machines have HP agents installed you could ask HP (anybody from HP in the list?) if they could clarify this.

IANA..>
# Harold Froehling <hrf () cup hp com>
netsupport 5405/tcp NetSupport
netsupport 5405/udp NetSupport

HP 1035 Port..>
http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xa0a583667c40d4118feb0090279cd0f9,00.html

HP 1045 Port...>
http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0xcafc6c96588ad4118fef0090279cd0f9,00.html

Good luck,
Laura

---------------------------------------
Laura Nuñez
mailto:potus () glacyar com ar
PGP Fingerprint: 995C 89F3 DAF5 F106 4D6C C4B4 8A0C 832F A2FD 1BBA
PGP Public Key: http://www.glacyar.com.ar/potus.asc
Website: http://www.glacyar.com.ar
Glacyar InfoSec list: http://glacyar.listbot.com/
---------------------------------------

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On behalf of Ralf G. R. Bergs
Sent: Thursday, November 09, 2000 07:27 a.m.
To: INCIDENTS () SECURITYFOCUS COM
Subject: Please help identify this traffic

Hi there,

can anyone shed light on what might be causing the following traffic?

input DENY eth0 PROTO=17 137.226.aaa.bb:1045 137.226.255.255:5405 L=64 S= 0x00 I=60730 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.bb:1045 137.226.255.255:7445 L=64 S= 0x00 I=60986 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.bb:1045 137.226.255.255:5405 L=64 S= 0x00 I=61242 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.bb:1045 137.226.255.255:7445 L=64 S= 0x00 I=61498 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.bb:1045 137.226.255.255:5405 L=64 S= 0x00 I=62266 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.bb:1045 137.226.255.255:7445 L=64 S= 0x00 I=62522 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.cc:1035 137.226.255.255:5405 L=64 S= 0x00 I=59918 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.cc:1035 137.226.255.255:7445 L=64 S= 0x00 I=60174 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.cc:1035 137.226.255.255:5405 L=64 S= 0x00 I=60942 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.cc:1035 137.226.255.255:7445 L=64 S= 0x00 I=61198 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.cc:1035 137.226.255.255:5405 L=64 S= 0x00 I=62222 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 137.226.aaa.cc:1035 137.226.255.255:7445 L=64 S= 0x00 I=62478 F=0x0000 T=128 (#38)

It started yesterday, and I'm always seeing this very same pattern.

Thanks,

Ralf

--
Sign the EU petition against SPAM:     L I N U X     .~.
http://www.politik-digital.de/spam/    The Choice    /V\
                                       of a GNU     /( )\
                                       Generation   ^^-^^

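
An added example, not part of any poster's message: a small Python filter for the pattern discussed in this thread, where one source sends UDP packets to the subnet broadcast address on both 5405 and 7445. The sample lines are constructed with documentation addresses in the same layout as the log above, and the function name and its `network` argument are assumptions of this example; anonymized addresses such as `137.226.aaa.bb` would need to be real IPs to parse.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the thread attributes to PC-Duo's default configuration.
PCDUO_PORTS = {5405, 7445}

# ipchains-style packet log fields: chain, verdict, interface, protocol,
# source ip:port, destination ip:port.
LINE_RE = re.compile(
    r"(?P<chain>\S+) (?P<verdict>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def find_pcduo_discovery(lines, network):
    """Return {source_ip: probe_count} for hosts that sent UDP to the
    network's broadcast address on every port in PCDUO_PORTS."""
    broadcast = ipaddress.ip_network(network).broadcast_address
    ports_seen = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "17":  # 17 = UDP
            continue
        if ipaddress.ip_address(m["dst"]) != broadcast:
            continue
        dport = int(m["dport"])
        if dport in PCDUO_PORTS:
            ports_seen[m["src"]].add(dport)
            counts[m["src"]] += 1
    # Only report sources that probed both ports, as in the logged pattern.
    return {s: counts[s] for s, p in ports_seen.items() if p == PCDUO_PORTS}

# Constructed sample (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
input DENY eth0 PROTO=17 192.0.2.10:1045 192.0.2.255:5405 L=64 S=0x00 I=60730 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 192.0.2.10:1045 192.0.2.255:7445 L=64 S=0x00 I=60986 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 192.0.2.20:1035 192.0.2.255:5405 L=64 S=0x00 I=59918 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 192.0.2.20:1035 192.0.2.255:7445 L=64 S=0x00 I=60174 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=17 192.0.2.30:137 192.0.2.255:137 L=78 S=0x00 I=4102 F=0x0000 T=128 (#38)
input DENY eth0 PROTO=6 192.0.2.40:2001 192.0.2.50:5405 L=48 S=0x00 I=7001 F=0x4000 T=128 (#38)
input DENY eth0 PROTO=17 192.0.2.60:1050 192.0.2.255:5405 L=64 S=0x00 I=8100 F=0x0000 T=128 (#38)
""".splitlines()

if __name__ == "__main__":
    for src, n in find_pcduo_discovery(SAMPLE_LOG, "192.0.2.0/24").items():
        print(f"{src}: {n} broadcast probes to UDP 5405 and 7445")
```

Hosts that hit only one of the two ports, such as the last sample line, are left out because 5405 on its own is also the registered NetSupport port mentioned in the thread.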
Current thread:
- Please help identify this traffic Ralf G. R. Bergs (Nov 11)
- Re: Please help identify this traffic Laura Nuñez (Nov 13)
- Re: Please help identify this traffic Leonard S. Dupray Jr. (Nov 13)
 
 
