Security Incidents mailing list archives
Re: Guess the tool...
From: Paul Gear <paulgear () bigfoot com>
Date: Wed, 12 Sep 2001 05:27:09 +1000
"Portnoy, Gary" wrote:
Greetings, Can anyone tell me which Windows tool is used to scan for ports 139, 12345, and 27374. (Example below) This occurs often enough that it makes me think that it's a tool, I just can't find any mention of it anywhere...
The information I have seen indicates that 12345 is a port normally used by Netbus, a Windows trojan horse <http://www.irchelp.org/irchelp/security/netbus.html>. I had someone (on the same cable segment as me) scanning me for the Netbus port 72 times in 10 days. Dunno what he thought he could achieve by repeating so often.

I believe port 27374 can be used by a number of things, including the Sub-7 Windows trojan horse <http://www.networkice.com/advice/Exploits/Ports/27374/default.htm> and the Linux Ramen worm <http://www.cert.org/incident_notes/IN-2001-01.html>.

I expect what you've got is a script that is scanning for previously-compromised systems.

Paul
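An added example, not part of the original post or the list archive: one way to pick this pattern out of firewall deny logs is to flag any source that probes two or more of the ports discussed above on the same host within a short window. The log format, the sample lines, the 60-second window and the function name are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 12345 and 27374 associations are those given in the post; 139 is NetBIOS session service.
WATCHED = {139: "NetBIOS session", 12345: "NetBus", 27374: "SubSeven / Ramen"}

# Constructed log format (assumption): "<ISO time> DENY TCP <src> -> <dst>:<port>"
LINE = re.compile(r"^(\S+) DENY TCP (\S+) -> (\S+):(\d+)$")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
2001-09-11T04:10:01 DENY TCP 192.0.2.10 -> 198.51.100.5:139
2001-09-11T04:10:02 DENY TCP 192.0.2.10 -> 198.51.100.5:12345
2001-09-11T04:10:02 DENY TCP 192.0.2.10 -> 198.51.100.5:27374
2001-09-11T06:00:00 DENY TCP 192.0.2.77 -> 198.51.100.5:12345
2001-09-11T09:30:00 DENY TCP 192.0.2.77 -> 198.51.100.5:12345
2001-09-11T11:00:00 DENY TCP 203.0.113.4 -> 198.51.100.5:80
malformed line
"""

def find_backdoor_sweeps(log_text, window=timedelta(seconds=60), min_ports=2):
    """Return {src: sorted ports} for sources that hit at least min_ports
    distinct watched ports on one destination within the time window."""
    events = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if port in WATCHED:
            events[(src, dst)].append((datetime.fromisoformat(ts), port))
    sweeps = {}
    for (src, _dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                sweeps.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in sweeps.items()}

if __name__ == "__main__":
    for src, ports in find_backdoor_sweeps(SAMPLE_LOG).items():
        print(src, [(p, WATCHED[p]) for p in ports])
```

A source that repeats a single port, like the NetBus-only prober in the sample, is not flagged by this check and would need a separate per-port repeat count.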
