"Portnoy, Gary" wrote: > > Greetings, > > Can anyone tell me which Windows tool is used to scan for ports 139, 12345, > and 27374. (Example below) This occurs often enough that it makes me think > that it's a tool, I just can't find any mention of it anywhere... The information i have seen indicates that 12345 is a port normally used by Netbus, a Windows trojan horse <http://www.irchelp.org/irchelp/security/netbus.html>. I had someone (on the same cable segment as me) scanning me for the Netbus port 72 times in 10 days. Dunno what he thought he could achieve by repeating so often. I believe port 27374 can be used by a number of things, including the Sub-7 Windows trojan horse <http://www.networkice.com/advice/Exploits/Ports/27374/default.htm> and the Linux Ramen worm <http://www.cert.org/incident_notes/IN-2001-01.html>. I expect what you've got is a script that is scanning for previously-compromised systems. Paul ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 12:41:44 PDT