You might look at (and provide) what they're using for a "source" port -
I've seen numerous "reverse http" and "reverse telnet" scans, where a
source port of 80 or 23 is used. Such an approach could fool a stateless
firewall or IDS.

-g

On Sun, 4 Nov 2001 bonkat_private wrote:

> Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ?
> Snort.org doesn't list these.
:
:
:
> 22634 24.254.60.19 unknown Nov 3 23:49:26
> 22634 24.254.60.19 unknown Nov 3 23:48:26
> 22634 24.254.60.19 unknown Nov 3 23:47:26
> 22634 24.254.60.19 unknown Nov 3 23:46:26
> 22634 24.254.60.19 unknown Nov 3 23:45:26
> 22634 24.254.60.19 unknown Nov 3 23:44:26
> 22634 24.254.60.19 unknown Nov 3 23:43:26
> 22634 24.254.60.19 unknown Nov 3 23:42:26
> 22634 24.254.60.19 unknown Nov 3 23:41:53
> 22634 24.254.60.19 unknown Nov 3 23:41:36
> 22634 24.254.60.19 unknown Nov 3 23:41:28

Glenn Forbes Fleming Larratt
Rice University Network Management
glrattat_private
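
The stateless-filter weakness described in the reply above, as an added example that is not part of the original message: a per-packet rule that trusts source port 80 or 23 passes unsolicited probes, while a filter that tracks outbound flows flags them. The addresses, the `Packet` type and all function names are constructed for illustration; 22634 is the destination port from the quoted log.

```python
from dataclasses import dataclass

INSIDE = "192.0.2.10"      # constructed protected host (documentation range)
REPLY_PORTS = (80, 23)     # source ports named in the reply: http, telnet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allows(pkt: Packet) -> bool:
    """Per-packet rule: inbound traffic *from* port 80/23 is assumed to be a reply."""
    return pkt.dst == INSIDE and pkt.sport in REPLY_PORTS

class StatefulFilter:
    """Remembers flows opened from inside; only their mirror image may come back."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_inbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def unsolicited(packets):
    """Return inbound packets the stateless rule passes but no outbound flow explains."""
    fw, flagged = StatefulFilter(), []
    for pkt in packets:
        if pkt.src == INSIDE:
            fw.outbound(pkt)
        elif stateless_allows(pkt) and not fw.allows_inbound(pkt):
            flagged.append(pkt)
    return flagged

# Constructed capture: one real web session, then two probes using "reply" source ports.
SAMPLE = [
    Packet(INSIDE, 40000, "198.51.100.5", 80),   # inside host opens a web connection
    Packet("198.51.100.5", 80, INSIDE, 40000),   # genuine reply to that connection
    Packet("203.0.113.7", 80, INSIDE, 22634),    # source port 80, no matching request
    Packet("203.0.113.7", 23, INSIDE, 22634),    # source port 23, no matching request
]

if __name__ == "__main__":
    for pkt in unsolicited(SAMPLE):
        print("unsolicited:", pkt)
```
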
This archive was generated by hypermail 2b30 : Sun Nov 04 2001 - 19:36:02 PST