RE: Firewall hits/unknown ports

From: Loki (lokiat_private)
Date: Sun Nov 04 2001 - 20:00:01 PST


    Then let me provide a rebuttal rant. I don't see any issue with his
    question. What if perhaps one of us on this list recognizes those ports as
    being an unreleased trojan that has not hit Bugtraq? I see no issues with
    him raising his question to this list. Instead, let me ask you this. Should
    we promote the public reprimand of an individual for what he believes to be
    a valid question that others might see, forcing them into hiding where
    further questions might have been posed? Do you want to claim the
    responsibility of being the one to send them into hiding?
    
    In my world, there is no such thing as a stupid question in this industry. I
    remind you that this industry itself is quite young. Therefore we are all
    learning as we go. I think a more appropriate response would have been just
    your suggestions to use the sniffer and try locally connecting to those
    listening ports. I do remind you, egos in this industry are the largest
    cause of people not learning more than they already know. I also remind you
    that they cause others to be afraid to ask what could have been questions
    that benefit others.
    
    If we are not a part of the solution, we are part of the problem.
    
    =====================================================
    Loki
    Founder/Chief Research Scientist
    Fate Research Labs
    United States VPN Division
    [e] lokiat_private
    [w] www.fatelabs.com
    -----------------------------------------------------
    "You know how you have that dent above your upper
     lip? Well at the beginning of time I told you a
     secret and put my finger there and said, shhh"
    
                                - Fate Research Labs
                                  Long Live Our Reign
    =====================================================
    
    
    -----Original Message-----
    From: Stephen [mailto:sa7oriat_private]
    Sent: Sunday, November 04, 2001 9:39 PM
    To: incidentsat_private
    Subject: Re: Firewall hits/unknown ports
    
    
    <RANT>
    I don't want to sound like a pompous arse, but I think we should be
    careful with asking questions like this. In the tradition of making
    oversimplified and romantic analogies to the biological world, the
    internet and the world's public networks are like forests. There is a
    certain degree of chaos and a certain degree of natural order to their
    basic operation. The chaos factor comes from the human interaction with
    the technology.
    </RANT>
    
    Trojans and backdoors are equally as unpredictable. You
    can, with one line (in inetd), append a line binding a shell to ANY port.
    You can write ANY number of programs or scripts to do the same on
    unprivileged ports without root. From the network, stuff like that is even
    less predictable because of the plethora of client connection initiation
    done BEHIND the firewall. Some innocuous client software could use the
    higher port numbers for nonpassive communication or something. It could be
    anything. Have you tried to connect to the host targeted on that port?
    Throwing shell commands at it? If you have console access to the machine,
    look at all processes; if there is a live connection, sniff it. The
    wilderness of our networks can be incredibly dynamic; we have to cope with
    this, and be innovative and diligent in our conquest to grok the vast
    expanse of information. Do your part to contribute to the
    "bodiless exultation that is the matrix". Heh. Oi. BRAAAAAAZIILLLLLLLL!
    
    
    On Sun, 4 Nov 2001 bonkat_private wrote:
    
    >
    >
    > Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ?
    > Snort.org doesn't list these.
    >
    > Bonk
    > Bonkat_private
    >
    >
    > ================================================
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    
    
    
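Added example (my code, not from anyone in this thread): a small triage pass over log lines in the four-column layout quoted above, which picks out "unknown" ports that one source keeps hitting at a fixed interval, the pattern Stephen's advice (check the host locally, sniff the live connection) is meant for. The sample lines are constructed, use documentation-range addresses, and assume a year because the log carries none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the four-column layout of the quoted log (dst port,
# source IP, service name, timestamp); 192.0.2.0/24 is the documentation range
# and the year is assumed, since the log carries none.
SAMPLE_LOG = """\
22634\t192.0.2.50\tunknown\tNov  3 23:41:28
22634\t192.0.2.50\tunknown\tNov  3 23:42:26
22634\t192.0.2.50\tunknown\tNov  3 23:43:26
22634\t192.0.2.50\tunknown\tNov  3 23:44:26
22634\t192.0.2.50\tunknown\tNov  3 23:45:26
29319\t192.0.2.77\tunknown\tNov  3 10:06:06
111\t192.0.2.99\tsunrpc\tNov  3 07:54:13
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)$")

def parse_log(text, year=2001):
    """Return (port, src, service, datetime) tuples; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, src, svc, ts = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            hits.append((int(port), src, svc, when))
    return hits

def triage_unknown(hits, tolerance=2):
    """Group 'unknown'-service hits by (src, port) and describe their timing.
    Gaps that cluster around one value (most within `tolerance` s of the modal
    gap) look like a client retrying a closed port on a timer, which calls for
    a local look at the host (listener check, sniff the next attempt)."""
    by_pair = defaultdict(list)
    for port, src, svc, when in hits:
        if svc == "unknown":
            by_pair[(src, port)].append(when)
    report = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        modal = Counter(gaps).most_common(1)[0][0] if gaps else None
        regular = sum(abs(g - modal) <= tolerance for g in gaps) if gaps else 0
        verdict = ("periodic retry" if regular >= 3
                   else "repeated" if len(times) > 1 else "single hit")
        report[pair] = {"hits": len(times), "modal_gap_s": modal,
                        "regular_gaps": regular, "verdict": verdict}
    return report
```

Known-service rows (the sunrpc line here) are left out of the report on purpose; they go through the usual signature lookup, while the "unknown" rows are the ones that need the host-side check.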
    



    This archive was generated by hypermail 2b30 : Sun Nov 04 2001 - 22:14:34 PST