12345 is a well-known port for trojans (mainly Netbus). With the wide deployment of the crc32 compensation attack detector exploit, and according to the analysis made by Dave Dittrich (http://www.securityfocus.com/archive/1/225543), this port is also a backdoor for compromised systems. I guess we will be seeing an increase on port 12345 (and also 3879 -- see analysis doc) for the next days.

Round here, the last scan was made on Nov 4 from a dial-up box in France.

PS: I've checked the existence of such a backdoor (TCP/12345) on a Swedish box that scanned my half C class for port 22. I didn't log the entire packets but origin was always port 22. Maybe a script using synscan?

Fernando

--
Fernando Cardoso - Security Consultant
WhatEverNet Computing, S.A.      Phone : +351 21 7994200
Praca de Alvalade, 6 - Piso 6    Fax   : +351 21 7994242
1700-036 Lisboa - Portugal       email : fernando.cardosoat_private
http://www.whatevernet.com/

> I sent off the file to all those who requested and there have been a few
> updates since...
>
> one, the original IRC I stated was WRONG.
>
> irc.ozmatrix.com
> chat.ozmatrix.com
>
> They also have a web site.
>
> http://www.geocities.com/ircx_chat/
>
> um, now it's scanning for port 12345 along with scanning for sub7.
>
> Anyone pick up an increase in scans in port 12345 let me know...
>
> Thanks
> Brice Carlson
>
> _____
>
> If I was supposed to have emailed you the program and you didn't receive it
> please email me again. put sub7 in the subject and make it caps.
> Tis I only got 400 emails a day. Thanks...
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

---------------------------------------------------------------------
Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email.
---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 10:15:23 PST