Hi, The program is called Netspy: http://lists.insecure.org/incidents/2001/Feb/0038.html Hope that helps :) Ned ----- Original Message ----- From: "Crist J. Clark" <crist.clarkat_private> To: <incidentsat_private> Sent: Friday, May 31, 2002 10:46 PM Subject: Application Scanning 1033/tcp? > We've been regularly scanned on port 1033/tcp by a wide variety of IP > addresses For example, here are abreviated scans from today between > 13:00 and 14:00 PDT, > > 13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240 (DF) > 13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240 (DF) > 13:00:34.822231 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240 (DF) > 13:00:36.899623 24-109-22-40.ivideon.com.4102 > my.firewall.com.1033: S 4172312999:4172312999(0) win 64240 (DF) > . > . > . > 13:59:41.964667 24-109-22-40.ivideon.com.4745 > my.firewall.com.1033: S 816514957:816514957(0) win 64240 (DF) > 13:59:53.056863 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240 (DF) > 13:59:56.023444 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240 (DF) > 14:00:02.049422 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240 (DF) > > 13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF) > 13:21:57.607638 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF) > 13:22:03.609713 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF) > 13:22:15.610063 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF) > . > . > . > 13:47:47.681693 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF) > 13:47:50.602002 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF) > 13:47:56.600538 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF) > 13:48:08.599116 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF) > > 13:51:55.458288 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240 (DF) > 13:51:58.402493 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240 (DF) > 13:52:04.290740 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240 (DF) > 13:52:25.392798 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4956 > my.firewall.com.1033: S 2645190207:2645190207(0) win 64240 (DF) > . > . > . > 13:54:06.067548 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4975 > my.firewall.com.1033: S 2669006106:2669006106(0) win 64240 (DF) > 13:54:06.073626 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4974 > my.firewall.com.1033: S 2668952197:2668952197(0) win 64240 (DF) > 13:54:06.078158 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4973 > my.firewall.com.1033: S 2668896132:2668896132(0) win 64240 (DF) > 13:54:06.269224 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4976 > my.firewall.com.1033: S 2669108864:2669108864(0) win 64240 (DF) > > 13:26:52.440778 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF) > 13:26:55.352418 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF) > 13:27:01.348100 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF) > 13:27:13.346008 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF) > > Comapring these two the outgoing traffic, I can correlate most of > these to outgoing connection attempts to these machine from out > network. That is, someone inside our network connects out to these > machines which then try to connect back in on 1033. However, the > outgoing connections are to a whole bunch of different TCP port > numbers and never to 1033/tcp. > > I am having trouble figuring out what exactly they are looking for at > 1033/tcp. My first concern was this was some kind of trojan or malware > phoning home and the remote controllers were trying to call back on > 1033, but I've found no known trojans that listen on 1033. My other > suspicion is one of the zillion peer-to-peer file sharing protocols, > but again, no luck in finding one that uses 1033. > > Anyone know what uses 1033/tcp? I've looked at all of the usual web > resources (please don't give out URLs of port lists unless you've > checked that the list does include 1033) and haven't found it. > -- > Crist J. Clark | cjclarkat_private > | cjclarkat_private > http://people.freebsd.org/~cjc/ | cjcat_private > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri May 31 2002 - 16:01:52 PDT