Re: Application Scanning 1033/tcp?

From: Ned Lowe (ned.loweat_private)
Date: Fri May 31 2002 - 15:54:37 PDT


    Hi,
    The program is called Netspy:
    
    http://lists.insecure.org/incidents/2001/Feb/0038.html
    
    Hope that helps :)
    
    Ned
    
    ----- Original Message -----
    From: "Crist J. Clark" <crist.clarkat_private>
    To: <incidentsat_private>
    Sent: Friday, May 31, 2002 10:46 PM
    Subject: Application Scanning 1033/tcp?
    
    
    > We've been regularly scanned on port 1033/tcp by a wide variety of IP
    > addresses. For example, here are abbreviated scans from today between
    > 13:00 and 14:00 PDT,
    >
    >   13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240  (DF)
    >   13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)
    >   13:00:34.822231 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)
    >   13:00:36.899623 24-109-22-40.ivideon.com.4102 > my.firewall.com.1033: S 4172312999:4172312999(0) win 64240  (DF)
    >   .
    >   .
    >   .
    >   13:59:41.964667 24-109-22-40.ivideon.com.4745 > my.firewall.com.1033: S 816514957:816514957(0) win 64240  (DF)
    >   13:59:53.056863 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240  (DF)
    >   13:59:56.023444 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240  (DF)
    >   14:00:02.049422 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240  (DF)
    >
    >   13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
    >   13:21:57.607638 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
    >   13:22:03.609713 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
    >   13:22:15.610063 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
    >   .
    >   .
    >   .
    >   13:47:47.681693 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
    >   13:47:50.602002 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
    >   13:47:56.600538 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
    >   13:48:08.599116 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
    >
    >   13:51:55.458288 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)
    >   13:51:58.402493 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)
    >   13:52:04.290740 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)
    >   13:52:25.392798 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4956 > my.firewall.com.1033: S 2645190207:2645190207(0) win 64240  (DF)
    >   .
    >   .
    >   .
    >   13:54:06.067548 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4975 > my.firewall.com.1033: S 2669006106:2669006106(0) win 64240  (DF)
    >   13:54:06.073626 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4974 > my.firewall.com.1033: S 2668952197:2668952197(0) win 64240  (DF)
    >   13:54:06.078158 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4973 > my.firewall.com.1033: S 2668896132:2668896132(0) win 64240  (DF)
    >   13:54:06.269224 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4976 > my.firewall.com.1033: S 2669108864:2669108864(0) win 64240  (DF)
    >
    >   13:26:52.440778 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
    >   13:26:55.352418 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
    >   13:27:01.348100 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
    >   13:27:13.346008 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
    >
    > Comparing these to the outgoing traffic, I can correlate most of
    > these to outgoing connection attempts to these machines from our
    > network. That is, someone inside our network connects out to these
    > machines which then try to connect back in on 1033. However, the
    > outgoing connections are to a whole bunch of different TCP port
    > numbers and never to 1033/tcp.
    >
    > I am having trouble figuring out what exactly they are looking for at
    > 1033/tcp. My first concern was this was some kind of trojan or malware
    > phoning home and the remote controllers were trying to call back on
    > 1033, but I've found no known trojans that listen on 1033. My other
    > suspicion is one of the zillion peer-to-peer file sharing protocols,
    > but again, no luck in finding one that uses 1033.
    >
    > Anyone know what uses 1033/tcp? I've looked at all of the usual web
    > resources (please don't give out URLs of port lists unless you've
    > checked that the list does include 1033) and haven't found it.
    > --
    > Crist J. Clark                     |     cjclarkat_private
    >                                    |     cjclarkat_private
    > http://people.freebsd.org/~cjc/    |     cjcat_private
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    


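The correlation Crist describes (inbound SYNs to 1033/tcp matched against earlier outbound connections from inside the network) can be done mechanically over the tcpdump lines quoted above. The following Python is an added example, not code from the thread; the inbound sample lines are the ones quoted in the message, while the outbound line, the host `my.workstation.com` and its destination port 6346 are constructed for illustration. It also collapses SYN retransmissions (same source port and initial sequence number, roughly 3 s, 6 s, 12 s apart in the quoted logs) into a single connection attempt, so the count reflects distinct attempts rather than raw packets.

```python
import re
from collections import defaultdict

# One tcpdump SYN line as quoted in the thread, e.g.
# 13:00:08.081482 host.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240  (DF)
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+S\s+(?P<seq>\d+):\d+\(0\)"
)

def parse_syn(line):
    """Return the fields of a tcpdump SYN line as a dict, or None if it is not one."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq"):
        d[k] = int(d[k])
    return d

def correlate(inbound_lines, outbound_lines, port=1033):
    """Group inbound SYNs to `port` by remote host. For each host record the raw SYN
    count, the number of distinct attempts (source port + ISN, so retransmits collapse),
    whether our network connected to that host first, and which remote ports we used."""
    outbound = defaultdict(set)  # remote host -> remote ports our network connected to
    for line in outbound_lines:
        p = parse_syn(line)
        if p:
            outbound[p["dst"]].add(p["dport"])
    report = {}
    for line in inbound_lines:
        p = parse_syn(line)
        if not p or p["dport"] != port:
            continue
        r = report.setdefault(p["src"], {"syns": 0, "attempts": set()})
        r["syns"] += 1
        r["attempts"].add((p["sport"], p["seq"]))
        r["callback"] = p["src"] in outbound          # seen going out first?
        r["outbound_ports"] = set(outbound.get(p["src"], ()))
    for r in report.values():
        r["attempts"] = len(r["attempts"])
    return report

INBOUND = [  # lines quoted in the thread
    "13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240  (DF)",
    "13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)",
    "13:00:34.822231 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)",
    "13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)",
    "13:21:57.607638 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)",
    "13:22:03.609713 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)",
]
OUTBOUND = [  # constructed: an earlier connection from inside to the ivideon host (port 6346 is hypothetical)
    "12:58:40.000000 my.workstation.com.3301 > 24-109-22-40.ivideon.com.6346: S 1:1(0) win 64240  (DF)",
]

if __name__ == "__main__":
    for host, r in correlate(INBOUND, OUTBOUND).items():
        print(host, r)
```

Hosts with `callback` set and a non-empty `outbound_ports` are the ones that fit the "we connected out, they connected back on 1033" pattern; the others are unsolicited and worth looking at separately.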

    This archive was generated by hypermail 2b30 : Fri May 31 2002 - 16:01:52 PDT