Preston,

> I've seen quite a bit of traffic on ports tcp/12345
> and tcp/27374.
> According to what I've seen, 27374 is a port used by
> quite a few versions of SubSeven,

A couple of things...first, port 27374 is the default port for both SubSeven, as well as the Ramen worm (Linux). Therefore, a SYN packet destined for that port is, in and of itself, inconclusive. Second, I'm sure you're aware that default ports are just that, and in many cases, configurable.

> as for 12345, it's not mentioned that subseven
> runs on that port (that I've seen)

It's NetBus's default port (1.7x and previous versions).

> but I am seeing attempted
> connections to these ports at the same time (maybe
> some other vuln
> attempt I'm not aware of? anyone?). Hope that
> helps.

Given that these SYN packets are dropped by the f/w (in most cases), they simply seem to be scans at this point. As far as vulnerabilities are concerned, they may or may not be...but if there's a trojan installed on a system, the admin has more to worry about than vulnerabilities.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
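An added example, not part of the original message or of any tool named in it: a small correlation over dropped-SYN firewall log lines that reports sources probing both tcp/27374 and tcp/12345 close together in time, which is the pattern discussed above. The log format, the addresses (documentation ranges) and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default-port associations stated in the message; a port match alone is inconclusive.
DEFAULT_PORTS = {27374: "SubSeven / Ramen worm default", 12345: "NetBus (1.7x and earlier) default"}

# Constructed sample of dropped-SYN firewall log lines (hypothetical format).
SAMPLE_LOG = """\
2002-08-12T10:15:01 DROP TCP SYN src=192.0.2.10 dst=198.51.100.5 dport=27374
2002-08-12T10:15:02 DROP TCP SYN src=192.0.2.10 dst=198.51.100.5 dport=12345
2002-08-12T10:15:03 DROP TCP SYN src=192.0.2.10 dst=198.51.100.6 dport=27374
2002-08-12T10:20:00 DROP TCP SYN src=203.0.113.7 dst=198.51.100.5 dport=27374
2002-08-12T11:40:00 DROP TCP SYN src=192.0.2.44 dst=198.51.100.5 dport=12345
2002-08-12T13:05:00 DROP TCP SYN src=192.0.2.44 dst=198.51.100.5 dport=27374
2002-08-12T13:06:00 DROP TCP SYN src=192.0.2.44 dst=198.51.100.5 dport=80
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) DROP TCP SYN src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for the watched ports; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        if int(dport) in DEFAULT_PORTS:
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def paired_probes(log_text, window_seconds=60):
    """Return {src: sorted targets} for sources that hit both watched ports within the window."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        by_src[src].append((ts, dst, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (ts_a, _, port_a) in enumerate(events):
            if any(port_b != port_a and ts_b - ts_a <= window for ts_b, _, port_b in events[i + 1:]):
                flagged[src] = sorted({dst for _, dst, _ in events})
                break
    return flagged

if __name__ == "__main__":
    for src, targets in paired_probes(SAMPLE_LOG).items():
        print(f"{src}: both default ports probed within window, targets={targets} (scan; not proof of a trojan)")
```

A flagged source only shows that both default ports were probed together; whether a trojan is actually listening has to be checked on the target hosts themselves.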
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 08:31:11 PDT