Last week I received spam complaints against 4 different customers, all the same message and all with no knowledge of the incident. The only similarity I could find was port 608 open on each user's machine. Telnet to this port returned a number sequence, and successive telnets increased the number returned. Each customer found a trojan/backdoor installed, but not all the same one. -----Original Message----- From: Andrey G. Sergeev (AKA Andris) [mailto:andrisat_private] Sent: Saturday, August 31, 2002 10:06 AM To: Incidents List Subject: Any tcp/608 activity? Hello! Did anyone here seen *any* activity, either legal or suspicious, on TCP port 608 for, say, past 3 months? My question _isn't related_ to Sender-Initiated/Unsolicited File Transfer proto (RFC 1440) although I'm still interested in your comments if you're using this service and have some records in the SIFT-UFT daemon logs saying something like "Unrecognized command", "Invalid data", "Bad request" and so on. Thanks. -- Yours sincerely, Andrey G. Sergeev (AKA Andris) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 13:24:24 PDT