Re: Strange back-orifice looking scan...

From: KoRe MeLtDoWn (koremeltdownat_private)
Date: Wed Sep 04 2002 - 14:09:46 PDT

    Hey Jeff,
    Port 1214 is used by Kazaa aka Morpheus; this is obviously the remote port that 
    the "scanner" is using. Port 31336 IS used by Back Orifice 2000 aka BO2k aka 
    DeepBO (this is a special release of BO btw).
    It appears the attacker may be doing one of two things:
    a/ He/she has somehow manipulated Kazaa to scan not for other Kazaa users on 
    port 1214, but to scan for BO-infected machines on port 31336.
    b/ The other possibility is simple - they've written a scanner or customised the 
    settings of a current scanner to have the local scanning port on port 1214 
    to make it look like it's Kazaa doing it automatically; however, they are 
    actively portscanning either your network (I wasn't sure if it was a network 
    you had) or just your lone box.
    This is just a suggestion, but the best one I could come up with :)
    To check the validity of my theory, if it is a box with Kazaa operating on 
    it, it should have port 80 open if I recall, showing all shared files within 
    the Kazaa program - they may have patched this in the later versions that 
    have been released lately of course :)
    Hope this helps you
    
    
    Hamish Stanaway
    
    -= KoRe WoRkS =- Internet Security
    Owner/Operator
    http://www.koreworks.com/
    
    New Zealand
    
    Is your box REALLY secure?
    
    >From: Jeff Kell <jeff-kellat_private>
    >To: Incidents List <incidentsat_private>
    >Subject: Strange back-orifice looking scan...
    >Date: Wed, 04 Sep 2002 12:08:48 -0400
    >
    >This popped up on ingress this morning, apparently with forged source 
    >addresses (given the timing).  Didn't get a packet capture but just
    >the signature (we block Back Orifice ports):
    >
    >Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
    >Sep  4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 
    >146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet
    >
    >Any clues on this one?  Looks new to me...
    >
    >Jeff
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
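As an added example (not code from either poster or from the list), here is a small parser for the Cisco `%SEC-6-IPACCESSLOGP` lines Jeff quoted, with a detector for the pattern Hamish describes: many distinct source addresses all pinned to the same source port hitting one destination port within a short window. The sample input is the first six log lines from the post plus one constructed stray hit; the year 2002, the threshold of five sources and the 120-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches one Cisco ACL log line of the form quoted in the post.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)(?:\.\d+)?\s+\w+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; 2002 is assumed for the sample data
    rec["ts"] = datetime.strptime(f"2002 {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    rec["sport"], rec["dport"], rec["pkts"] = int(rec["sport"]), int(rec["dport"]), int(rec["pkts"])
    return rec

def find_pinned_port_sweeps(lines, min_sources=5, window_s=120):
    """Group denied hits by (dst, dport, sport). Many distinct sources sharing one
    source port in a short window is the signature discussed in the thread: a tool
    with a fixed local port, or forged source addresses. One finding per cluster."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            groups[(rec["dst"], rec["dport"], rec["sport"])].append(rec)
    findings = []
    for (dst, dport, sport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        sources = {r["src"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(sources) >= min_sources and span <= window_s:
            findings.append({"dst": dst, "dport": dport, "sport": sport,
                             "sources": len(sources), "span_s": span})
    return findings

SAMPLE_LINES = [
    # first six hits quoted in the post: source port pinned to 1214, destination port 31336
    "Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep  4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep  4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep  4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep  4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep  4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet",
    # constructed stray hit with an ordinary ephemeral source port: not a sweep
    "Sep  4 11:57:10.001 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(40123) -> aa.bb.cc.dd(31336), 1 packet",
]
```

Running `find_pinned_port_sweeps(SAMPLE_LINES)` reports the single 1214 -> 31336 cluster and ignores the lone ephemeral-port hit; on a real ACL log the same grouping separates a spoofed or tool-driven sweep from scattered background noise.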
    



    This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 08:56:49 PDT