Hey Jeff,

Port 1214 is used by Kazaa aka Morpheus; this is obviously the remote port that the "scanner" is using. Port 31336 IS used by Back Orifice 2000 aka BO2k aka DeepBO (this is a special release of BO btw).

It appears the attacker may be doing one of two things:

a/ He/she has somehow manipulated Kazaa to scan not for other Kazaa users on port 1214, but to scan for BO infected machines on port 31336.

The other possibility is simple - they've written a scanner or customised the settings of a current scanner to have the local scanning port on port 1214 to make it look like it's Kazaa doing it automatically; however, they are actively portscanning either your network (I wasn't sure if it was a network you had) or just your lone box.

This is just a suggestion, but the best one I could come up with :)

To check the validity of my theory, if it is a box with Kazaa operating on it it should have port 80 open if I recall, showing all shared files within the Kazaa program - they may have patched this in the later versions that have been released lately of course :)

Hope this helps you

Hamish Stanaway
-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/
New Zealand
Is your box REALLY secure?

>From: Jeff Kell <jeff-kellat_private>
>To: Incidents List <incidentsat_private>
>Subject: Strange back-orifice looking scan...
>Date: Wed, 04 Sep 2002 12:08:48 -0400
>
>This popped up on ingress this morning, apparently with forged source
>addresses (given the timing). Didn't get a packet capture but just
>the signature (we block Back Orifice ports):
>
>Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet
>
>Any clues on this one? Looks new to me...
>
>Jeff

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
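The pattern Jeff reports (many distinct source addresses, one fixed source port, one fixed destination port, all within a couple of minutes) is easy to pick out of Cisco ACL logs automatically. The script below is an added example for this thread, not code posted by either participant: it parses `%SEC-6-IPACCESSLOGP` lines of the shape shown in the post, groups them by protocol, destination, destination port and source port, and flags any group where many distinct sources appear inside a short window. The year (2002, since IOS log timestamps carry none), the thresholds (5 sources, 5 minutes) and the two extra "noise" lines are assumptions made for the example; the rest of the sample data is taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cisco IOS ACL log line with ports (IPACCESSLOGP), as in the post:
#   Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+\w+:\s+"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\w.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

# Sample log: eight lines from Jeff's post plus two constructed lines
# (one to a different destination port, one that is not an ACL log at all).
SAMPLE_LINES = [
    "Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet",
    # constructed: same source port, different destination port -> separate group
    "Sep 4 11:57:10.000 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31337), 1 packet",
    # constructed: unrelated syslog line, must be ignored by the parser
    "Sep 4 11:57:11.000 EDT: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Sep 4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet",
]


def parse_line(line, year=2002):
    """Parse one IPACCESSLOGP line into a dict, or return None for anything else.
    IOS timestamps carry no year, so the caller supplies one (assumed 2002 here)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    return {
        "ts": ts, "acl": m["acl"], "action": m["action"], "proto": m["proto"].lower(),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"]),
    }


def find_distributed_scans(lines, min_sources=5, window=timedelta(minutes=5)):
    """Flag (proto, dst, dport, sport) groups hit by >= min_sources distinct
    source addresses inside any sliding window of the given length.
    Many sources sharing one fixed source port is the tell-tale in the post."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            groups[(ev["proto"], ev["dst"], ev["dport"], ev["sport"])].append(ev)

    findings = []
    for (proto, dst, dport, sport), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i in range(len(evs)):
            srcs = set()
            last = evs[i]["ts"]
            for ev in evs[i:]:
                if ev["ts"] - evs[i]["ts"] > window:
                    break
                srcs.add(ev["src"])
                last = ev["ts"]
            if len(srcs) >= min_sources and (best is None or len(srcs) > len(best["sources"])):
                best = {"proto": proto, "dst": dst, "dport": dport, "sport": sport,
                        "sources": sorted(srcs), "first": evs[i]["ts"], "last": last}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_distributed_scans(SAMPLE_LINES):
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['proto']} {f['dst']}:{f['dport']} from sport {f['sport']}: "
              f"{len(f['sources'])} sources in {span:.0f}s")
```

Grouping on the source port as well as the destination port is what separates this traffic from an ordinary Kazaa-to-Kazaa exchange: genuine peers would use a fixed destination port of 1214 with varying ephemeral source ports, whereas here the source port is the constant.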
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 08:56:49 PDT