TCP connection attempts to port 27374
Hi, I'm curious about numerous (actually 25 in all) TCP connection attempts recently from unprivileged ports to port 27374. Looking at my firewall logs, I see that numerous source IP addresses have been used (generally 3 or 4 attempts per source address) over the last couple of weeks or so. I have a dial-up connection. Searching a recent copy of IANA's port numbers file I see that ports in the range 27008-27998 are unassigned. I'm just curious, my firewall's "deny"-ing the connection attempts. Anyone aware of any reason why port 27374 is being probed? Cheers - Les Catterall
This question, and also the last one on the same theme (port 199) *could* both be caused by the computer that previously used the same IP address. If the previous user of the IP address had an FTP session (or server) to the named machine, then this may be an attempt to establish a data connection. RPC also dynamically assigns port numbers ...
If there are a large number of IP addresses involved, then it is possible that the last user of the IP address was running a server (back orifice?:) which was used by a large number of machines. Alternatively, one (or none) of those IP addresses is the machine that is performing a general port scan for something like:
Trinoo_Bcast 27444/udp # Trinoo distributed attack tool Master -> Bcast Daemon communication
Trinoo_Master 27665/tcp # Trinoo distributed attack tool Master server control port
Quake3Server 27960/udp # Quake 3 Arena Server
(How can one get packets going to port 199? ssh will establish an outgoing connection from a privileged port, unless you ask it not to...)
&:-)
also sprach Les Catterall (Today, 14:22): (shamelessly plagiarised)
Hi,
I'm curious about numerous (actually 25 in all) TCP connection attempts recently from unprivileged ports to port 27374. Looking at my firewall logs, I see that numerous source IP addresses have been used (generally 3 or 4 attempts per source address) over the last couple of weeks or so. I have a dial-up connection.
Searching a recent copy of IANA's port numbers file I see that ports in the range 27008-27998 are unassigned.
I'm just curious, my firewall's "deny"-ing the connection attempts. Anyone aware of any reason why port 27374 is being probed?
Cheers - Les Catterall
andrew@ledge.co.za wrote:
This question, and also the last one on the same theme (port 199) *could* both be caused by the computer that previously used the same IP address. If the previous user of the IP address had an FTP session (or server) to the named machine, then this may be an attempt to establish a data connection. RPC also dynamically assigns port numbers ...
Agreed, in general good points, but it was rather a coincidence that probes for 27374 _only_ were being logged on numerous destination IPs from numerous source IPs.
If there are a large number of IP addresses involved, then it is possible that the last user of the IP address was running a server (back orifice?:) which was used by a large number of machines. Alternatively, one (or none) of those IP addresses is the machine that is performing a general port scan for something like:
Trinoo_Bcast 27444/udp # Trinoo distributed attack tool Master -> Bcast Daemon communication
Trinoo_Master 27665/tcp # Trinoo distributed attack tool Master server control port
Quake3Server 27960/udp # Quake 3 Arena Server
No - my logs would have recorded them along with those for port 27374. Only port 27374 was probed during these sessions. Some of the probes came from my ISP's IP range, some came from elsewhere. As others have suggested, I'm inclined to think the Windows Subseven Trojan was being searched. Thanks to you and all others for your replies ... Cheers - Les Catterall
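The distinction drawn in the reply above (sources that hit port 27374 only versus a general scan that would also touch ports such as 27444, 27665 or 27960) can be checked directly against deny logs. This is an added example, not part of the original thread; the log lines are constructed in a simplified netfilter-like format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample firewall lines (netfilter-LOG-like fields; not from the thread).
SAMPLE_LOG = """\
Dec 14 21:02:11 gw kernel: DENY SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=27374
Dec 14 21:02:14 gw kernel: DENY SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=27374
Dec 14 21:02:20 gw kernel: DENY SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=27374
Dec 15 09:40:02 gw kernel: DENY SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3312 DPT=27374
Dec 15 09:40:05 gw kernel: DENY SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3312 DPT=27374
Dec 15 09:40:11 gw kernel: DENY SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3312 DPT=27374
Dec 15 09:40:17 gw kernel: DENY SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3312 DPT=27374
Dec 16 02:15:40 gw kernel: DENY SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=2001 DPT=27374
Dec 16 02:15:40 gw kernel: DENY SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=2002 DPT=27444
Dec 16 02:15:41 gw kernel: DENY SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=2003 DPT=27665
Dec 16 02:15:41 gw kernel: DENY SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=2004 DPT=27960
Dec 16 02:16:00 gw pppd[412]: LCP terminated by peer
"""

FIELDS = re.compile(r"SRC=(\S+) .*?PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def summarise(log_text):
    """Map each source IP to its attempt count and set of (port, proto) targets."""
    seen = defaultdict(lambda: {"attempts": 0, "targets": set()})
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if not m:  # non-firewall lines (e.g. pppd) are skipped
            continue
        src, proto, dport = m.group(1), m.group(2).lower(), int(m.group(3))
        seen[src]["attempts"] += 1
        seen[src]["targets"].add((dport, proto))
    return dict(seen)

def only_probing(summary, port, proto="tcp"):
    """Sources whose every denied packet went to this one port."""
    return sorted(s for s, v in summary.items() if v["targets"] == {(port, proto)})

def multi_port(summary, min_ports=3):
    """Sources that touched several distinct ports: general-scan behaviour."""
    return sorted(s for s, v in summary.items() if len(v["targets"]) >= min_ports)

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print("27374/tcp only:", only_probing(summary, 27374))
    print("multi-port    :", multi_port(summary))
```

Sources that appear only in the first list were looking for one specific listener, and sources in the second list were sweeping a port range.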
A quick search on sans.org for port 27374 gives plenty of answers. 27374 is the default port the Subseven windows trojan uses.
-miah
On Fri, Dec 15, 2000 at 02:22:31PM +1100, Les Catterall wrote:
Hi,
I'm curious about numerous (actually 25 in all) TCP connection attempts recently from unprivileged ports to port 27374. Looking at my firewall logs, I see that numerous source IP addresses have been used (generally 3 or 4 attempts per source address) over the last couple of weeks or so. I have a dial-up connection.
Searching a recent copy of IANA's port numbers file I see that ports in the range 27008-27998 are unassigned.
I'm just curious, my firewall's "deny"-ing the connection attempts. Anyone aware of any reason why port 27374 is being probed?
Cheers - Les Catterall
Hi,
I'm curious about numerous (actually 25 in all) TCP connection attempts recently from unprivileged ports to port 27374. Looking at my firewall logs, I see that numerous source IP addresses have been used (generally 3 or 4 attempts per source address) over the last couple of weeks or so. I have a dial-up connection.
AFAIK it's the default port of the windows trojan subseven.
Christoph