Mailinglist Archive: opensuse-security (331 mails)

Re: [suse-security] scan to service 161
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Sat, 30 Sep 2000 09:25:19 +0800
  • Message-id: <5.0.0.25.0.20000930090857.00ac0d08@xxxxxxxxxxxxxxxxxxxx>
Hmmm,

looks like I'm weighing into this discussion a little late, but I've been working in Asia (Singapore and Hong Kong) for the last couple of weeks and haven't had a chance to catch up on "non-critical" email. (Sydney is just a "little" busy at the moment and as my house is 10min from olympic stadium....)

Anyways.. back to the picture..
What everyone seems to have missed here is:

>I am getting scans to port 161/tcp from the scanners port 1234 . I
>checked the etc/services file port 1234 is search agent for Infoseek and
>161 is snmp.

Port 161/UDP is snmp... SNMP does not use TCP.

I'd guess that there is either a new trojan "doing the rounds" or that someone
you know has emailed you a trojanised exe configured to run on port 161
in the hope that you'd run it...

I have attached a common list of trojan ports if anyone else is interested.

Cheers

Nix

BTW: I have changed email addresses from nix@xxxxxxxxx to aid in sorting email,
hope it doesn't confuse anyone... :-P~~



At 08:07 PM 14/09/2000, you wrote:
bolo@xxxxxxx started typing into the keyboard and wrote:
>
> snmp version 1 and 2 is available for linux although not installed by default,
> so an attacker can not leak information out of your linux system if you didn't
> install snmp.
>

Well thanks for the info and I already checked my installation and thank
god found that it is not installed.


semat started typing into the keyboard and wrote:
>
> Oh and also one other thing you can do is to set certain directories that
> should not change to being read-only for example /sbin /bin /usr/bin /lib
> /dev with chattr +i <directory> if you don't make a lot of changes in etc
> you can also set it read-only and remove it whenever you have to make
> changes.
>

I am considering this yet but /dev part does not sound correct to me
what about the hard disk access that is done thru trusted users and
services. Correct me if I am wrong but the /dev access should be as I
understand it thru the use of groups ie disk or video or dialout.


--
Togan Muftuoglu
toganm@xxxxxxxx
--snip--


Peter Nixon
Senior Security Consultant
ITAC: Leaders in IT security
http://www.itaudit.com.au
mailto:petern@xxxxxxxxxxxxxx

DISCLAIMER: The information contained in this email message and in any
annexure is confidential to the recipient and may contain privileged
information.

If you are not the intended recipient, please advise us immediately by
return email (or telephone our Head Office on +61 2 6251 8585) and delete
the message along with any annexure. You should not disclose, copy or
otherwise use the information contained in the message or any annexure.

Any views expressed in this email are those of the individual sender except
where the sender specifically states them to be the views of ITAC.

port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda,Shtrilitz,Stealth, Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 53420 - Back Orifice 2000
port 61466 - Telecommando
port 65000 - Devil

Keep in mind many of these are the default ports for trojans, a
reconfigured server may utilise other ports. These ports are mostly
TCP for the standard remote connection, other services such as ftp
within a bundled feature trojan, such as netbus or BO will use a port on
UDP, typically the next port number along. All credit goes to Ken
Williams
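The two observations in this message (SNMP is UDP/161, so a TCP connection to 161 is not SNMP traffic; and a destination port that matches a trojan's default port is worth a second look, with the caveat that a reconfigured server can use any port) can be turned into a small log-triage check. The script below is an added example, not something from the original mail or from Ken Williams's list; it uses a constructed, simplified log line format (`PROTO src:sport -> dst:dport`) and only a subset of the port table above, and its function names are the example's own.

```python
"""Triage connection log lines for the two signals discussed in the thread.

Assumed log format (constructed for this example, not a real tool's output):
    TCP 203.0.113.7:1234 -> 192.0.2.10:161
"""
import re
from dataclasses import dataclass

# Subset of the default-port list attached above, names as given there.
# These are defaults only; a reconfigured server may listen anywhere.
TROJAN_DEFAULT_PORTS = {
    31: "Hackers Paradise",
    555: "Ini-Killer, Phase Zero, Stealth Spy",
    1234: "Ultors Trojan",
    1999: "BackDoor",
    12345: "GabanBus, NetBus",
    12346: "GabanBus, NetBus",
    20034: "NetBus 2 Pro",
    31337: "Back Orifice",
    31338: "Back Orifice, DeepBO",
    53420: "Back Orifice 2000",
    65000: "Devil",
}

# Services that run over UDP only on this port, so a TCP hit is not that
# service. SNMP on 161 is the case from the thread.
UDP_ONLY_SERVICES = {161: "snmp"}

LOG_LINE = re.compile(
    r"(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    proto: str
    src: str
    sport: int
    dport: int
    reason: str


def parse_line(line):
    """Return (proto, src, sport, dst, dport) or None for unparseable lines."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def classify(proto, sport, dport):
    """Return a list of human-readable reasons this connection is suspect.

    Only the destination port is matched against the trojan table: the
    source port of a client is normally ephemeral and is a weak signal.
    """
    reasons = []
    if proto == "TCP" and dport in UDP_ONLY_SERVICES:
        reasons.append(
            f"TCP to port {dport}: {UDP_ONLY_SERVICES[dport]} is UDP-only, "
            "so this is not SNMP traffic"
        )
    if dport in TROJAN_DEFAULT_PORTS:
        reasons.append(
            f"destination port {dport} is the default port of "
            f"{TROJAN_DEFAULT_PORTS[dport]}"
        )
    return reasons


def scan_log(lines):
    """Run both checks over an iterable of log lines, skipping junk lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, sport, dst, dport = parsed
        for reason in classify(proto, sport, dport):
            findings.append(Finding(line_no, proto, src, sport, dport, reason))
    return findings


# Constructed sample input: the thread's case, a normal SNMP poll, a hit on
# the Back Orifice default port, an ordinary ssh connection, and a junk line.
SAMPLE_LOG = [
    "TCP 203.0.113.7:1234 -> 192.0.2.10:161",
    "UDP 192.0.2.5:51000 -> 192.0.2.10:161",
    "TCP 203.0.113.7:4321 -> 192.0.2.10:31337",
    "TCP 192.0.2.5:40000 -> 192.0.2.10:22",
    "not a connection record",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.proto} {f.src}:{f.sport} -> :{f.dport}: {f.reason}")
```

Running it reports the TCP/161 probe from line 1 and the port 31337 hit from line 3; the legitimate UDP SNMP poll and the ssh session are left alone. The port table is a list of defaults, so treat a match as a reason to look, not as proof of infection.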