Mailinglist Archive: opensuse-security (636 mails)

AW: [suse-security] compromised?
  • From: "Stiefenhofer, Marek ECOFIS" <m.stiefenhofer@xxxxxxxxx>
  • Date: Fri, 9 Feb 2001 10:55:35 +0100
  • Message-id: <5F4F3628E7EFD411AA570090270F781406C2BC@xxxxxxxxxxxxxx>
>Maybe you used gnutella to upload or
>download files. The connection attempts (coming from an ip range assigned to
>Chungwha Telecom, Taipei, Taiwan) may have been caused by a user of this
>network desperately trying to download a file you offered shareable via
>gnutella.

>On the other hand, port 27374 is used by a trojan called SubSeven, a malware
>for Win. If the scans to either 6346 and 27374 come from the same IP addresses
>the person on the other end maybe is up to finding some vulnerable Windows boxes
>to take over.

The second version seems more reasonable to me. As the logfiles show - only
the SYN-Flag was set. This usually indicates no established connection
(ACK-Flag is set), but a so-called half-open scan to find out about open or
even filtered ports. I guess some script-kiddie scanned for known
w$-trojans...

Regards,
Marek
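
Added example, not part of the original message: one way to run the check the thread describes, grouping SYN-only packets to ports 6346 and 27374 by source address to see whether the same hosts probe both. The log excerpt itself is not shown in the thread, so the netfilter LOG line format, the sample lines and the function names below are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (netfilter LOG format is an assumption; the
# addresses come from documentation ranges, not from the thread).
SAMPLE_LOG = """\
Feb  8 21:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=3012 DPT=6346 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  8 21:14:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=3013 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  8 21:20:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=110 PROTO=TCP SPT=1477 DPT=6346 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  8 21:20:45 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=110 PROTO=TCP SPT=1478 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Feb  8 21:31:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=2200 DPT=6346 WINDOW=16384 RES=0x00 ACK PSH URGP=0
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")
# TCP flag names sit between RES= and URGP= in a netfilter LOG line.
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )*)URGP=")
WATCHED = {6346: "gnutella", 27374: "SubSeven"}


def syn_only_probes(log_text):
    """Return {source IP: set of watched ports hit by SYN-only packets}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = FLAGS.search(line)
        if fields.get("PROTO") != "TCP" or not flags:
            continue
        if "SRC" not in fields or "DPT" not in fields:
            continue
        port = int(fields["DPT"])
        # Keep only packets whose sole flag is SYN, as in the logs discussed.
        if flags.group(1).split() == ["SYN"] and port in WATCHED:
            hits[fields["SRC"]].add(port)
    return dict(hits)


def classify(hits):
    """Label each source by which of the two readings its ports support."""
    labels = {}
    for src, ports in hits.items():
        if ports == set(WATCHED):
            labels[src] = "both ports"       # same IP on 6346 and 27374
        else:
            labels[src] = WATCHED[next(iter(ports))] + " port only"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify(syn_only_probes(SAMPLE_LOG)).items()):
        print(src, label)
```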
