
IDS: Re: [NTSEC] Default trojan ports


Larry Chin (larrysprint.ca)
Thu, 26 Aug 1999 15:22:26 -0400 (EDT)



check out http://www.simovits.com/nyheter9902.html

===================================================================
Larry Chin {larrysprint.ca}      Technical Specialist - ISC
Sprint Canada
2550 Victoria Park Avenue        Phone: 416.496.1644 ext. 4693
Suite 200, North York, Ontario   Fax: 416.498.3507
M2J 5E6
===================================================================

On Mon, 23 Aug 1999, Fred wrote:

>
> TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomoiss.net
> Contact ntsecurity-owneriss.net for help with any problems!
> ---------------------------------------------------------------------------
>
> Hi,
>
> I have found the information posted about trojan ports very informative and
> useful. I am trying to detect and remove any such existing trojan horse
> programs. But finding their hiding places to remove the trojan horse is very
> tedious.
>
> Wonder if anyone knows of:
> (i) Any place where I can get my hands on a compiled listing of these
> trojan horse information, like the exe filenames, size, where they would
> hide, etc.
> (ii) Any IDS currently available or being developed with trojan horse
> detection mechanisms.
>
> Rgds ..... Fred
>
>
> -----Original Message-----
> From: Joakim von Braun <joakim.von.braunrisab.se>
> To: ntsecurityiss.net <ntsecurityiss.net>
> Cc: firewallslists.gnac.com <firewallslists.gnac.com>;
> PacketStormgenocide2600.com <PacketStormgenocide2600.com>;
> flashbackflashback.se <flashbackflashback.se>
> Date: 13 May 1999 02:44
> Subject: [NTSEC] Default trojan ports
>
>
>
> TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomoiss.net
> Contact ntsecurity-owneriss.net for help with any problems!
> ---------------------------------------------------------------------------
>
> After seeing several questions about traffic directed at ports as 31337 and
> 12345 I've put together a list of all trojans known to me and the default
> ports they are using. Of course several of them could use any port, but I
> hope this list will maybe give you a clue of what might be going on.
>
> port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
> port 23 - Tiny Telnet Server
> port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy
> port 31 - Hackers Paradise
> port 80 - Executor
> port 456 - Hackers Paradise
> port 555 - Ini-Killer, Phase Zero, Stealth Spy
> port 666 - Satanz Backdoor
> port 1001 - Silencer, WebEx
> port 1011 - Doly Trojan
> port 1170 - Psyber Stream Server, Voice
> port 1234 - Ultors Trojan
> port 1245 - VooDoo Doll
> port 1492 - FTP99CMP
> port 1600 - Shivka-Burka
> port 1807 - SpySender
> port 1981 - Shockrave
> port 1999 - BackDoor
> port 2001 - Trojan Cow
> port 2023 - Ripper
> port 2115 - Bugs
> port 2140 - Deep Throat, The Invasor
> port 2801 - Phineas Phucker
> port 3024 - WinCrash
> port 3129 - Masters Paradise
> port 3150 - Deep Throat, The Invasor
> port 3700 - Portal of Doom
> port 4092 - WinCrash
> port 4590 - ICQTrojan
> port 5000 - Sockets de Troie
> port 5001 - Sockets de Troie
> port 5321 - Firehotcker
> port 5400 - Blade Runner
> port 5401 - Blade Runner
> port 5402 - Blade Runner
> port 5569 - Robo-Hack
> port 5742 - WinCrash
> port 6670 - DeepThroat
> port 6771 - DeepThroat
> port 6969 - GateCrasher, Priority
> port 7000 - Remote Grab
> port 7300 - NetMonitor
> port 7301 - NetMonitor
> port 7306 - NetMonitor
> port 7307 - NetMonitor
> port 7308 - NetMonitor
> port 7789 - ICKiller
> port 9872 - Portal of Doom
> port 9873 - Portal of Doom
> port 9874 - Portal of Doom
> port 9875 - Portal of Doom
> port 9989 - iNi-Killer
> port 10067 - Portal of Doom
> port 10167 - Portal of Doom
> port 11000 - Senna Spy
> port 11223 - Progenic trojan
> port 12223 - Hack'99 KeyLogger
> port 12345 - GabanBus, NetBus
> port 12346 - GabanBus, NetBus
> port 12361 - Whack-a-mole
> port 12362 - Whack-a-mole
> port 16969 - Priority
> port 20001 - Millennium
> port 20034 - NetBus 2 Pro
> port 21544 - GirlFriend
> port 22222 - Prosiak
> port 23456 - Evil FTP, Ugly FTP
> port 26274 - Delta
> port 31337 - Back Orifice
> port 31338 - Back Orifice, DeepBO
> port 31339 - NetSpy DK
> port 31666 - BOWhack
> port 33333 - Prosiak
> port 34324 - BigGluck, TN
> port 40412 - The Spy
> port 40421 - Masters Paradise
> port 40422 - Masters Paradise
> port 40423 - Masters Paradise
> port 40426 - Masters Paradise
> port 47262 - Delta
> port 50505 - Sockets de Troie
> port 50766 - Fore
> port 53001 - Remote Windows Shutdown
> port 61466 - Telecommando
> port 65000 - Devil
>
> You'll find the list on the following address:
> http://www.simovits.com/nyheter9902.html (still in Swedish but it will be
> translated in the near future).
>
> To help anyone to detect trojan attacks, I'm planning to add information
> about the original names of the executables, their size, where they usually
> are hiding, and the names of any helpfiles they may use. I will also add
> tools or links to tools that may be of your assistance.
>
> Feel free to get back to me with any comments or suggestions. If you find
> new trojans I'll love to get my hands on them, but please mail me first, as
> I don't need more than one copy. If you have live experience of trojan
> attacks I'm interested to read about your findings.
>
> Joakim
>
> joakim.von.braunrisab.se
>
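
Added example (not part of the original thread or of any tool mentioned in it): one way to use a default-port list like the one quoted above for firewall-log triage, separating a probe to a listed port from a reply sent from one, and down-weighting listed ports that are also ordinary service ports. The log format, addresses and severity labels are assumptions constructed for illustration; the port table is a subset of the quoted list, and since the list's author notes these trojans can use any port, a match is a lead rather than proof.

```python
import re

# Subset of the default-port list quoted above (port -> trojan names).
TROJAN_PORTS = {
    21: "Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash",
    80: "Executor",
    1234: "Ultors Trojan",
    12345: "GabanBus, NetBus",
    20034: "NetBus 2 Pro",
    31337: "Back Orifice",
}
# Listed ports that are also standard service ports (FTP, telnet, SMTP, HTTP):
# a match on these alone is weak evidence.
SERVICE_PORTS = {21, 23, 25, 80}

# Constructed sample log. Assumed format:
#   ACTION PROTO SRC:SPORT -> DST:DPORT FLAGS
SAMPLE_LOG = """\
ACCEPT tcp 192.0.2.10:1045 -> 10.0.0.5:80 SYN
DENY tcp 198.51.100.7:2301 -> 10.0.0.8:12345 SYN
ACCEPT tcp 10.0.0.8:12345 -> 198.51.100.7:2301 SYN-ACK
ACCEPT tcp 10.0.0.9:1234 -> 203.0.113.4:443 SYN
DENY udp 198.51.100.7:4000 -> 10.0.0.8:31337 NONE
"""

LINE = re.compile(r"(\w+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\S+)$")


def triage(log):
    """Return (severity, host, port, names) for each suspicious record."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _action, _proto, src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if flags == "SYN-ACK":
            # A reply *from* a listed port means something is listening there.
            if sport in TROJAN_PORTS and sport not in SERVICE_PORTS:
                findings.append(("high", src, sport, TROJAN_PORTS[sport]))
        elif dport in TROJAN_PORTS:
            # A probe *to* a listed port; the source port is ephemeral and ignored.
            level = "low" if dport in SERVICE_PORTS else "medium"
            findings.append((level, dst, dport, TROJAN_PORTS[dport]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The fourth sample line shows why only the destination port of an initial packet is checked: a client that happens to pick 1234 as its source port is not flagged.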



This archive was generated by hypermail 2.0b3 on Fri Aug 27 1999 - 00:48:24 CDT