From: Loki (loki@fatelabs.com)
Date: Sun Nov 04 2001 - 22:00:01 CST
Then let me provide a rebuttal rant. I don't see any issue with his
question. What if perhaps one of us on this list recognizes those ports as
being an unreleased trojan that has not hit Bugtraq? I see no issues with
him raising his question to this list. Instead, let me ask you this. Should
we promote the public reprimand of an individual for what he believes to be
a valid question that others might see, forcing them into hiding where
further questions might have been posed? Do you want to claim the
responsibility of being the one to send them into hiding?
In my world, there is no such thing as a stupid question in this industry. I
remind you that this industry itself is quite young. Therefore we are all
learning as we go. I think a more appropriate response would have been just
your suggestion to use a sniffer and try connecting locally to those
listening ports. I do remind you that egos in this industry are the largest
cause of people not learning more than they already know. I also remind you
that they cause others to be afraid to ask what could have been questions
that benefit others.
If we are not a part of the solution, we are part of the problem.
=====================================================
Loki
Founder/Chief Research Scientist
Fate Research Labs
United States VPN Division
[e] loki@fatelabs.com
[w] www.fatelabs.com
-----------------------------------------------------
"You know how you have that dent above your upper
lip? Well at the beginning of time I told you a
secret and put my finger there and said, shhh"
- Fate Research Labs
Long Live Our Reign
=====================================================
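The triage step both replies point at (look at what is actually knocking before asking which trojan owns the port), worked over the firewall log quoted later in this thread. This is an added example, not code from any of the posts. It parses the log's own lines (port, source, label, timestamp), collapses a SYN and its retransmissions into a single connection attempt, and then asks whether a given source comes back on a fixed schedule and whether the scheduled sources share a network. The 45-second retransmit window, the year 2001 (the log carries no year) and the "same gap three times" rule are assumptions made for this example; the LOG string is an excerpt of the quoted log, not a complete copy.

```python
# Triage of "unknown port" firewall hits: does a run of entries from one
# source look like one connection attempt (a SYN plus its retransmissions)
# or like a client coming back on a schedule?  Added example, not list code.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Excerpt of the firewall log quoted in this thread: port, source, label,
# timestamp.  The log has no year; 2001 is assumed from the mail date.
LOG = """\
22634 24.254.60.19 unknown Nov 3 23:46:26
22634 24.254.60.19 unknown Nov 3 23:45:26
22634 24.254.60.19 unknown Nov 3 23:44:26
22634 24.254.60.19 unknown Nov 3 23:43:26
22634 24.254.60.19 unknown Nov 3 23:42:26
22634 24.254.60.19 unknown Nov 3 23:41:53
22634 24.254.60.19 unknown Nov 3 23:41:36
22634 24.254.60.19 unknown Nov 3 23:41:28
27374 24.19.71.108 Sub7 Nov 3 21:18:13
27374 24.19.71.108 Sub7 Nov 3 21:18:01
27374 24.19.71.108 Sub7 Nov 3 21:17:55
27374 24.19.71.108 Sub7 Nov 3 21:17:52
34554 24.254.60.39 unknown Nov 3 19:59:40
34554 24.254.60.39 unknown Nov 3 19:58:40
34554 24.254.60.39 unknown Nov 3 19:57:40
34554 24.254.60.39 unknown Nov 3 19:56:40
34554 24.254.60.39 unknown Nov 3 19:55:40
34554 24.254.60.39 unknown Nov 3 19:55:02
34554 24.254.60.39 unknown Nov 3 19:54:43
34554 24.254.60.39 unknown Nov 3 19:54:33
29319 24.254.60.33 unknown Nov 3 10:11:09
29319 24.254.60.33 unknown Nov 3 10:10:09
29319 24.254.60.33 unknown Nov 3 10:09:09
29319 24.254.60.33 unknown Nov 3 10:08:09
29319 24.254.60.33 unknown Nov 3 10:07:09
29319 24.254.60.33 unknown Nov 3 10:06:33
29319 24.254.60.33 unknown Nov 3 10:06:15
29319 24.254.60.33 unknown Nov 3 10:06:06
"""

# An unanswered SYN is retried with roughly doubling gaps (a few seconds,
# then about 2x, 4x ...).  Hits closer together than this window count as
# one attempt.  45 s is an assumption for this example, not a standard.
RETRANSMIT_WINDOW = 45

def parse(log_text, year=2001):
    """Return (port, src, label, datetime) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 6:  # skip blank or malformed lines rather than crash
            port, src, label, mon, day, hms = parts
            stamp = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
            events.append((int(port), src, label, stamp))
    return events

def attempts(times):
    """Collapse sorted hit times into the start time of each attempt."""
    starts, last = [], None
    for t in times:
        if last is None or (t - last).total_seconds() > RETRANSMIT_WINDOW:
            starts.append(t)
        last = t
    return starts

def classify(times):
    """Return (kind, period_in_seconds_or_None, number_of_attempts)."""
    starts = attempts(sorted(times))
    if len(starts) == 1:
        return ("single-attempt", None, 1)
    gaps = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    common = max(set(gaps), key=gaps.count)
    if gaps.count(common) >= 3:  # the same gap three times is a schedule
        return ("periodic", common, len(starts))
    return ("repeated", None, len(starts))

def triage(log_text):
    """Map (port, src) -> classify(...) for every source/port pair seen."""
    hits = defaultdict(list)
    for port, src, _label, stamp in parse(log_text):
        hits[(port, src)].append(stamp)
    return {key: classify(stamps) for key, stamps in hits.items()}

def periodic_by_net(verdicts, prefixlen=24):
    """Sources of periodic hits grouped by /prefixlen network."""
    nets = defaultdict(set)
    for (port, src), (kind, _p, _n) in verdicts.items():
        if kind == "periodic":
            net = ip_network(f"{src}/{prefixlen}", strict=False)
            nets[str(net)].add((port, src))
    return dict(nets)

if __name__ == "__main__":
    verdicts = triage(LOG)
    for (port, src), (kind, period, n) in sorted(verdicts.items()):
        sched = f", every {period}s, {n} attempts" if kind == "periodic" else ""
        print(f"port {port:>5} from {src:<14} {kind}{sched}")
    print("periodic sources by /24:", periodic_by_net(verdicts))
```

On the quoted lines this separates the Sub7 entries (one probe and its retransmissions, three, six and twelve seconds apart) from the three "unknown" ports, where each source sits in 24.254.60.0/24, runs a short doubling burst and then comes back once a minute. That pattern, rather than the port number, is what to carry into the next step the replies describe: check whether anything on the targeted host is listening there, and if a connection ever completes, sniff it.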
-----Original Message-----
From: Stephen [mailto:sa7ori@tasam.com]
Sent: Sunday, November 04, 2001 9:39 PM
To: incidents@securityfocus.com
Subject: Re: Firewall hits/unknown ports
<RANT>
I don't want to sound like a pompous arse, but I think we should be
careful with asking questions like this. In the tradition of making
oversimplified and romantic analogies to the biological world, the
internet, and the world's public networks are like forests. There is a
certain degree of chaos and a certain degree of natural order to their
basic operation. The chaos factor comes from the human interaction with
the technology.
</RANT>
Trojans and backdoors are equally as unpredictable. You
can, with one line (in inetd), bind a shell to ANY port.
You can write ANY number of programs or scripts to do the same on
unprivileged ports without root. From the network, stuff like that is even
less predictable because of the plethora of client connection initiation
done BEHIND the firewall. Some innocuous client software could use the
higher port numbers for nonpassive communication or something. It could be
anything. Have you tried to connect to the host targeted on that port?
Throwing shell commands at it? If you have console access to the machine,
look at all processes; if there is a live connection, sniff it. The
wilderness of our networks can be incredibly dynamic; we have to cope with
this, and be innovative and diligent in our conquest to grok the vast
expanse of information. Do your part to contribute to the
"bodiless exultation that is the matrix". heh. oi. BRAAAAAAZIILLLLLLLL!.
On Sun, 4 Nov 2001 bonk@webchat.chatsystems.com wrote:
>
>
> Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ?
> Snort.org doesn't list these.
>
> Port  Source IP        Service  Time
> 80 24.23.170.219 http Nov 4 03:56:14
> 80 24.23.19.114 http Nov 4 03:13:24
> 80 24.23.170.219 http Nov 4 02:57:32
> 80 24.23.170.219 http Nov 4 02:57:29
> 80 24.23.170.219 http Nov 4 02:44:27
> 80 24.23.170.219 http Nov 4 02:08:54
> 80 24.23.170.219 http Nov 4 02:08:51
> 80 24.100.151.92 http Nov 4 02:01:11
> 80 24.100.151.92 http Nov 4 02:01:08
> 80 24.214.18.131 http Nov 4 00:57:24
> 80 67.164.189.42 http Nov 4 00:16:15
> 25 67.164.189.42 smtp Nov 4 00:16:14
> 110 67.164.189.42 pop3 Nov 4 00:16:14
> 21 67.164.189.42 ftp Nov 4 00:16:13
> 7 67.164.189.42 echo Nov 4 00:16:13
> 53 67.164.189.42 domain Nov 4 00:16:09
> 22634 24.254.60.19 unknown Nov 3 23:49:26
> 22634 24.254.60.19 unknown Nov 3 23:48:26
> 22634 24.254.60.19 unknown Nov 3 23:47:26
> 22634 24.254.60.19 unknown Nov 3 23:46:26
> 22634 24.254.60.19 unknown Nov 3 23:45:26
> 22634 24.254.60.19 unknown Nov 3 23:44:26
> 22634 24.254.60.19 unknown Nov 3 23:43:26
> 22634 24.254.60.19 unknown Nov 3 23:42:26
> 22634 24.254.60.19 unknown Nov 3 23:41:53
> 22634 24.254.60.19 unknown Nov 3 23:41:36
> 22634 24.254.60.19 unknown Nov 3 23:41:28
> 80 24.23.170.219 http Nov 3 23:39:37
> 80 24.51.8.166 http Nov 3 22:57:26
> 80 24.51.8.166 http Nov 3 22:57:23
> 80 24.23.170.219 http Nov 3 22:47:18
> 80 24.23.170.219 http Nov 3 22:47:15
> 21 80.11.127.241 ftp Nov 3 22:39:47
> 21 80.11.127.241 ftp Nov 3 22:39:41
> 80 24.23.19.114 http Nov 3 22:29:26
> 80 24.23.19.114 http Nov 3 22:29:23
> 80 24.23.170.219 http Nov 3 22:13:45
> 80 24.23.170.219 http Nov 3 22:01:43
> 80 24.23.170.219 http Nov 3 22:01:40
> 80 24.23.19.114 http Nov 3 21:30:41
> 80 24.23.19.114 http Nov 3 21:30:38
> 27374 24.19.71.108 Sub7 Nov 3 21:18:13
> 27374 24.19.71.108 Sub7 Nov 3 21:18:01
> 27374 24.19.71.108 Sub7 Nov 3 21:17:55
> 27374 24.19.71.108 Sub7 Nov 3 21:17:52
> 80 24.23.19.114 http Nov 3 20:44:14
> 80 24.23.19.114 http Nov 3 20:44:11
> 80 24.23.19.114 http Nov 3 20:34:55
> 80 24.23.19.114 http Nov 3 20:34:52
> 80 24.23.19.114 http Nov 3 20:18:01
> 80 24.23.19.114 http Nov 3 20:17:58
> 80 24.23.170.219 http Nov 3 20:17:05
> 80 24.23.170.219 http Nov 3 20:10:24
> 80 24.23.170.219 http Nov 3 20:10:22
> 34554 24.254.60.39 unknown Nov 3 20:01:40
> 80 24.23.170.219 http Nov 3 20:01:04
> 80 24.23.170.219 http Nov 3 20:01:02
> 34554 24.254.60.39 unknown Nov 3 20:00:40
> 34554 24.254.60.39 unknown Nov 3 19:59:40
> 34554 24.254.60.39 unknown Nov 3 19:58:40
> 34554 24.254.60.39 unknown Nov 3 19:57:40
> 34554 24.254.60.39 unknown Nov 3 19:56:40
> 34554 24.254.60.39 unknown Nov 3 19:55:40
> 34554 24.254.60.39 unknown Nov 3 19:55:02
> 34554 24.254.60.39 unknown Nov 3 19:54:43
> 34554 24.254.60.39 unknown Nov 3 19:54:33
> 53 202.138.113.150 domain Nov 3 19:54:12
> 53 202.138.113.150 domain Nov 3 19:54:06
> 53 202.138.113.150 domain Nov 3 19:54:03
> 27374 24.156.37.3 Sub7 Nov 3 19:42:12
> 27374 24.156.37.3 Sub7 Nov 3 19:42:06
> 27374 24.156.37.3 Sub7 Nov 3 19:42:02
> 80 24.23.19.114 http Nov 3 19:23:08
> 80 24.23.19.114 http Nov 3 19:23:05
> 111 211.112.143.2 sunrpc Nov 3 19:22:33
> 80 24.23.19.114 http Nov 3 19:21:11
> 80 24.23.19.114 http Nov 3 19:21:07
> 80 24.23.19.114 http Nov 3 19:11:52
> 80 24.23.19.114 http Nov 3 19:11:49
> 80 24.16.82.182 http Nov 3 16:25:40
> 80 24.16.82.182 http Nov 3 16:25:37
> 80 24.12.210.113 http Nov 3 15:50:57
> 80 24.12.210.113 http Nov 3 15:50:54
> 29319 24.254.60.33 unknown Nov 3 10:13:09
> 29319 24.254.60.33 unknown Nov 3 10:12:09
> 29319 24.254.60.33 unknown Nov 3 10:11:09
> 29319 24.254.60.33 unknown Nov 3 10:10:09
> 29319 24.254.60.33 unknown Nov 3 10:09:09
> 29319 24.254.60.33 unknown Nov 3 10:08:09
> 29319 24.254.60.33 unknown Nov 3 10:07:09
> 29319 24.254.60.33 unknown Nov 3 10:06:33
> 29319 24.254.60.33 unknown Nov 3 10:06:15
> 29319 24.254.60.33 unknown Nov 3 10:06:06
> 80 213.96.11.21 http Nov 3 09:52:33
> 515 157.238.46.30 printer Nov 3 08:15:20
> 515 157.238.46.30 printer Nov 3 08:15:17
> 111 211.100.18.45 sunrpc Nov 3 07:54:16
> 111 211.100.18.45 sunrpc Nov 3 07:54:13
> 80 24.234.87.155 http Nov 3 06:15:40
> 80 24.234.87.155 http Nov 3 06:15:37
>
> Bonk
> Bonk@cyberabuse.org
>
>
> ================================================
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------