From: Valdis.Kletnieksvt.edu
Date: Sun Nov 04 2001 - 22:13:53 CST

    On Sun, 04 Nov 2001 21:28:29 CST, Glenn Forbes Fleming Larratt <glrattrice.edu> said:
    > You might look at (and provide) what they're using for a "source" port -
    > I've seen numerous "reverse http" and "reverse telnet" scans, where
    > a source port of 80 or 23 is used. Such an approach could fool
    > a stateless firewall or IDS.
    > On Sun, 4 Nov 2001 bonkwebchat.chatsystems.com wrote:
    > > Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ?
    > > 22634 24.254.60.19 unknown Nov 3 23:49:26

    Equally to the point - I may have blinked, but I didn't see ruled out
    that 24.254.60.19 isn't running a http/smtp/ftp/whatever server
    unbeknownst to the firewall admin. So 22634 may be a totally
    reasonable ephemeral port picked at the client end for a connection to
    a web server running on the box, triggering an IDS.

    And remember that there's at least one instant messaging client that
    provides a baby web server onboard....

                                    Valdis Kletnieks
                                    Operating Systems Analyst
                                    Virginia Tech

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
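
An added example, not part of the original messages: a small stateful check that separates the two cases raised in the thread, a reply to an ephemeral port the client picked versus an unsolicited packet that only carries a service source port, and shows that a stateless source-port rule passes both. It assumes 24.254.60.19 is the remote end and the logged ports are on the protected side; the internal network, the second remote address and every packet are constructed sample data.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # assumed protected network (constructed)
SERVICE_PORTS = {21, 23, 25, 80}        # ftp, telnet, smtp, http

def stateless_allows(pkt):
    """Stateless 'allow replies' rule: trusts the source port alone."""
    return pkt["sport"] in SERVICE_PORTS and pkt["dport"] >= 1024

def classify(packets):
    """Track outbound SYNs, then label every inbound packet.

    Returns (src, dport, label, stateless_allows) per inbound packet.
    """
    flows = set()  # (client_ip, client_port, server_ip, server_port)
    verdicts = []
    for p in packets:
        if ip_address(p["src"]) in INTERNAL:
            if p["flags"] == "S":       # client opened a connection
                flows.add((p["src"], p["sport"], p["dst"], p["dport"]))
            continue
        if (p["dst"], p["dport"], p["src"], p["sport"]) in flows:
            label = "reply"             # answer to an ephemeral client port
        elif p["sport"] in SERVICE_PORTS:
            label = "unsolicited-service-port"  # source port 80/23 with no flow
        else:
            label = "unsolicited"
        verdicts.append((p["src"], p["dport"], label, stateless_allows(p)))
    return verdicts

def pkt(src, sport, dst, dport, flags):
    return dict(src=src, sport=sport, dst=dst, dport=dport, flags=flags)

# Constructed packets. Only 24.254.60.19 and the three ports come from the thread.
SAMPLE = [
    pkt("192.0.2.10", 22634, "24.254.60.19", 80, "S"),     # client connects out
    pkt("24.254.60.19", 80, "192.0.2.10", 22634, "SA"),    # server answers
    pkt("198.51.100.7", 80, "192.0.2.10", 24544, "S"),     # no prior flow
    pkt("198.51.100.7", 40000, "192.0.2.10", 29319, "S"),  # no prior flow
]

if __name__ == "__main__":
    for src, dport, label, passed in classify(SAMPLE):
        print(f"{src:>15} -> port {dport:<5} {label:<25} stateless_allows={passed}")
```

The first two inbound packets both satisfy the stateless rule; only the connection table tells the benign reply apart from the packet that has no matching outbound flow.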