From: KoRe MeLtDoWn (koremeltdown_at_hotmail.com)
Date: Wed Sep 04 2002 - 16:09:46 CDT
Hey Jeff,
Port 1214 is used by Kazaa aka Morpheus; this is obviously the remote port that
the "scanner" is using. Port 31336 IS used by Back Orifice 2000 aka BO2k aka
DeepBO (this is a special release of BO btw).
It appears the attacker may be doing one of two things:
a/ He/she has somehow manipulated Kazaa to scan not for other Kazaa users on
port 1214, but to scan for BO infected machines on port 31336.
The other possibility is simple - they've written a scanner or customised the
settings of a current scanner to have the local scanning port on port 1214
to make it look like it's Kazaa doing it automatically; however, they are
actively portscanning either your network (I wasn't sure if it was a network
you had) or just your lone box.
This is just a suggestion, but the best one I could come up with :)
To check the validity of my theory, if it is a box with Kazaa operating on
it, it should have port 80 open if I recall, showing all shared files within
the Kazaa program - they may have patched this in the later versions that
have been released lately of course :)
Hope this helps you
Hamish Stanaway
-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/
New Zealand
Is your box REALLY secure?
>From: Jeff Kell <jeff-kell_at_utc.edu>
>To: Incidents List <incidents_at_securityfocus.com>
>Subject: Strange back-orifice looking scan...
>Date: Wed, 04 Sep 2002 12:08:48 -0400
>
>This popped up on ingress this morning, apparently with forged source
>addresses (given the timing). Didn't get a packet capture but just
>the signature (we block Back Orifice ports):
>
>Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
>Sep 4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp
>146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet
>
>Any clues on this one? Looks new to me...
>
>Jeff
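As an added example that is not from the thread: a small Python checker that parses Cisco %SEC-6-IPACCESSLOGP lines like the ones Jeff quoted and flags bursts where many distinct sources share one source port against one destination port (the 1214 -> 31336 pattern above). It assumes the log year is 2002 and uses constructed sample lines with TEST-NET addresses rather than the thread's real sources.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Cisco IPACCESSLOGP lines quoted above: "list <acl> denied <proto> src(sport) -> dst(dport), N packet".
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\w+:\s+"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+\S+\s+(?:denied|permitted)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[^\s(]+)\((?P<dport>\d+)\),\s+(?P<pkts>\d+)\s+packet"
)

def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # The log carries no year; 2002 (the thread's date) is assumed so timestamps can be compared.
    ts = datetime.strptime(f"2002 {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"], "pkts": int(d["pkts"])}

def find_distributed_probes(lines, min_sources=5, window_seconds=300):
    """Flag (proto, sport, dport) groups hit by >= min_sources distinct sources
    within window_seconds: many sources sharing one source port (1214 -> 31336
    above) is the tell. Sources may be forged, so the count measures breadth only."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["proto"], rec["sport"], rec["dport"])].append(rec)
    alerts = []
    for (proto, sport, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        sources = {r["src"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(sources) >= min_sources and span <= window_seconds:
            alerts.append({"proto": proto, "sport": sport, "dport": dport,
                           "sources": len(sources), "span_seconds": span})
    return alerts

# Constructed sample in the same format (TEST-NET addresses, not the thread's real sources).
SAMPLE_LINES = [
    "Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.1(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.2(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.3(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.4(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.5(1214) -> aa.bb.cc.dd(31336), 1 packet",
    "Sep 4 11:56:36.000 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.9(40000) -> aa.bb.cc.dd(31336), 1 packet",
]
```

Feeding a day's `show logging` output through `find_distributed_probes` surfaces the same shape even when the destination port is not one you already block.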
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com