Date: Wed, 12 Aug 1998 15:51:31 +1000 (EST)
From: Nicholas Charles Brawn
To: "Bruce A. Mah"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>

On Tue, 11 Aug 1998, Bruce A. Mah wrote:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:
>
> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337 from AA.BB.CC.DD:1190
>
> Given prior experience on the target machine, I wouldn't be surprised if it's
> part of a portscan, but I don't know what such a scan would be probing for.
>
> Thanks in advance,
>
> Bruce.
>

I'm guessing that it's a scan to see whether anyone has installed BO (Back
Orifice) on machines in your subnet. By default the port this program
listens on is UDP port 31337. However, if you aren't already aware, Back
Orifice only affects Windows 95 and 98 machines, with an NT version in the
works.
There has been some discussion on Bugtraq and other security forums about
detecting an installation of BO on your 95/98 networks; have a look in the
relevant archives.

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown
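
An added example, not part of the original message: one way to triage kernel log entries like the one quoted above, separating a source that probed UDP 31337 on many hosts (a subnet sweep) from a one-off packet. It assumes the "Connection attempt" lines from several hosts are collected in one file; the hostnames, addresses and the three-target threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the message; documentation-range
# addresses stand in for the redacted ones, and wasp/bee are made-up hosts.
SAMPLE_LOG = """\
Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP 192.0.2.10:31337 from 198.51.100.7:1190
Aug 11 04:41:36 wasp /kernel: Connection attempt to UDP 192.0.2.11:31337 from 198.51.100.7:1191
Aug 11 04:41:37 bee /kernel: Connection attempt to UDP 192.0.2.12:31337 from 198.51.100.7:1192
Aug 11 09:02:10 hornet /kernel: Connection attempt to UDP 192.0.2.10:31337 from 203.0.113.5:2044
Aug 11 09:15:00 hornet /kernel: Connection attempt to TCP 192.0.2.10:31337 from 203.0.113.5:2050
Aug 11 10:00:01 hornet /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Aug 11 10:00:02 hornet sshd[311]: unrelated line
"""

LINE_RE = re.compile(
    r"/kernel: Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)\s*$"
)
BO_DEFAULT_PORT = 31337  # Back Orifice default UDP port, per the reply above
SWEEP_THRESHOLD = 3      # assumed cut-off: distinct local targets from one source


def bo_probe_report(log_text):
    """Map each source IP to the set of local addresses it probed on UDP 31337."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Ignore non-matching lines, TCP attempts, and other UDP ports.
        if not m or m["proto"] != "UDP" or int(m["dport"]) != BO_DEFAULT_PORT:
            continue
        targets[m["src"]].add(m["dst"])
    return dict(targets)


def classify(report, threshold=SWEEP_THRESHOLD):
    """Label a source 'sweep' if it hit at least `threshold` targets, else 'single'."""
    return {src: ("sweep" if len(dsts) >= threshold else "single")
            for src, dsts in report.items()}


if __name__ == "__main__":
    report = bo_probe_report(SAMPLE_LOG)
    for src, kind in sorted(classify(report).items()):
        print(f"{src}: {kind}, {len(report[src])} target(s) on UDP/{BO_DEFAULT_PORT}")
```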