Date: Fri, 12 Feb 1999 13:45:20 +1100 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@FreeBSD.ORG
Subject: Re: Someone sent me a security notice
Message-ID: <Pine.BSF.4.01.9902121331350.27675-100000@velvet.sensation.net.au>
In-Reply-To: <199902120141.SAA19923@pcslink.com>
On Thu, 11 Feb 1999, Ryan Mooney wrote:

> Likely someone from your site did a traceroute (which uses UDP to port
> 31337 or thereabouts depending on the version) to this uninformed and
> paranoid individual. They saw the error in their logs and, not
> understanding it, did the obvious reverse things (ARIN whois, nslookup/whois,
> etc.) to find out who might own the originating PC. Apparently this is
> you (or else you would've trashed it :). The thing to do is send them a
> kind and considerate note explaining that traceroute is not a hack attempt;
> it is simply a standard diagnostic tool, and if they send a nasty gram
> to everyone who ever traceroutes to their network they will be busy boys
> indeed. You then delete the e-mail and go have a beer :) !

I'm more than a little surprised at seeing a couple of responses so far that don't seem to be aware of what the significance of port 31337 is.

Back Orifice is a form of virus/trojan that allows one to control any computer 'infected' with it remotely, via TCP/UDP/IP. It can simply be annoying, like the victim's CD tray opening and closing without apparent provocation, or it can be serious, like obtaining the victim's credit card details (I know of someone who this happened to, and the offender used her credit card before she was able to cancel it. The police were notified but there was little they could do.)

I have UDP port 31337 blocked here (and also Netbus, which is a similar nasty, TCP ports 12340-12345) and see either isolated probes to a single IP (probably gathered from IRC or ICQ) or scans of my entire IP block almost daily. Here are my port 31337 blocks for the last 50 days (ipfw -a l | grep 31337):

00205 2409 112594 deny log udp from any to 203.20.114.0/24 31337 in
00205 64 2944 deny log udp from any to 203.36.150.64/26 31337 in
00205 6 282 deny log udp from any to 203.55.253.0/24 31337 in

It's highly likely that the person sending the original complaint was not being paranoid at all.
http://www.cultdeadcow.com/tools/ contains some information about BO from the people who created it.

BTW, according to the man page, traceroute uses ports starting at 33434, which is well above the "eleet" port of 31337.

Cheers.

-- 
Rowan Crowe
Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728   +61-3-9388-9260
http://www.rowan.sensation.net.au/
http://www.sensation.net.au/
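A small defender-side helper, added here as an illustration (not code from the original thread or from FreeBSD), that totals the packet counters in `ipfw -a l` output per port range, so probes of the trojan ports (Back Orifice on 31337, Netbus on 12340-12345) are not confused with traceroute's UDP range starting at 33434. The sample listing is constructed, and the traceroute upper bound 33534 is an assumption; the message only gives the base port.

```python
# Constructed sample `ipfw -a l` output in the format quoted in the message
# (rule number, packet count, byte count, then the rule body).
SAMPLE = """\
00205 2409 112594 deny log udp from any to 203.20.114.0/24 31337 in
00205 64 2944 deny log udp from any to 203.36.150.64/26 31337 in
00210 17 1360 deny log tcp from any to 203.20.114.0/24 12340-12345 in
00300 5 400 allow udp from 203.20.114.0/24 to any 33434-33534 out
65535 99 9900 allow ip from any to any
"""
# Port ranges discussed in the thread. The traceroute upper bound is an
# assumption: the man page only gives the base port 33434.
LABELS = {
    "Back Orifice": (31337, 31337),
    "Netbus": (12340, 12345),
    "traceroute": (33434, 33534),
}

def parse_ipfw_line(line):
    """Return (packets, dst port range) for one rule line, else None."""
    tokens = line.split()
    if len(tokens) < 4 or not tokens[0].isdigit() or "to" not in tokens:
        return None
    body = tokens[3:]   # action [log] proto from src to dst [port] [in|out]
    to_idx = body.index("to")
    port = None
    if to_idx + 2 < len(body) and body[to_idx + 2] not in ("in", "out"):
        lo, _, hi = body[to_idx + 2].partition("-")   # '31337' or '12340-12345'
        port = (int(lo), int(hi or lo))
    return int(tokens[1]), port

def label_for(port_range):
    """Name the first labelled range that a destination port range overlaps."""
    if port_range is None:
        return None
    lo, hi = port_range
    for name, (a, b) in LABELS.items():
        if lo <= b and hi >= a:
            return name
    return None

def summarize(listing):
    """Total matched packets per label across all rules in a listing."""
    totals = {}
    for line in listing.splitlines():
        parsed = parse_ipfw_line(line)
        name = label_for(parsed[1]) if parsed else None
        if name:
            totals[name] = totals.get(name, 0) + parsed[0]
    return totals
```

Run it against real `ipfw -a l` output instead of SAMPLE to see at a glance whether a complaining party was hit by a trojan probe or by an ordinary traceroute.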