From owner-freebsd-security  Tue Oct  3  7:17:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fyre.somcol.co.za (fyre.somcol.co.za [196.30.167.130])
	by hub.freebsd.org (Postfix) with ESMTP id E88B537B502
	for <security@freebsd.org>; Tue,  3 Oct 2000 07:17:24 -0700 (PDT)
Received: from localhost (jus@localhost)
	by fyre.somcol.co.za (8.9.3/8.9.3) with ESMTP id QAA73981;
	Tue, 3 Oct 2000 16:17:04 +0200 (SAST)
	(envelope-from jus@security.za.net)
X-Authentication-Warning: fyre.somcol.co.za: jus owned process doing -bs
Date: Tue, 3 Oct 2000 16:17:04 +0200 (SAST)
From: Justin Stanford <jus@security.za.net>
X-Sender: jus@fyre.somcol.co.za
To: Michael Williams <mgwilliams@newsouth.com>
Cc: Stephen Hocking <shocking@houston.rr.com>, security@freebsd.org
Subject: Re: Script kiddies and port 12345
In-Reply-To: <Pine.GSO.4.21.0010031007400.15231-100000@nexus.newsouth.net>
Message-ID: <Pine.BSF.4.21.0010031616210.71067-100000@fyre.somcol.co.za>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

More than likely they are just looking for open shares on the SMB port
(139) and netbus servers on port 12345 - this is more within the reach and
ability of the average kiddie and is as common and occurence as dried
fruit :-)

Regards,
jus

On Tue, 3 Oct 2000, Michael Williams wrote:

> 
> On Tue, 3 Oct 2000, Stephen Hocking wrote:
> 
> > After a couple of weeks of probing 139, the little darlings are now hammering 
> > on 12345 - anybody have an idea of what hole this is? Another backdoor?
> 
> Well, if they're probing 139 and 12345, I would assume they're looking for
> NT machines that have Server Management System installed on 'em (or an old
> version of NetBus, since that's what a couple of scanners I've used have
> defaulted to for a description of port 12345).  SMS is a remote
> administration tool for NT machines; I don't know of any specific
> vulnerabilities in the current version, but I would love to be corrected
> if I'm wrong.
> 
> Regards,
> Michael Williams
> NewSouth Communications -- IP Security Team
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message