From owner-freebsd-security Mon Nov 8 11:46:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 1F251152B2 for ; Mon, 8 Nov 1999 11:46:21 -0800 (PST) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.0) with SMTP id GAA14665; Tue, 9 Nov 1999 06:45:55 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Tue, 9 Nov 1999 06:45:55 +1100 (EST)
From: Ian Smith
Reply-To: Ian Smith
To: David G Andersen
Cc: ewayte@pegasus.cc.ucf.edu, security@FreeBSD.ORG
Subject: Re: Port 1243 scans
In-Reply-To: <199911081818.LAA09387@faith.cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 8 Nov 1999, David G Andersen wrote:

> Right. What you want instead is:
>
> Well-known port numbers for trojan horse programs:
>
> http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
>
> Unfortunately, 1243 doesn't appear to be used by anything in this list,
> either. Which is still useful information in and of itself. :) It's
> probably someone's customized thing, or an obscure program.

Had a look at that, thankyou David. Also had some email pointing to:

http://www.robertgraham.com/pubs/firewall-seen.html

which seems to contain a wealth of material on various port attacks:

  1243 Sub-7 Trojan Horse (TCP). This is a commonly seen scan looking
  for systems compromised by this trojan. Sub-Seven scans are becoming
  very frequent, primarily due to an easy-to-use scanner built-in to
  the client.

Thanks to all who helped. Now to find out who, how, and whether ..

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message