Date: Wed, 12 Aug 1998 02:09:02 GMT
From: mike@sentex.net (Mike Tancsa)
To: bmah@CA.Sandia.GOV
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Message-ID: <35d0f921.13102350@mail.sentex.net>
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>
References: <199808120110.SAA14483@stennis.ca.sandia.gov>
On Tue, 11 Aug 1998 18:10:00 -0700, in sentex.lists.freebsd.misc you wrote:

>A marginally off-topic question: Can anyone tell me what service uses UDP
>port 31337? I have a FreeBSD box that has received and logged three packets
>on this port in the last 24 hours:
>
>Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
>from AA.BB.CC.DD:1190
>
>Given prior experience on the target machine, I wouldn't be surprised if it's
>part of a portscan, but I don't know what such a scan would be probing for.

There is a 'neato' trojan program called 'Cult of the Dead Cow Back Orifice
Backdoor' (no, I am not joking)... Out of curiosity, I added the rule

    log udp from any to any 31337 in recv fxp0

and whamo... My dialups are getting scanned big time every day for the past
few days... Basically, I see patterns like

Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.215:31337 in via fxp0
Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.216:31337 in via fxp0
Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.217:31337 in via fxp0
Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP

where the luser in this case at 209.47.158.17 is looking for people with
infected machines.
Here is one reference to it: http://www.security.mci.net

Synopsis: A hacker group known as the Cult of the Dead Cow has released a
Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed, this
backdoor allows unauthorized users to execute privileged operations on the
affected machine. Back Orifice leaves evidence of its existence and can be
detected and removed. The communications protocol and encryption used by
this backdoor have been broken by ISS X-Force.

Description: A backdoor is a program that is designed to hide itself inside
a target host in order to allow the installing user access to the system at
a later time without using normal authorization or vulnerability
exploitation.

Functionality: The BO program is a backdoor designed for Windows 95/98. Once
installed, it allows anyone who knows the listening port number and BO
password to remotely control the host. Intruders access the BO server using
either a text or graphics based client. The server allows intruders to
execute commands, list files, start silent services, share directories,
upload and download files, manipulate the registry, kill processes, list
processes, as well as other options.
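As an added example that is not part of this thread: a small Python script that parses the two FreeBSD log formats quoted above (the kernel's "Connection attempt" message and the output of an ipfw log rule) and flags any source address that probed several local hosts on udp/31337, which is the sweep pattern Mike describes. The sample log lines are constructed from the thread's own entries; the 192.0.2.x and 198.51.100.x addresses are documentation placeholders standing in for the masked ones.

```python
import re
from collections import defaultdict

# Constructed sample log: one kernel "Connection attempt" line (placeholder
# addresses) and ipfw lines copied from the thread, plus an unrelated DNS
# packet that must not be counted.
SAMPLE_LOG = """\
Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP 192.0.2.10:31337 from 198.51.100.7:1190
Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.215:31337 in via fxp0
Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.216:31337 in via fxp0
Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.217:31337 in via fxp0
Aug 11 21:11:41 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.218:31337 in via fxp0
Aug 11 21:12:02 iolite /kernel: ipfw: 4500 Unreach UDP 203.0.113.5:53 209.112.4.215:53 in via fxp0
"""

BO_PORT = 31337  # default Back Orifice listening port, as discussed in the thread

# ipfw log line: "ipfw: <rule> <action> UDP <src>:<sport> <dst>:<dport> in via <if>"
IPFW_RE = re.compile(
    r"ipfw: \d+ \S+ UDP (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
# kernel log line: "Connection attempt to UDP <dst>:<dport> from <src>:<sport>"
VAIN_RE = re.compile(
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a recognised UDP log line, else None."""
    m = IPFW_RE.search(line) or VAIN_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_bo_sweeps(log_text, min_targets=3):
    """Map each source address to the sorted list of local hosts it probed on
    udp/31337, keeping only sources that hit at least min_targets hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == BO_PORT:
            src, dst, _ = parsed
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_bo_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} hosts on udp/{BO_PORT}: {', '.join(dsts)}")
```

A single probe (the hornet line) stays below the threshold and is only reported when min_targets is lowered, so the sweep detector does not fire on one stray packet.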