[Snort-users] Portscan - Port 31790

Max Vision vision at ...4...
Thu Sep 7 18:15:39 EDT 2000


These are known-default ports for the "Hack'a'Tack" trojan.  Since these
are stateless packets it is difficult to tell whether these represent a
simple probe, or actual full-blown compromise of your host.

Another common version of this trojan is in the arachNIDS database:
IDS289/trojan-active-hack-a-tack-2000  ( http://whitehats.com/IDS/289 )

Could you please forward any packet traces of this activity?  If not,
don't worry, I'll get to it shortly and add a signature for the activity.

Max Vision
http://whitehats.com/

On Thu, 7 Sep 2000, Bob Van Cleef wrote:
> 
> What is special about Port 31790?
> 
> From the portscan logs...
> 
> Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.4:31789 UDP  
> Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.9:31789 UDP  
> Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.23:31789 UDP  
> Sep  6 04:54:16 163.121.86.13:31790 -> 192.86.6.95:31789 UDP  
> Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.4:31789 UDP  
> Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.2:31789 UDP  
> Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.9:31789 UDP  
> Sep  6 04:56:56 163.121.86.13:31790 -> 192.86.6.95:31789 UDP
> 
> Bob
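
An added example, not part of the original thread or of Snort: a small Python summarizer for portscan log lines in the format quoted above. It groups UDP 31790 -> 31789 packets by source and lists which hosts were hit more than once. The function names are hypothetical; it counts packets only and cannot tell a probe from a compromise.

```python
import re
from collections import Counter

# UDP port pair from the thread: source 31790, destination 31789.
HAT_SRC_PORT, HAT_DST_PORT = 31790, 31789

# Matches the portscan log format quoted in the thread.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Log lines copied from the quoted message.
SAMPLE_LOG = """\
Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.4:31789 UDP
Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.9:31789 UDP
Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.23:31789 UDP
Sep  6 04:54:16 163.121.86.13:31790 -> 192.86.6.95:31789 UDP
Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.4:31789 UDP
Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.2:31789 UDP
Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.9:31789 UDP
Sep  6 04:56:56 163.121.86.13:31790 -> 192.86.6.95:31789 UDP
"""

def summarize_hat_probes(log_text):
    """Return {source_ip: {"packets": n, "targets": Counter}} for matching packets."""
    summary = {}
    for line in log_text.splitlines():
        # Tolerate mail-quoted lines ("> Sep  6 ...") pasted straight from a reply.
        m = LINE_RE.match(line.lstrip("> ").strip())
        if not m or m["proto"] != "UDP":
            continue
        if (int(m["sport"]), int(m["dport"])) != (HAT_SRC_PORT, HAT_DST_PORT):
            continue
        entry = summary.setdefault(m["src"], {"packets": 0, "targets": Counter()})
        entry["packets"] += 1
        entry["targets"][m["dst"]] += 1
    return summary

def repeated_targets(entry):
    """Hosts that received the packet more than once from this source."""
    return sorted(h for h, n in entry["targets"].items() if n > 1)

if __name__ == "__main__":
    for src, entry in summarize_hat_probes(SAMPLE_LOG).items():
        print(src, entry["packets"], "packets,", len(entry["targets"]),
              "hosts; repeated:", repeated_targets(entry))
```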



