[Snort-users] Portscan - Port 31790

Bob Van Cleef vancleef at ...211...
Fri Sep 8 12:54:01 EDT 2000


On Thu, 7 Sep 2000, Max Vision wrote:

> These are known-default ports for the "Hack'a'Tack" trojan.  Since these
> are stateless packets it is difficult to tell whether these represent a
> simple probe, or actual full-blown compromise of your host.

The host 163.121.86.13 is not one of ours.  We are the ones on the 
receiving end (192.86.6.*).  I will attempt to contact their administrators.

> Another common version of this trojan is in the arachNIDS database:
> IDS289/trojan-active-hack-a-tack-2000  ( http://whitehats/com/IDS/289 )
> 
> Could you please forward any packet traces of this activity?  If not,
> don't worry I'll get to it shortly and add a signature for the activity.

Unfortunately, nothing was captured other than the entries in the portscan
logs...

Running snort as:
 /usr/local/bin/snort -d -c /usr/local/lib/snort/vision.conf -i eth0 

> 
> Max Vision
> http://whitehats.com/
> 
> On Thu, 7 Sep 2000, Bob Van Cleef wrote:
> > 
> > What is special about Port 31790?
> > 
> > From the portscan logs...
> > 
> > Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.4:31789 UDP  
> > Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.9:31789 UDP  
> > Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.23:31789 UDP  
> > Sep  6 04:54:16 163.121.86.13:31790 -> 192.86.6.95:31789 UDP  
> > Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.4:31789 UDP  
> > Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.2:31789 UDP  
> > Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.9:31789 UDP  
> > Sep  6 04:56:56 163.121.86.13:31790 -> 192.86.6.95:31789 UDP
> > 
> > Bob
> 

-- 
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...
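Since nothing but the portscan-preprocessor entries survived, the only triage possible is on those lines themselves. The following Python is an added example, not code from this thread, from Max Vision or from the Snort project: it parses the eight log lines quoted above, groups them by (source, protocol, source port, destination port), reports any source that hits several distinct internal hosts inside a short window, tags the UDP 31790 -> 31789 pair with the Hack'a'Tack label Max gives it, and then asks the one question stateless probe packets cannot answer on their own: did any of the probed hosts send something back from the probed port? The year (2000), the regular expression for the log layout, the label table and the extra reply line in `LOG_WITH_REPLY` are assumptions and constructed data, marked as such in the code.

```python
"""Triage a Snort 1.x portscan-preprocessor log for a trojan-port sweep.

Added example for the thread above; not Snort's own code. The log layout is
inferred from the quoted lines, the year is assumed (the log carries none),
and the trojan label comes only from the thread's statement about Hack'a'Tack.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# The eight lines quoted in the thread.
PORTSCAN_LOG = """\
Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.4:31789 UDP
Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.9:31789 UDP
Sep  6 04:54:15 163.121.86.13:31790 -> 192.86.6.23:31789 UDP
Sep  6 04:54:16 163.121.86.13:31790 -> 192.86.6.95:31789 UDP
Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.4:31789 UDP
Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.2:31789 UDP
Sep  6 04:56:55 163.121.86.13:31790 -> 192.86.6.9:31789 UDP
Sep  6 04:56:56 163.121.86.13:31790 -> 192.86.6.95:31789 UDP
"""

# CONSTRUCTED, not from the thread: the same sweep plus one line in which an
# internal host answers the scanner from the probed port. That reply is what
# a live trojan server would produce and what a probe of an idle port would not.
LOG_WITH_REPLY = PORTSCAN_LOG + "Sep  6 04:56:56 192.86.6.95:31789 -> 163.121.86.13:31790 UDP\n"

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Only the pair the thread names (assumed table; extend from your own reference).
TROJAN_SERVER_PORTS = {("UDP", 31790, 31789): "Hack'a'Tack (default ports)"}


def parse_line(line, year=2000):
    """Return one event dict, or None if the line is not a portscan record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"].upper()}


def find_sweeps(text, min_hosts=3, window=timedelta(seconds=60)):
    """One report per (src, proto, sport, dport) that reached >= min_hosts
    distinct destinations within any `window`-long interval."""
    by_key = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            by_key[(ev["src"], ev["proto"], ev["sport"], ev["dport"])].append(ev)
    report = []
    for (src, proto, sport, dport), events in by_key.items():
        events.sort(key=lambda e: e["ts"])
        burst, start = 0, 0                      # sliding window over sorted events
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            burst = max(burst, len({e["dst"] for e in events[start:end + 1]}))
        if burst < min_hosts:
            continue
        hosts = sorted({e["dst"] for e in events}, key=ip_address)
        report.append({"src": src, "proto": proto, "sport": sport, "dport": dport,
                       "hosts": hosts, "max_hosts_in_window": burst,
                       "first_seen": events[0]["ts"], "last_seen": events[-1]["ts"],
                       "label": TROJAN_SERVER_PORTS.get((proto, sport, dport), "unknown")})
    return report


def responders(text, sweep):
    """Probed hosts that sent a packet back to the scanner from the probed port.
    An empty list is not a clean bill of health: the preprocessor only logs
    what it classed as scan traffic, so a real reply may never appear here."""
    answered = set()
    for line in text.splitlines():
        ev = parse_line(line)
        if (ev and ev["src"] in sweep["hosts"] and ev["dst"] == sweep["src"]
                and ev["sport"] == sweep["dport"] and ev["dport"] == sweep["sport"]
                and ev["proto"] == sweep["proto"]):
            answered.add(ev["src"])
    return sorted(answered, key=ip_address)


if __name__ == "__main__":
    for log in (PORTSCAN_LOG, LOG_WITH_REPLY):
        for s in find_sweeps(log):
            print(f"{s['src']} {s['proto']} {s['sport']}->{s['dport']} [{s['label']}]: "
                  f"{len(s['hosts'])} hosts, {s['max_hosts_in_window']} within 60s, "
                  f"replied: {responders(log, s) or 'none seen'}")
```

Run against the thread's lines it reports one source sweeping five hosts, four of them inside a single second, on the Hack'a'Tack default pair, with no reply seen; only the constructed reply line turns 192.86.6.95 into a host worth pulling off the wire for a look, which is the distinction Max's "probe or compromise" remark is about.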
