[Snort-users] Port 10008/tcp ?

Jason Lewis jlewis at ...1831...
Tue May 15 21:54:19 EDT 2001


This is from the Incidents list at Securityfocus.com

On Tue, 15 May 2001, Joerg Weber wrote:

> my FW-Logs went insane last night with gazillions of connection attempts to
> port 10008.
> FW-1 does unfortunately not log dropped packets, so I've no idea about flags
> et al, but the scan looks like this:
> SourcePort = Increases with each scan
> DestPort   = 10008

I got some scans on port 10008 as well.  The really odd thing is this.  If
you port scan them back, you'll find that on some high TCP port, if you
connect and send a few newlines, it'll reply with a uuencoded cheese.tgz
file.  I took a very brief look at the contents of cheese.tgz.  The
comments say it's a cleaner, written to remove root shells from
inetd.conf.  There's a lot more than that in the code though.  Looks like a
trojan that's really a scanner.

Jason Lewis
http://www.packetnexus.com
"All you can do is manage the risks. There is no security."




-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bunter,
Matthew
Sent: Tuesday, May 15, 2001 12:26 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Port 10008/tcp ?


Just in case you did a typo (not accusing you or anything)
10007 is for mvs capacity and 10080 is for something called amanda
Nothing for 10007

Matt

> -----Original Message-----
> From:	Tudor Panaitescu [SMTP:tpanaitescu at ...2032...]
> Sent:	15 May 2001 16:46
> To:	snort-users at lists.sourceforge.net
> Subject:	[Snort-users] Port 10008/tcp ?
>
> Hello everyone !
>
> Does anybody know what is this port, 10008/tcp for ?
>
> I've got some attempts, always 2 at a time from the same source address.
>
> TIA,
> Tudor
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
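
The scan pattern reported at the top of this thread (repeated connections to 10008/tcp from one source, with the source port increasing on each attempt) can be picked out of connection logs. The following is an added example, not part of the original posts; the log line format, the sample addresses and the function names are constructed assumptions and do not reflect FW-1's own log format.

```python
import re
from collections import defaultdict

# Constructed sample, assumed "time src:sport -> dst:dport proto" format.
SAMPLE_LOG = """\
2001-05-15T02:10:01 192.0.2.10:1044 -> 198.51.100.5:10008 tcp
2001-05-15T02:10:02 192.0.2.10:1045 -> 198.51.100.6:10008 tcp
2001-05-15T02:10:02 203.0.113.7:4021 -> 198.51.100.5:80 tcp
2001-05-15T02:10:03 192.0.2.10:1047 -> 198.51.100.7:10008 tcp
garbled line from a truncated write
2001-05-15T02:10:04 192.0.2.10:1050 -> 198.51.100.8:10008 tcp
2001-05-15T02:11:30 203.0.113.7:3500 -> 198.51.100.5:10008 tcp
2001-05-15T02:11:31 203.0.113.7:3499 -> 198.51.100.5:10008 tcp
2001-05-15T02:12:00 203.0.113.200:2001 -> 198.51.100.5:10008 tcp
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"^(\S+) ({IP}):(\d+) -> ({IP}):(\d+) (\w+)$")

def parse(log):
    """Yield (time, src, sport, dst, dport, proto); skip unparseable lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, proto = m.groups()
            yield ts, src, int(sport), dst, int(dport), proto.lower()

def find_scanners(log, port=10008, min_attempts=2):
    """Report sources with >= min_attempts TCP connections to `port`, and
    whether their source port rose on every attempt (the reported pattern)."""
    by_src = defaultdict(list)
    for ts, src, sport, dst, dport, proto in parse(log):
        if proto == "tcp" and dport == port:
            by_src[src].append((ts, sport, dst))
    findings = {}
    for src, hits in by_src.items():
        if len(hits) < min_attempts:
            continue
        hits.sort(key=lambda h: h[0])  # ISO timestamps sort chronologically
        sports = [sport for _, sport, _ in hits]
        findings[src] = {
            "attempts": len(hits),
            "targets": len({dst for _, _, dst in hits}),
            "sport_increasing": all(b > a for a, b in zip(sports, sports[1:])),
        }
    return findings

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The default threshold of 2 matches the "2 at a time from the same source address" report; raise `min_attempts` to keep only the heavier scanners.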
