From owner-freebsd-security Tue Jul 25 20:15:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.pinboard.com (mail.pinboard.com [194.209.195.7])
	by hub.freebsd.org (Postfix) with ESMTP id 5BD2737B636
	for ; Tue, 25 Jul 2000 20:15:30 -0700 (PDT)
	(envelope-from kurt@pinboard.com)
Received: (from uucp@localhost)
	by mail.pinboard.com (8.9.3/8.9.3/20000102-00-KK) with UUCP id FAA15223;
	Wed, 26 Jul 2000 05:15:27 +0200 (CEST)
	(envelope-from kurt@badger.pbdhome.pinboard.com (kurt@badger.pbdhome.pinboard.com))
	(client-IP )
Received: from badger.pbdhome.pinboard.com (badger.pbdhome.pinboard.com [192.168.0.6])
	by squirrel.pbdhome.pinboard.com (8.9.1/8.9.1-19980817-01/KK) with ESMTP id WAA00713;
	Tue, 25 Jul 2000 22:19:13 +0200 (CEST)
	(envelope-from: kurt@badger.pbdhome.pinboard.com)
Received: (from kurt@localhost)
	by badger.pbdhome.pinboard.com (8.9.3/8.9.3-bader.tmp-KK) id WAA00368;
	Tue, 25 Jul 2000 22:18:44 +0200 (CEST)
	(envelope-from kurt)
Date: Tue, 25 Jul 2000 22:18:44 +0200
From: kurt@pinboard.com
To: Stephen Hocking
Cc: security@FreeBSD.ORG
Subject: Re: Script kiddies and their port scans
Message-ID: <20000725221843.A328@pinboard.com>
References: <200007242314.SAA01912@bloop.craftncomp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <200007242314.SAA01912@bloop.craftncomp.com>; from shocking@houston.rr.com on Mon, Jul 24, 2000 at 06:14:09PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jul 24, 2000 at 06:14:09PM -0500, Stephen Hocking wrote:
> Checking the firewall logs I see various attempts to connect to rather unusual
> ports on my box - does anyone know what the following are?
> 27374

SubSeven v2.1 (windows trojan)

> 1243

SubSeven (windows trojan)

> 98 - This comes up as TACNEWS in /etc/services

linuxconf (linux configuration via web - sometimes on by default
without the admins knowing about it)

> 143

imap2 imap4 (mail server, some versions with known buffer overflows)

info about SubSeven:
http://www.sans.org/newlook/resources/IDFAQ/subseven.htm

useful URLs:
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
http://www.sans.org/y2k/ports.htm
http://www.simovits.com/nyheter9902.html

(I have some more, but only at the office. However, above is still
better than nothing.)

-- 
----------------------------------------------------------------------
: Kurt@pinboard.com    http://www.pinboard.com/        business      :
:                      http://kurt.www.pinboard.com/   private       :
----------------------------------------------------------------------
: Unix and Internet Specialist                                       :
----------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
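
An added example, not part of the original message: a small triage script that groups denied inbound TCP probes from a firewall log by source address and labels each destination port with the identification given in the reply above. The ipfw syslog line layout, the function name `summarize_probes` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Port labels as given in the reply above.
PORT_NOTES = {
    27374: "SubSeven v2.1 (windows trojan)",
    1243: "SubSeven (windows trojan)",
    98: "linuxconf (linux configuration via web)",
    143: "imap2/imap4 (mail server)",
}

# Assumed ipfw syslog layout:
#   ... ipfw: <rule> <action> TCP <src>:<sport> <dst>:<dport> in via <if>
IPFW_RE = re.compile(
    r"ipfw: \d+ (?P<action>\w+) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) in\b"
)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
Jul 24 17:58:01 fw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:1044 192.0.2.10:27374 in via ed0
Jul 24 17:58:02 fw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:1045 192.0.2.10:1243 in via ed0
Jul 24 18:03:40 fw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:2201 192.0.2.10:98 in via ed0
Jul 24 18:03:41 fw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:2202 192.0.2.10:143 in via ed0
Jul 24 18:10:12 fw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:2230 192.0.2.10:8080 in via ed0
Jul 24 18:11:00 fw /kernel: ipfw: 65000 Deny UDP 198.51.100.9:53 192.0.2.10:1030 in via ed0
"""

def summarize_probes(log_text):
    """Group denied inbound TCP probes by source; return {src: {dport: note}}."""
    by_source = defaultdict(dict)
    for line in log_text.splitlines():
        m = IPFW_RE.search(line)
        if not m or m.group("action") != "Deny":
            continue  # non-TCP, non-ipfw, or not a denied packet
        dport = int(m.group("dport"))
        # Ports the reply does not cover are kept, marked for manual lookup.
        by_source[m.group("src")][dport] = PORT_NOTES.get(dport, "unlisted - look up")
    return dict(by_source)

if __name__ == "__main__":
    for src, ports in summarize_probes(SAMPLE_LOG).items():
        print(src)
        for dport, note in sorted(ports.items()):
            print(f"  {dport:>5}  {note}")
```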