Re: new exploit - ping/137/27374 ?

To: Daniel Stone <daniel@sfarc.net>
Cc: JonesMB <jonesmb@arthem.com>, debian-firewall@lists.debian.org
Subject: Re: new exploit - ping/137/27374 ?
From: "Ken Seefried" <ken@seefried.com>
Date: Sat, 30 Jun 2001 15:21:00 GMT
Message-id: <20010630152100.20067.qmail@mail.seefried.com>
In-reply-to: <20010630113425.A14656@sfarc.net>
References: <006501c0ffda$68b32c20$0600a8c0@logisys.ht> <20010628134230.A12491@dmcom.net> <3.0.6.32.20010629143019.00b29c00@arthem.com> <20010630113425.A14656@sfarc.net>

Daniel Stone writes:

On Fri, Jun 29, 2001 at 02:30:19PM -0500, JonesMB wrote:
is there a new exploit script that starts with a ping, followed by attempts
at connecting to port 137, followed by 27374.  I have seen a big increase
in this in my ipchains logs this week.
It's probably some l33t script kiddie tool that checks for both attacks.

Hmm...maybe, maybe not. I wonder if it is a new trojan. A long time ago Iwrote (for admin purposes, not hacking) a program that listened for aparticular set of ping packets which started it listening on a particularport. A connect attempt to that particular port spawned an xterm back to mymachine. Hard to find in a port scan and accedentally trigger. I wonder ifsomeone might have done something similar.Ken Seefried, CISSP

Reply to:

References:
- ipchains logging to console
  - From: "Philippe Clérié" <debian@gcal.net>
- Re: ipchains logging to console
  - From: Wayne Topa <wtopa@dmcom.net>
- new exploit - ping/137/27374 ?
  - From: JonesMB <jonesmb@arthem.com>
- Re: new exploit - ping/137/27374 ?
  - From: Daniel Stone <daniel@sfarc.net>

Prev by Date: simple router
Next by Date: Re: simple router
Previous by thread: Re: new exploit - ping/137/27374 ?
Next by thread: Re: new exploit - ping/137/27374 ?
Index(es):
- Date
- Thread