See, the problem with saying this is this or that based on static port
assignment is that it makes a huge assumption: it assumes that either
the attacker is using a program that does not allow him to change the
port, or, if he is using one that does, he decided not to change it. You
should not make an assumption or underestimate the situation. So
when people write to the list I always (and I think most
professionals will agree with me on this) tell them they have to
identify and investigate what process is bound to the port. It is
always nice to do a little investigation and see what port is
registered or if a Trojan port is listed in a database, but in the end
you have to identify both the process and related DLLs and hopefully
sniff some traffic to or from it.
Hope that clears it up for a lot of people (it seems like a lot of people
get confused on this point, i.e. getting bogged down in this port or
that).

Regards,

Leon
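The check Leon describes (identify the process bound to the port and the DLLs it has loaded, rather than trusting the port number) as an added example that is not code from this thread: a small stdlib-only Python script that joins `netstat -ano` output with `tasklist /FO CSV /M` output, which is the same port-to-process mapping Fport produced. Both `netstat -o` and `tasklist` arrived with Windows XP, which is why Win2K needed Fport; the sample listings, PIDs, ports and image names below are constructed for this example.

```python
import csv
# Constructed sample of `netstat -ano` output; PIDs and ports are invented.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:32000          0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:32001          0.0.0.0:0              LISTENING       1504
  TCP    10.0.0.5:1042          10.0.0.9:80            ESTABLISHED     1120
  UDP    0.0.0.0:500            *:*                                    612
"""
# Constructed sample of `tasklist /FO CSV /M` output; image names are invented.
TASKLIST_SAMPLE = """\
"Image Name","PID","Modules"
"svchost.exe","392","ntdll.dll,kernel32.dll,rpcrt4.dll"
"updater.exe","1504","ntdll.dll,kernel32.dll,ws2_32.dll"
"""

def listening_ports(netstat_text):
    """Map (proto, port) -> owning PID for every listening socket."""
    result = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header, blank and "Active Connections" lines
        port = int(f[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:port
        if f[0] == "TCP":
            if len(f) != 5 or f[3] != "LISTENING":
                continue  # skip ESTABLISHED / TIME_WAIT etc.
            pid = int(f[4])
        else:
            pid = int(f[3])  # UDP rows have no State column
        result[(f[0], port)] = pid
    return result

def process_table(tasklist_csv):
    """Map PID -> (image name, list of loaded modules)."""
    table = {}
    for row in csv.DictReader(tasklist_csv.splitlines()):
        mods = [m.strip() for m in row["Modules"].split(",") if m.strip()]
        table[int(row["PID"])] = (row["Image Name"], mods)
    return table

def attribute_ports(netstat_text, tasklist_csv):
    """Join both listings: owner image and loaded DLLs for each listener."""
    procs = process_table(tasklist_csv)
    report = {}
    for key, pid in listening_ports(netstat_text).items():
        image, mods = procs.get(pid, ("<pid not in tasklist>", []))
        report[key] = {"pid": pid, "image": image, "modules": mods}
    return report
```

A listener whose owning PID is missing from the process list, or whose image and module set do not match a known service, is the thing to investigate next; the port number itself decides nothing.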

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, November 24, 2001 5:22 AM
To: 'Richard Feaver'; [EMAIL PROTECTED]
Cc: leon
Subject: RE: WIN2K Ports 32000 & 32001 Open ?


http://www.simovits.com/trojans/tr_data/y358.html



"leon" <[EMAIL PROTECTED]>
11/23/2001 09:53 PM
To: "'Richard Feaver'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
Subject: RE: WIN2K Ports 32000 & 32001 Open ?


Why don't you get Fport or Vision from foundstone.com and track down
the process that is bound to the port?


Regards,

Leon

-----Original Message-----
From: Richard Feaver [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 5:38 AM
To: [EMAIL PROTECTED]
Subject: WIN2K Ports 32000 & 32001 Open ?

Greets all,

Recently, checking one of our Win2k boxes, I found ports 32000 and 32001
open and listening for connections. Checking Google I failed to find much
concerning port 32000, but I did find a trojan called "Donald Dick" which
apparently runs on port 32001. I've checked official application port
listings and those port numbers are not registered, so I can only assume
it's a trojan of some sort.

Has anyone else had any experience with these port numbers, or could
offer any more advice as to how to track down exactly what it is and how I
could go about curing the problem? I tried a reboot as well, but they were
still open on restart.

thank you,

rich
