P2P-Zone  

Old 05-01-04, 04:39 AM   #1
Snarkridden
OpenNap Server Operator
Join Date: Jan 2002
Location: U.K
Posts: 401
Is this something we should be aware of?

Over the last few weeks, I have become aware of a considerable increase in firewall hits for port 17300, maybe 10 per hour or so.

Tracking a few back reveals no specific common site, but one was registered to "UA" "universal", which to me sounds like one of the video or film companies.

My suspicions are aroused because of this common port; it bears a resemblance to previous "worm" attacks where a trojan is waiting for a trigger on a specific port, this trojan having been loaded during site browsing or downloading dodgy files.

Could it be that certain parties are trying new tricks to get evidence? Anyone else notice similarities in their log files?

ZoneAlarm just reports it as blocked and of medium risk!!

Snark.
Old 05-01-04, 05:31 AM   #2
goldie
yea, it's me.
Join Date: Jan 2002
Location: usa
Posts: 2,093

lo there


Be careful Snark......
Old 05-01-04, 05:40 AM   #3
napho
Dawn's private genie
Join Date: May 2001
Location: the Canadian wasteland
Posts: 4,461

Since a lot of trojans seem to use this port there are scanners that people use to find infected machines. I don't know exactly what they do when they find them, but if you're not infected then I guess those hits won't do much.
You should check out one of those Peer Guardian type sites. They seem to make a life's work out of these kinds of things.
Old 05-01-04, 01:31 PM   #4
AweShucks
Just Looking Around
Join Date: Jan 2002
Location: Right here!!!
Posts: 341

If you have a static IP it is actually very common for "known trojan ports" to get a lot of hits, especially when on any p2p network.
At one time I got so many hits I simply turned off the prompts and locked everything down as tight as I could.

Depending on how paranoid you are, you can create rules that block all known trojan ports, which takes some time. But there are a few groups out there, like Napho said, that make a life's work out of these things. Oftentimes you can download/view actual rule sets for your firewall to simplify the process.

Disable simple things like ping commands etc. with your firewall that you may not need and that easily give you away.

Buy hardware protection if you don't already..... a router is a good, simple and inexpensive firewall that is very effective against random scans etc.

Remembering the whole time that nothing is secure: if someone really wants in they will probably get in.
__________________
"What country can preserve its liberties if their rulers are not warned from time to time that their people preserve the spirit of resistance. Let them take arms." - Thomas Jefferson
Old 05-01-04, 01:48 PM   #5
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

hi snark,

the only thing i've heard of lately is the msn Jitux.A worm and it's not causing much damage, mainly because it isn't affecting many machines.

- js.
Old 05-01-04, 04:29 PM   #6
petriburg
Registered User
Join Date: Jan 2002
Location: Sydney, Australia
Posts: 307

Hi Snark! Another thing you could do is check on your own system's security - go to www.grc.com for a free checkup - it doesn't take long, and will give you greater peace of mind.
__________________
petri

"You are old, father William," the young man said,
"And your hair has become very white;
And yet you incessantly stand on your head -
Do you think, at your age, it is right?"
Lewis Carroll.
Old 05-01-04, 11:52 PM   #7
ONEMANBANNED
Push "winky" ! Push!!!
Join Date: Mar 2000
Location: north
Posts: 3,529

GRC Port Authority Report created on UTC: 2004-01-06 at 05:45:58

Results from scan of ports: 0-1055

0 Ports Open
1 Ports Closed
1055 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

This is good no?

This is bad yes? -> Port Authority Database

Port 1337
Name: menandmice-dns
Purpose: menandmice DNS
Description:
Related Ports:
Background and Additional Information:
Trojan Sightings: Shadyshell
Old 06-01-04, 01:24 AM   #8
multi
Thanks for being with arse
Join Date: Jan 2002
Location: The other side of the world
Posts: 10,343

http://www.stumbleupon.com/url/www.m...ted_links.html
http://www.menandmice.com/DNS-training/

if it's to do with that place (which it looks like)
it doesn't appear to be anything to worry too much about
that I can see..
they seem to do a lot of stuff with DNS

maybe you had a certain program running when you did that test?

__________________

i beat the internet
- the end boss is hard

Last edited by multi : 06-01-04 at 01:49 AM.
Old 06-01-04, 06:35 AM   #9
AweShucks
Just Looking Around
Join Date: Jan 2002
Location: Right here!!!
Posts: 341

Quote:
Originally posted by ONEMANBANNED

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

This is good no?

No ports open is good; true stealth is the best...... Port 113 is often the hardest to stealth; surprisingly, it is rarely needed. If you are behind a router you can simply forward that port to an IP that doesn't exist, like 192.168.1.212 or something, and then the port will stealth and you will 99% most likely not have any adverse effects while browsing the web. Some firewalls have a difficult time handling port 113; read more here http://grc.com/port_113.htm
Unless you use PING I would at least suggest blocking the outgoing reply from your machine.

Here's mine:

GRC Port Authority Report created on UTC: 2004-01-06 at 12:35:52

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.


Scans like GRC are good to a point, but almost all scans only scan the most common ports, mainly because it would just consume too much bandwidth and take too long to hit all 60,000+ ports. Sygate offers a Trojan port scan and a few others to check a few more port ranges http://scan.sygatetech.com/
__________________
"What country can preserve its liberties if their rulers are not warned from time to time that their people preserve the spirit of resistance. Let them take arms." - Thomas Jefferson
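The two GRC reports above (posts #7 and #9) differ in exactly the two things this reply explains: a port that answered with a reset (CLOSED, here 113) and a host that answered ICMP echo. The following is an added example, not code from the thread or from GRC, that parses a report of that shape and turns those findings into the checks a firewall operator would act on; the count lines, the "found to be CLOSED was:" sentence and the TruStealth lines follow the two reports as posted, while the plural wording for several ports ("were: 113, 135") and the wording used when unsolicited packets are seen are assumptions.

```python
import re

# Two GRC "Port Authority" reports copied from the thread above, used as sample input.
REPORT_FAILED = """\
GRC Port Authority Report created on UTC: 2004-01-06 at 05:45:58

Results from scan of ports: 0-1055

0 Ports Open
1 Ports Closed
1055 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

REPORT_PASSED = """\
GRC Port Authority Report created on UTC: 2004-01-06 at 12:35:52

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
"""


def _port_list(text, state):
    # Matches "The port found to be CLOSED was: 113"; the plural form
    # "The ports found to be CLOSED were: 113, 135" is assumed, not seen on the page.
    m = re.search(rf"found to be {state} (?:was|were): ([\d, ]+)", text)
    return [int(p) for p in m.group(1).split(",")] if m else []


def parse_report(text):
    counts = {}
    for state in ("Open", "Closed", "Stealth", "Tested"):
        m = re.search(rf"^(\d+) Ports {state}$", text, re.M)
        counts[state.lower()] = int(m.group(1)) if m else 0
    verdict = re.search(r"TruStealth: (PASSED|FAILED)", text)
    return {
        "counts": counts,
        "open_ports": _port_list(text, "OPEN"),      # SYN/ACK came back: something listens
        "closed_ports": _port_list(text, "CLOSED"),  # RST came back: host is visible
        "ping_reply": re.search(r"^- A PING REPLY", text, re.M) is not None,
        # Assumption: when unsolicited packets are seen, the "NO unsolicited" line is absent.
        "unsolicited": re.search(r"^- NO unsolicited packets", text, re.M) is None,
        "trustealth": verdict.group(1) if verdict else "UNKNOWN",
        # Open, closed and stealth partition the scanned range; a mismatch means truncated text.
        "consistent": sum(counts[k] for k in ("open", "closed", "stealth")) == counts["tested"],
    }


def recommendations(report):
    """Defender's reading of the report: one note per finding that needs a firewall change."""
    notes = []
    for port in report["open_ports"]:
        notes.append(f"port {port} accepts connections: confirm a service is meant to be reachable")
    for port in report["closed_ports"]:
        if port == 113:
            notes.append("port 113 (ident) answers with RST: drop it, or forward it to an unused LAN address")
        else:
            notes.append(f"port {port} answers with RST: drop instead of reject so the host stays silent")
    if report["ping_reply"]:
        notes.append("host answers ICMP echo: block inbound echo requests or the outbound echo reply")
    if report["unsolicited"]:
        notes.append("unsolicited packets reached the scanner: look for software calling out from the host")
    if not report["consistent"]:
        notes.append("port counts do not add up: the report text is incomplete")
    return notes


if __name__ == "__main__":
    for name, text in (("failed", REPORT_FAILED), ("passed", REPORT_PASSED)):
        rep = parse_report(text)
        print(name, rep["trustealth"], rep["counts"])
        for note in recommendations(rep):
            print("  -", note)
```

The distinction the parser preserves is the one the reply is making: a CLOSED port proves there is a host at the address that bothered to send a reset, whereas STEALTH means the probe was silently dropped, which is why the forward-113-to-nowhere trick turns a closed result into a stealth one.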
Old 06-01-04, 07:16 PM   #10
Drakonix
Just Draggin' Along
Join Date: Apr 2000
Posts: 1,210

My recent "interesting" hits:

Rejected: 209.132.98.144 - Web Sense (10-25-2003 @ 13:50:02)
Rejected: 216.35.71.120 - Overpeer ( see comments) (10-25-2003 @ 14:54:40)
Rejected: 216.35.71.105 - Overpeer ( see comments) (10-25-2003 @ 14:54:40)

Rejected: 66.35.229.177 - GainCME (Spyware) (11-06-2003 @ 09:45:31)
Rejected: 66.35.229.177 - GainCME (Spyware) (11-06-2003 @ 09:48:20)

Rejected: 216.35.71.105 - Overpeer ( see comments) (11-13-2003 @ 21:21:13)
Rejected: 216.35.71.120 - Overpeer ( see comments) (11-13-2003 @ 21:21:13)
Rejected: 216.35.71.105 - Overpeer ( see comments) (11-13-2003 @ 21:21:35)
Rejected: 216.35.71.120 - Overpeer ( see comments) (11-13-2003 @ 21:21:35)
Rejected: 216.35.71.105 - Overpeer ( see comments) (11-13-2003 @ 21:21:43)
Rejected: 216.35.71.120 - Overpeer ( see comments) (11-13-2003 @ 21:21:43)

Rejected: 64.49.221.202 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:25)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.213 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.213 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.213 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)

Rejected: 209.132.98.144 - Web Sense (11-20-2003 @ 22:02:56)

Rejected: 216.35.71.105 - Overpeer ( see comments) (12-01-2003 @ 12:12:08)
Rejected: 216.35.71.120 - Overpeer ( see comments) (12-01-2003 @ 12:12:08)
Rejected: 216.35.71.105 - Overpeer ( see comments) (12-01-2003 @ 12:12:13)
Rejected: 216.35.71.120 - Overpeer ( see comments) (12-01-2003 @ 12:12:13)

Rejected: 64.49.219.163 - Rackspace.com (BigChampagne Host) split (12-02-2003 @ 00:05:06)
Rejected: 64.49.219.163 - Rackspace.com (BigChampagne Host) split (12-02-2003 @ 00:06:34)

Rejected: 64.32.234.22 - IRMA (Mail) (12-05-2003 @ 15:39:39)

Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 12:36:44)
Rejected: 207.155.252.18 - NetPD (12-11-2003 @ 14:02:12)
Rejected: 207.155.252.72 - NetPD (12-11-2003 @ 14:02:13)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:28:58)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:38:18)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:38:28)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:44:01)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:50:20)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:55:41)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:03:49)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:08:43)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:28:07)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:38:33)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:43:27)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:49:57)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:53:37)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 15:59:31)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 16:05:19)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 16:06:44)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 16:14:22)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 16:16:46)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 16:25:57)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 16:33:11)
Rejected: 64.32.234.22 - IRMA (Mail) (12-11-2003 @ 18:26:57)

Rejected: 216.35.71.120 - Overpeer ( see comments) (12-15-2003 @ 21:04:20)
Rejected: 216.35.71.105 - Overpeer ( see comments) (12-15-2003 @ 21:04:20)


Rejected: 149.101.1.32 - US Department of Justices (12-17-2003 @ 13:41:48)
Rejected: 149.101.1.32 - US Department of Justices (12-17-2003 @ 13:42:33)
Rejected: 149.101.1.32 - US Department of Justices (12-17-2003 @ 13:42:40)


Rejected: 205.150.75.137 - CAAST.org (12-23-2003 @ 19:36:07)
Rejected: 205.150.75.137 - CAAST.org (12-23-2003 @ 19:39:30)


Rejected: 216.194.228.23 - IDSA (12-24-2003 @ 10:42:22)

Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:16:31)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:16:56)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:17:10)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:17:20)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:17:28)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:17:42)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:17:47)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:18:04)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:18:11)
Rejected: 64.49.242.119 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:19:14)
Rejected: 64.49.229.188 - Rackspace.com (BigChampagne Host) split (12-25-2003 @ 13:34:55)

Rejected: 66.35.229.241 - GainCME (Spyware) (12-26-2003 @ 07:02:12)
Rejected: 66.35.229.241 - GainCME (Spyware) (12-26-2003 @ 07:03:00)
Rejected: 66.35.229.241 - GainCME (Spyware) (12-26-2003 @ 07:03:00)
Rejected: 66.79.168.160 - MediaDefender (12-26-2003 @ 07:03:22)
Rejected: 66.79.168.160 - MediaDefender (12-26-2003 @ 07:03:23)
Rejected: 66.79.168.160 - MediaDefender (12-26-2003 @ 07:03:23)
Rejected: 66.79.168.160 - MediaDefender (12-26-2003 @ 07:03:24)
Rejected: 66.79.168.160 - MediaDefender (12-26-2003 @ 07:03:25)
Rejected: 66.79.168.160 - MediaDefender (12-26-2003 @ 07:03:25)

Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 08:32:34)
Rejected: 192.150.20.32 - Adobe Systems Inc. (12-31-2003 @ 21:07:01)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:08:04)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:09:05)
Rejected: 192.150.20.32 - Adobe Systems Inc. (12-31-2003 @ 21:10:07)
Rejected: 192.150.19.32 - Adobe Systems Inc. (12-31-2003 @ 21:11:08)
Rejected: 192.150.20.32 - Adobe Systems Inc. (12-31-2003 @ 21:12:10)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:13:11)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:14:13)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:15:15)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:16:16)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:17:17)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:18:32)
Rejected: 192.150.19.32 - Adobe Systems Inc. (12-31-2003 @ 21:19:33)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:20:35)
Rejected: 192.150.19.32 - Adobe Systems Inc. (12-31-2003 @ 21:21:36)

Rejected: 192.150.14.120 - Adobe Systems Inc. (01-02-2004 @ 08:54:42)
Rejected: 192.150.18.32 - Adobe Systems Inc. (01-02-2004 @ 08:54:44)
Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 08:55:45)

Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 11:27:42)
Rejected: 192.150.18.32 - Adobe Systems Inc. (01-02-2004 @ 11:28:44)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 11:29:45)
Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 11:30:47)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:15:52)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:16:54)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:17:55)
Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 13:18:56)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:19:58)
Rejected: 192.150.20.33 - Adobe Systems Inc. (01-02-2004 @ 13:20:59)
Rejected: 192.150.18.32 - Adobe Systems Inc. (01-02-2004 @ 13:22:01)
Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 13:23:02)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:25:10)
Rejected: 192.150.20.32 - Adobe Systems Inc. (01-02-2004 @ 13:26:12)
Rejected: 192.150.20.32 - Adobe Systems Inc. (01-02-2004 @ 13:27:13)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:28:15)
Rejected: 192.150.19.32 - Adobe Systems Inc. (01-02-2004 @ 13:29:16)
Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 13:30:18)
Rejected: 192.150.20.33 - Adobe Systems Inc. (01-02-2004 @ 13:31:19)
Rejected: 192.150.18.33 - Adobe Systems Inc. (01-02-2004 @ 13:32:21)

Rejected: 63.236.94.39 - Take Two Interactive (01-06-2004 @ 13:14:38)
__________________
Copyright means the copy of the CD/DVD burned with no errors.

I will never spend another dime on content that I can't use the way I please. If I can't copy it to my hard drive and play it using the devices I want, when and where I want, I won't be buying it. Period. They can all take their DRM, broadcast flags, rootkits, and Compact Discs that aren't really compact discs and shove them up their bottom-lines.
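Drakonix's list is the raw output of a blocklist-style firewall, and the interesting questions for a defender are the ones that are hard to answer by eye: which labels account for most of the noise, which sources hit in bursts (the MediaDefender run on 12-11-2003, the identical BigChampagne lines at one second), and which lines are exact duplicates. The following is an added example, not code from the post or from any firewall vendor, that parses records in the "Rejected: <ip> - <label> (<MM-DD-YYYY> @ <HH:MM:SS>)" shape shown above and answers those questions; the regular expression is my assumption about that format, and the sample input is a constructed subset of the posted lines plus one deliberately malformed line.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed record format, following the lines posted above; the label may itself
# contain parentheses ("Overpeer ( see comments)"), so it is matched lazily and the
# timestamp in its own parentheses is anchored to the end of the line.
LINE_RE = re.compile(
    r"^Rejected: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<label>.+?) "
    r"\((?P<ts>\d{2}-\d{2}-\d{4} @ \d{2}:\d{2}:\d{2})\)$"
)
TS_FORMAT = "%m-%d-%Y @ %H:%M:%S"

# Constructed sample: a subset of the posted lines, plus one junk line to show
# that unparseable records are skipped rather than aborting the run.
SAMPLE_LOG = """\
Rejected: 209.132.98.144 - Web Sense (10-25-2003 @ 13:50:02)
Rejected: 216.35.71.120 - Overpeer ( see comments) (10-25-2003 @ 14:54:40)
Rejected: 216.35.71.105 - Overpeer ( see comments) (10-25-2003 @ 14:54:40)
Rejected: 64.49.221.202 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:25)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 64.49.221.198 - Rackspace.com (BigChampagne Host) split (11-19-2003 @ 09:52:26)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 12:36:44)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:28:58)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:38:18)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:38:28)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:44:01)
Rejected: 66.79.165.61 - MediaDefender (12-11-2003 @ 14:50:20)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:08:04)
Rejected: 192.150.18.32 - Adobe Systems Inc. (12-31-2003 @ 21:09:05)
Rejected: 192.150.20.32 - Adobe Systems Inc. (12-31-2003 @ 21:10:07)
this line is not a firewall record and must be skipped
"""


class Hit(NamedTuple):
    ip: str
    label: str
    ts: datetime


def parse_log(text):
    """Parse every well-formed record; silently skip lines that do not match."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append(Hit(m["ip"], m["label"], datetime.strptime(m["ts"], TS_FORMAT)))
    return hits


def hits_per_label(hits):
    """How much of the noise each blocklist entry accounts for."""
    return Counter(h.label for h in hits)


def max_hits_in_window(hits, window=timedelta(minutes=15)):
    """For each source IP, the most hits seen inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h.ip].append(h.ts)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            if j < i:
                j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)  # hits in [times[i], times[i] + window]
        peaks[ip] = best
    return peaks


def flag_bursty(hits, threshold=3, window=timedelta(minutes=15)):
    """Sources that hammered the host: at least `threshold` hits within one window."""
    return sorted(ip for ip, n in max_hits_in_window(hits, window).items() if n >= threshold)


def duplicate_records(hits):
    """Exact repeats (same IP, label and second), as in the BigChampagne lines above."""
    return {h: n for h, n in Counter(hits).items() if n > 1}


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print(f"{len(hits)} records parsed")
    for label, n in hits_per_label(hits).most_common():
        print(f"{n:3d}  {label}")
    print("bursty sources:", flag_bursty(hits))
    for h, n in duplicate_records(hits).items():
        print(f"{n}x identical: {h.ip} {h.label} {h.ts}")
```

The burst check is the useful one for the original question in this thread: a scanner sweeping a port range shows up as many hits from one source inside a short window, while a slow trickle of one hit every few minutes from changing sources is the background noise AweShucks describes, and the two call for different responses.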
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)