TCP port 27374 being scanned frequently.

TBP

Senior member
Feb 20, 2000
919
0
0
This port is used by the SubSeven Windows Remote Control Trojan. I checked everywhere but didn't find such a thing on my computer. Do you guys see a similar thing in your firewall logs?

Some samples here:

06/08/2001 16:55:39 Unrecognized access from (ool-18bac4a8.dyn.optonline.net) 24.186.196.168:1084 to TCP port 27374
06/08/2001 17:25:01 Unrecognized access from (c-70-39-res1.mts.net) 216.130.70.39:3260 to TCP port 27374
...
...
...

[Edit]deleted the long list to save some bandwidth :)
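The log lines above share one fixed format, so a defender can summarize them instead of eyeballing the list. The following Python is an added example, not code from the thread or from the poster's firewall product: it parses lines in that format (the two lines quoted above plus constructed ones) and separates a "sweep" (many sources hitting one port) from a "probe" (one source walking several ports), which is the distinction TBP is asking about. The threshold values and every sample address other than the two quoted ones are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown in the thread. The first two lines are
# the ones quoted in the post; the remaining entries are made up for the example
# (documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG = """\
06/08/2001 16:55:39 Unrecognized access from (ool-18bac4a8.dyn.optonline.net) 24.186.196.168:1084 to TCP port 27374
06/08/2001 17:25:01 Unrecognized access from (c-70-39-res1.mts.net) 216.130.70.39:3260 to TCP port 27374
06/08/2001 17:31:12 Unrecognized access from (unknown) 203.0.113.7:4112 to TCP port 27374
06/08/2001 17:40:55 Unrecognized access from (unknown) 198.51.100.23:1033 to TCP port 27374
06/08/2001 17:41:02 Unrecognized access from (unknown) 198.51.100.23:1034 to TCP port 139
06/08/2001 17:41:09 Unrecognized access from (unknown) 198.51.100.23:1035 to TCP port 21
this line is not a log entry and is skipped by the parser
"""

# One regex for the whole line; anything that does not match is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"\((?P<host>[^)]*)\) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
            "src": m["src"],
            "proto": m["proto"],
            "dport": int(m["dport"]),
        })
    return events


def sources_by_port(events):
    """Map each destination port to the set of source IPs that hit it."""
    out = defaultdict(set)
    for e in events:
        out[e["dport"]].add(e["src"])
    return out


def ports_by_source(events):
    """Map each source IP to the set of destination ports it touched."""
    out = defaultdict(set)
    for e in events:
        out[e["src"]].add(e["dport"])
    return out


def summarize_port(events, port):
    """Hit count, distinct sources and time span for one destination port."""
    hits = [e for e in events if e["dport"] == port]
    if not hits:
        return None
    times = sorted(e["time"] for e in hits)
    return {
        "hits": len(hits),
        "sources": len({e["src"] for e in hits}),
        "first": times[0],
        "last": times[-1],
    }


def classify(events, min_sources=3, min_ports=3):
    """Return (sweep_ports, probing_sources).

    A port hit by at least `min_sources` different addresses looks like a
    block-wide sweep for one service (random, not aimed at you). A source that
    touches at least `min_ports` different ports looks like a probe of this
    particular host. The thresholds are assumptions; tune them to your log volume.
    """
    sweep = {p for p, srcs in sources_by_port(events).items() if len(srcs) >= min_sources}
    probing = {s for s, ports in ports_by_source(events).items() if len(ports) >= min_ports}
    return sweep, probing


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize_port(evs, 27374))
    print(classify(evs))
```

On the constructed input, port 27374 is hit by four different sources (a sweep for the SubSeven port) while one address walks three ports, which is the pattern worth a second look.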
 

LANMAN

Platinum Member
Oct 10, 1999
2,898
128
106
Here is a page that might help you out a bit, but I found the following line somewhat interesting to your thread:

" If you find probes direct against ports normally not used, it may be someone trying to connect to a trojan inside your network. "

Here is the link if you want to see the rest of the page:

Odd Ports

--LANMAN
 

TBP

Senior member
Feb 20, 2000
919
0
0
Thanks LANMAN for the article. I was a little bit nervous, and now worse :). I'm wondering if people are getting a similar pattern of scanning (which means the scans are random), or if it's just me (at least one of my computers was/is infected).
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
TBP,

Are you with @Home? If so, what you're seeing is probably not specifically directed at you. @Home's IP address block is scanned 24 hours a day by hundreds of kiddies.

Russ, NCNE
 

HellDesk

Junior Member
Jun 17, 2001
8
0
0
You could see if there's a program (zombie or trojan) listening at that specific port.
If there is, isolate and get rid of it.

e.g. <netstat -na | find ":27374"> would give you all the services/progs listening on that specific internal port.

Don't let the bots bite..
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Scanning large networks (like the Internet) is commonplace. Script kiddiots will scan large sections of the net (i.e. @home's 24.0.0.0) just to see if ANYONE out there has a trojan listening on that port. If you have taken care of security well (stateful packet inspecting firewall (preferably hardware based, not software) with a software firewall on each host, an anti-virus program on each Windows machine, and tightened the permissions on those machines (or at least turned off file/print sharing for you Win9x people)) you shouldn't have to worry TOO much. Good luck, stay clean.
 

Slapstick

Golden Member
Oct 11, 1999
1,082
0
0
Just checked my router logs: over 100 scans so far this weekend looking for port 27374 to be open. Nothing new, I get about that many every weekend from people scanning blocks of @home addresses.
 

67gt500

Banned
Jun 17, 2001
412
0
0
tell you an interesting story while we're discussing odd ports...

this one isn't very odd, but on an NT server of mine a netstat -an | find ":6667" or 6668 brings up a listening ...

and I can't figure out what is listening. When I try to connect with a mIRC client from within the network I can't connect to anything.

Is there a program which will tell you what ports are listening on your machine and WHICH services are listening on that port?
 

TBP

Senior member
Feb 20, 2000
919
0
0
Yes, I'm using @HOME.

I checked all my machines. None of them has a service listening on that port, so I guess I'm OK now. Thanks
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
67GT500:
6667 may be an IRC bot. See Gibson Research and click on the link to the story about how his site was DoSed.

From what I remember, you should be concerned.

--Woodie
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
In the UNIX world we have lsof. There MAY be a port of this for win boxes. Check out cygwin (search for it on redhat.com). That may include the file. There has to be a program out there that does the same thing for windows machines though..
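HellDesk's netstat suggestion above finds out whether anything is bound to the port, and 67gt500's follow-up question is which program that is. On Unix, lsof -i :27374 or ss -ltnp already print the owning process. On Windows, netstat -ano (XP and later) prints the owning PID in a last column, and tasklist /FI "PID eq N" turns the PID into an image name. The following Python is an added example, not from the thread or from any of the tools named: it parses netstat -ano output and returns the listeners on a given port with their PIDs. The netstat text, PIDs and the listener on 27374 are all constructed for the example.

```python
# Constructed sample of Windows `netstat -ano` output (not captured from any
# machine in the thread). The PIDs and the listener on 27374 are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       1732
  TCP    192.168.1.5:1084       24.186.196.168:80      ESTABLISHED     2204
  TCP    [::]:135               [::]:0                 LISTENING       896
  UDP    0.0.0.0:500            *:*                                    1140
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) for every socket line.

    TCP rows have five whitespace-separated columns; UDP rows have no State
    column and therefore only four. Header and blank lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, _foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, _foreign, pid = parts
            state = ""  # UDP sockets carry no connection state
        else:
            continue  # unexpected layout; do not guess
        # rsplit handles both "1.2.3.4:80" and the IPv6 form "[::]:80"
        ip, port = local.rsplit(":", 1)
        rows.append((proto, ip, int(port), state, int(pid)))
    return rows


def find_listeners(text, port):
    """Return (proto, local_ip, pid) for sockets bound to `port` on this host.

    An outbound TCP connection whose *local* port happens to be `port` is not a
    listener, so TCP rows are kept only when their state is LISTENING.
    """
    out = []
    for proto, ip, lport, state, pid in parse_netstat(text):
        if lport != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        out.append((proto, ip, pid))
    return out


if __name__ == "__main__":
    # On a real Windows host: netstat -ano > ns.txt, then feed the file here and
    # look each PID up with: tasklist /FI "PID eq <pid>"
    for proto, ip, pid in find_listeners(SAMPLE_NETSTAT, 27374):
        print(f"{proto} {ip}:27374 is owned by PID {pid}")
```

Matching on the local port alone is not enough, which is why the ESTABLISHED row on local port 1084 is deliberately excluded; a grep for ":27374" would also match a harmless outbound connection whose ephemeral source port happened to be 27374.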
 

bomb99

Golden Member
Oct 12, 1999
1,565
0
0
How could I find out if someone is scanning my ports or not? I heard somewhere that @home provides a firewall for some of their service areas. Isn't it true that when you have a private network, they can't get to the clients, because only the server is visible to the outside (Internet)? I also heard that MS ICS provides firewall functions. How about NAT for WIN2K?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< How could I find out if someone is scanning my ports or not? I heard somewhere that @home provides a firewall for some of their service areas. Isn't it true that when you have a private network, they can't get to the clients, because only the server is visible to the outside (Internet)? I also heard that MS ICS provides firewall functions. How about NAT for WIN2K? >>



Don't bother with any solution they give you. First get Zone Alarm. That will help but it should not be your permanent solution. Do not fall for BlackIce, it sucks. (This is subject to opinion. Half the security people I have talked to like it and the other half hated it.) Zone Alarm + BlackIce would not be a bad temporary solution.

When you can (read as: ASAP), get a real firewall. By this I mean a separate computer (or hardware solution from a company that knows what they are doing) running the firewall as its ONLY service (maybe sshd). This firewall should have stateful packet inspection capabilities. A computer with Linux, OpenBSD (the best in my opinion, but more on that later), FreeBSD, or NetBSD running its firewall of choice (iptables/netfilter, ipf, ipfw, unknown respectively) will provide you with decent security if set up correctly. These machines can also provide NAT.

OpenBSD is in a state of transition right now. ipf has been removed due to licensing issues so -current is left without a firewall, although 2.9 -stable and -release are fine.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Bomb99
What solution you need is entirely dependent on your network architecture. The network is your first, and strongest, point of defense.

To detect if people are port-scanning you, you need some sort of Intrusion Detection System (IDS). There are a couple of free ones, mostly for *nix based systems. That is NOT the place to start, it's about the last thing to do, to complete a secured architecture.

First thing is, define the entry points to your network. Then put a firewall at each point, or consolidate all points to a single one, and firewall that. Which brand/version of fw depends on budget, exposure levels, what the value is of what you're trying to protect, and a host of other things.

n0cmonkey is right on, about NetworkIce. Half of us like it, half do not. I'll let you know where I stand, after spidey07 weighs in. ;) Also, @home is frequently scanned, because it's almost wide open, and the ISP doesn't really care about having clients hacked or trojaned. The client firewall is really non-existent.

--Woodie
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Bomb99
What solution you need is entirely dependent on your network architecture. The network is your first, and strongest, point of defense.

To detect if people are port-scanning you, you need some sort of Intrusion Detection System (IDS). There are a couple of free ones, mostly for *nix based systems. That is NOT the place to start, it's about the last thing to do, to complete a secured architecture.

First thing is, define the entry points to your network. Then put a firewall at each point, or consolidate all points to a single one, and firewall that. Which brand/version of fw depends on budget, exposure levels, what the value is of what you're trying to protect, and a host of other things.
>>



I have heard of decently secure networks that did not use firewalls, only IDS systems. I know I couldn't do this, but I guess some people can. Detecting scans is not a big deal, detecting breaches is however.

 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Port 27374 is way out of the range of commonly used ports (Telnet 23, HTTP 80), so I would suspect a trojan horse. I think anything over 200 is free rein for private use.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Port 27374 is way out of the range of commonly used ports (Telnet 23, HTTP 80), so I would suspect a trojan horse. I think anything over 200 is free rein for private use. >>



Nope, read the thread. And anything over 1024 has a chance of not being taken. Want over 200? I can paste /etc/services for you :)