Solved

port scan

Posted on 2003-11-09
3,133 Views
Last Modified: 2013-12-04
Hello,

Lately I have been receiving port scans and connection attempts to my computer's port 27374, I mean a lot. I use ZoneAlarm Pro so they're all blocked, but I have been receiving tons of them, sometimes one every minute or more for like 10-45 minutes straight, and they are always from different IP addresses; I don't think even one of the numerous times has been the same (I try to keep track of all the IP addresses that scan me, I have quite the list). Anyway, what is the deal with this? I know that this is the default port for all of the SubSeven trojan variants, but why all of a sudden would I be getting all of these scans for this port? Usually it's port 80 for people looking for open web servers. The ZoneAlarm security alert pop-ups are getting quite annoying; I know I can shut them off, but I like to know what's going on. Is there some big contest going on about who can scan port 27374 the most or what? Has anyone been noticing this at all?

I went looking around on my computer for trojans, although I'm careful about what I download and everything gets scanned with Norton first before getting opened, and found nothing in the registry or various boot files (win.ini etc.) and the Startup folder. Is there any reason why someone would believe that I'm infected and would try to scan me for it, like something I did without knowing it? I asked this question somewhere else and got the "port scans are not uncommon and if ZoneAlarm is blocking it all then you shouldn't be concerned" answer, but I've been online for quite some time and never had a wave of port scans to the same port by so many different people before. I'm interested in computer security, so this makes me scratch my head. Any insights on this would be appreciated.

Best regards,
neversleeps
Question by:neversleeps
10 Comments
 
LVL 5

Accepted Solution

by:
juliancrawford earned 38 total points
ID: 9710937
Port 27374 - SubSeven

27374 is one of the default ports of the BackDoor-G2.svr.gen trojan, more commonly known as SubSeven. It is the current (as of May 2001) trojan of choice for most DDoS attacks and clone attacks on specific services, such as IRC. Scans of this port are often accompanied by scans of port 1243, another default SubSeven port of older versions.

For a good summary of SubSeven, see Symantec's SubSeven Page.
http://www.symantec.com/avcenter/venc/data/backdoor.subseven.html

You can block this port using an IPsec policy:
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp

LVL 32

Assisted Solution

by:Luc Franken
Luc Franken earned 37 total points
ID: 9713691
A Quick & Easy Check for IRC Zombie/Bots

All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".

Consequently, an active connection to an IRC server can be detected with the following command:

netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
 
TCP   192.168.1.101:1026   70.13.215.89:6667  ESTABLISHED
 . . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:


netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
 
TCP     0.0.0.0:113     0.0.0.0:0     LISTENING
 . . . then it's probably time to pull the plug on your cable-modem!  

Taken from http://grc.com/dos/grcdos.htm. If you get one of these messages, you have a bot running (they can use any port; that's what people are looking for). Use an up-to-date virus scanner and spyware remover.

LucF

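Luc Franken's two netstat checks and the default-port list in the accepted answer can be combined into one script that parses netstat output instead of eyeballing it. The following is an added example and not code from the original thread or from grc.com: it reads text in the format `netstat -an` prints on Windows, flags an ESTABLISHED connection to an IRC port, an Ident server LISTENING on local port 113, and anything bound to the SubSeven defaults 27374/1243. The sample netstat text is constructed (it reuses the two example lines from Luc's post and adds made-up rows); the extra IRC ports 6660-6669 and 7000, the address 10.0.0.5, and all function names are assumptions made here. The comments on the Entry fields also answer what the next comment asks: a local address of 0.0.0.0 means the port is bound on all interfaces, 127.0.0.1 is the loopback interface (the machine talking to itself), and UDP rows have no foreign address or state because UDP has no connections.

```python
"""Flag IRC-bot and SubSeven indicators in Windows `netstat -an` output.

Added example for this thread; not code from the original posts or from
grc.com. It applies the two checks from Luc Franken's post (an ESTABLISHED
connection to an IRC port, an Ident server LISTENING on local port 113)
plus a check for the SubSeven default ports named in the accepted answer.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 6667 is the IRC default the post describes. The neighbouring 6660-6669
# and 7000 are an assumption added here, since the post itself notes that
# an IRC server can run on a non-default port.
IRC_PORTS = set(range(6660, 6670)) | {7000}
IDENT_PORT = 113
SUBSEVEN_PORTS = {27374, 1243}   # defaults named in the accepted answer

# Windows netstat prints "ip:port" for IPv4. IPv6 rows look like "[::]:135"
# and are deliberately skipped by this example.
_ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


@dataclass(frozen=True)
class Entry:
    proto: str                  # "TCP" or "UDP"
    local_ip: str               # 0.0.0.0 = bound on all interfaces; 127.0.0.1 = loopback only
    local_port: int
    remote_ip: Optional[str]    # None for UDP rows ("*:*"): UDP has no connection, so no peer
    remote_port: Optional[int]
    state: Optional[str]        # LISTENING / ESTABLISHED / ... for TCP; None for UDP


def _split(addr: str) -> Tuple[Optional[str], Optional[int]]:
    m = _ADDR.match(addr)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def parse_netstat(text: str) -> List[Entry]:
    """Turn netstat -an text into Entry rows, ignoring headers and blank lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # "Active Connections", column header, blanks
        local_ip, local_port = _split(parts[1])
        if local_ip is None:
            continue                      # IPv6 or unexpected format
        remote_ip, remote_port = _split(parts[2]) if len(parts) > 2 else (None, None)
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else None
        entries.append(Entry(parts[0], local_ip, local_port, remote_ip, remote_port, state))
    return entries


def find_indicators(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Return (reason, entry) pairs for the rows the thread treats as alarming."""
    hits = []
    for e in entries:
        if e.proto == "TCP" and e.state == "ESTABLISHED" and e.remote_port in IRC_PORTS:
            hits.append(("irc-connection", e))        # the 'find ":6667"' check
        elif e.proto == "TCP" and e.state == "LISTENING" and e.local_port == IDENT_PORT:
            hits.append(("ident-listener", e))        # the 'find ":113 "' check
        elif e.local_port in SUBSEVEN_PORTS and (e.proto == "UDP" or e.state == "LISTENING"):
            hits.append(("subseven-port", e))         # something is serving on a SubSeven default
    return hits


# Constructed sample: the two lines from Luc Franken's post plus made-up rows
# shaped like the listeners the follow-up comment describes (0.0.0.0 TCP
# listeners, a loopback-only listener, UDP rows with no foreign address/state).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.101:1030     10.0.0.5:80            ESTABLISHED
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
"""


def report(text: str) -> List[str]:
    """One human-readable line per indicator; an empty list means nothing matched."""
    return [(f"{reason}: {e.proto} {e.local_ip}:{e.local_port} -> "
             f"{e.remote_ip}:{e.remote_port} {e.state or ''}").rstrip()
            for reason, e in find_indicators(parse_netstat(text))]


if __name__ == "__main__":
    # With a file argument, analyse saved netstat output; otherwise run netstat live.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    lines = report(text)
    print("\n".join(lines) if lines else "no IRC/Ident/SubSeven indicators found")
```

Run it with no arguments on the Windows box to analyse live output, or pass a saved `netstat -an > netstat.txt` file to examine a machine offline. The same limits as the original check apply: a bot that uses a non-standard IRC port or ships no Ident server produces no hit, and an inbound scan against 27374 that the firewall blocks never shows up in netstat at all. Only a local process LISTENING on that port would, which is the thing actually worth worrying about.
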
Expert Comment

by:winxpcrazy
ID: 9716979
Thank you for your post LucF, I learn something new every day. However, I did both and both came up negative (hooray). If you would please go into a little more detail on these "zombie bots", I've never heard of them, such as: if they are connected to a chat server, how does that pose a problem? I mean, if it's connected it's not holding the port open, is it? How would someone get one of these zombie bots on their computer to begin with, so I know what not to do in the future :), because I do have the 3 main messengers on my machine. I do regular scans with Norton AV, Spybot S&D, and Ad-Aware, but it's mostly tracking cookies they ever find, and Norton has never found a virus on here, well, except when I tested it with the EICAR test string. Just while typing this I had 4 alerts, all for port 27374; this is getting a little ridiculous. It's weird because the port 80 scans don't even happen very much anymore like they used to; it's all 27374 now. This puzzles me.

Also, another question: in netstat I have 9 times a local address of 0.0.0.0 listening on various different ports, and all of the foreign addresses are 0.0.0.0 as well. Can someone please explain this to me? I think I read somewhere once about my computer listening to other parts of my computer. Does this make sense? I don't want to sound dumb, but the only way for me to learn is to ask someone that knows. Just for giggles, here are the 9 ports: 135, 445, 1025, 1026, 1027, 1033, 1512, and 5101. Wow, another question I have now after looking at netstat some more: all of the ones I just listed are using the TCP protocol; however, I have 7 more local 0.0.0.0 doing something with different ports, but all of these are using the UDP protocol and it doesn't give a foreign address or the state of it (listening or established). What is the difference between the TCP and UDP protocols? There are also 3 more with the local address of 127.0.0.1 doing something with ports. Now, I know the address 127.0.0.1 is the local address of my computer, but what are they doing?

Wow, I've written a lot here, a lot more than I was planning on. If someone wants to sit down and type all this stuff out to me, that would be great. I really like this stuff and I can never learn too much. If someone wants to take the time to type it all, I will up the points for this question. Also, after all of this, please don't forget the original question of the port 27374 scans, as I'm still very curious about it and would like to know what I did or how to make it stop if there is such a way (I doubt it, but you guys are the experts, not me) ;)
Your help is appreciated in advance.
Best regards,
neversleeps

Expert Comment

by:winxpcrazy
ID: 9717049
Oh, by the way, winxpcrazy was my other name. I forgot the password and recently found it. I didn't realize I posted it under that name and signed it with my other name before I did it, because I'm sure you guys would have been wondering about it. Damn scans, 3 of them while I typed this little tiny bit.
Well, OK, I'd better go before I type another book, and I need to go close my old account on here.
Have a pleasant day,
laters
winxpcrazy
neversleeps
LVL 32

Expert Comment

by:Luc Franken
ID: 9717069
Duplicate account?? Sorry, but that's not allowed at this site.

But if you want to know more about those zombies, read http://grc.com/dos/grcdos.htm (the link I posted before). Gibson has researched those bots and found out a lot about them.

LucF

Author Comment

by:neversleeps
ID: 9727918
I'm sorry about the 2 accounts. I tried to close my old account (winxpcrazy), but I couldn't find out how in the help section, so if you could close that one for me I would appreciate it.
Thanks,
neversleeps