UPDATE: more SSH hacking

Cowles, Steve steve at stevecowles.com
Tue Aug 10 19:41:58 UTC 2004


John Thompson wrote:
> Scot L. Harris wrote:
> 
>> A quick google on port 1025 had it listed in one place as network
>> blackjack.  Not sure how accurate that is.  But most likely this is just
>> someone scanning various ports for something open or for a specific
>> exploit on a service that uses port 1025.
> 
> IIRC, Windows uses the ports immediately above 1024 for a variety of
> readily-exploitable services. Configure the firewall to reject new
> connections on those ports.  My experience is that ports 1025-1030 are
> the most common targets.
> 

Thought I would add my two bits to this thread...

My firewall rejects/logs 20-30 of these TCP/1025 packets a day. Ethereal
captures don't reveal anything that points to any particular service exploit
mentioned at
http://www.incidents.org/port_details.php?port=1025

Also, my firewall rejects/logs hundreds of UDP/1026-1027 packets a day.
Ethereal decodes these packets as MS Messenger Service. Sometimes the
content of these messages (using ethereal captures to view) is actually
quite humorous, but most of the time the message content refers to the MS
Security Bulletin MS03-043 (which actually exists), then informs you that
your system is infected and refers you to a NON-microsoft website to install
a patch. Ya right!

Geeez! I wonder how many folks have actually selected the website mentioned
in the message and installed this so-called patch. No wonder the internet is
so infected with viruses nowadays.

Steve Cowles




