>X-PMC-CI-e-mail-id: 11389
>
>I noticed a port probe to 31789 to a domain
>I administer.
>
>161.139.104.101(31790) ->aaa.bbb.ccc.ddd(31789), : Sep 30 16:47:21
>
>This was done for all the hosts in the said domain.
>
>The probe came from 31790 (= 31789 + 1).
>
>Does anyone have an idea what this probe is?
>
>
>--
> Ishikawa, Chiaki [EMAIL PROTECTED] or
Hi,
The trojan Hack�A�Tack uses ports 31785, 31788, 31789, 31790, 31791 and 31792 as far as I know. 31789 and 31791 are usually used for UDP and the other for TCP. The trojan works on Windows 95 and 98. There exists at least four version coded by the original authors and two beafed up and bug fixed versions written by others (I think). Hack�A�Tack is found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It is a normal Remote Access trojan but can also bu used as an IP-scanner. Look out for files like Hack�a�Tack.exe, Expl32.exe and Win32ip.cfg. Further information about the trojan could be found on http://split.netset.com/hackfix/, one of the best trojan information sites on the net.
Keep it up!
Joakim
- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
- probe to 31789 Chiaki Ishikawa
- Joakim von Braun
