Actually 31337 is a favorite port for any trojan (Back Orifice etc.).
The reason being that 31337 is 'leetspeak' for ELEET (Elite).
Mark Andrich writes:
>
> If I remember correctly, 31337 is the chosen port for sub seven (one of the
> versions). For those who are more familiar with sub seven, might this be
> some kind of scan from the control side of the software randomly scanning for
> infected machines? Just curious..... I know this is a firewalls list and not
> a sub seven list, but I'm hoping it's a valid question......
>
>
> > -----Original Message-----
> > From: Dave Horsfall [SMTP:[EMAIL PROTECTED]]
> > Sent: Thursday, May 31, 2001 9:49 PM
> > To: Firewalls List
> > Subject: Re: Probe from 255.255.255.255?
> >
> > Thanks for the responses.
> >
> > Curious, I went back through my logs (I really must hook up a back-end
> > DB some time to look for trends) and found these:
> >
> > Apr 26 12:48:58 denied tcp 255.255.255.255(31337) -> XXX.75(515), 1 packet
> > Apr 26 23:35:41 denied tcp 255.255.255.255(31337) -> XXX.20(515), 1 packet
> > Apr 30 07:36:24 denied tcp 255.255.255.255(31337) -> XXX.46(515), 1 packet
> > Apr 30 14:46:05 denied tcp 255.255.255.255(31337) -> XXX.182(515), 1 packet
> > May 9 02:22:02 denied tcp 255.255.255.255(31337) -> XXX.46(515), 1 packet
> > May 12 23:43:25 denied tcp 255.255.255.255(31337) -> XXX.28(515), 1 packet
> > May 14 04:10:59 denied tcp 255.255.255.255(31337) -> XXX.200(515), 1 packet
> > May 15 01:22:13 denied tcp 255.255.255.255(31337) -> XXX.43(515), 1 packet
> > May 16 01:01:33 denied tcp 255.255.255.255(31337) -> XXX.229(515), 1 packet
> > May 17 09:18:25 denied tcp 255.255.255.255(31337) -> XXX.58(515), 1 packet
> > May 18 00:40:42 denied tcp 255.255.255.255(31337) -> XXX.3(515), 1 packet
> > May 18 13:36:13 denied tcp 255.255.255.255(31337) -> XXX.194(515), 1 packet
> > May 20 16:01:24 denied tcp 255.255.255.255(31337) -> XXX.162(515), 1 packet
> > May 26 11:43:56 denied tcp 255.255.255.255(31337) -> XXX.36(515), 1 packet
> > May 28 17:50:33 denied tcp 255.255.255.255(31337) -> XXX.59(515), 1 packet
> > May 30 06:07:00 denied tcp 255.255.255.255(31337) -> XXX.32(515), 1 packet
> > May 30 07:01:10 denied tcp 255.255.255.255(31337) -> XXX.48(515), 1 packet
> > May 31 10:30:10 denied tcp 255.255.255.255(31337) -> XXX.106(515), 1 packet
> >
> > So our script-kiddie has been at this for a while, eh? Fortunately, I've
> > got 515 blocked at the router (default deny, of course) which quietly
> > drops the packets anyway.
> >
> > --
> > Dave Horsfall CL VK2KFU [EMAIL PROTECTED] Ph: +61 2 9906 3377 Fx: * 9906 3468
> > (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
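The pattern in the quoted logs, denied packets whose source is 255.255.255.255 (an address that can never be a genuine source, so it is spoofed), can be pulled out of such a log mechanically. The following is an added example, not part of the original thread: the regular expression assumes the line format quoted above, and the function names and sample lines (with 192.0.2.x standing in for the masked XXX destinations) are constructed for illustration.

```python
import re
from ipaddress import ip_address
# Constructed sample in the log format quoted above. Destinations use the
# 192.0.2.0/24 documentation range in place of the masked XXX addresses.
SAMPLE_LOG = """\
Apr 26 12:48:58 denied tcp 255.255.255.255(31337) -> 192.0.2.75(515), 1 packet
Apr 30 07:36:24 denied tcp 255.255.255.255(31337) -> 192.0.2.46(515), 1 packet
May 9 02:22:02 denied tcp 255.255.255.255(31337) -> 192.0.2.46(515), 1 packet
May 10 08:00:00 denied tcp 198.51.100.7(40112) -> 192.0.2.10(23), 3 packets
May 11 09:15:30 denied udp 224.0.0.1(5353) -> 192.0.2.10(5353), 1 packet
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) denied \w+ "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

def impossible_source(addr):
    """Return why addr can never be a genuine unicast source, else None."""
    ip = ip_address(addr)  # raises ValueError on a malformed address
    if str(ip) == "255.255.255.255":
        return "limited broadcast"
    for reason in ("multicast", "unspecified", "loopback"):
        if getattr(ip, "is_" + reason):
            return reason
    return None

def summarize_spoofed(log_text):
    """Group denies with impossible sources by (src, src port, dst port)."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            reason = impossible_source(m["src"]) if m else None
        except ValueError:
            reason = None  # address field is not a valid IP
        if reason is None:
            continue  # unparsed line or plausible source: not reported here
        key = (m["src"], int(m["sport"]), int(m["dport"]))
        g = groups.setdefault(key, {"reason": reason, "packets": 0,
                                    "targets": set(), "first": m["ts"]})
        g["packets"] += int(m["count"])
        g["targets"].add(m["dst"])
        g["last"] = m["ts"]  # log is chronological, so last seen wins
    return groups

if __name__ == "__main__":
    print(summarize_spoofed(SAMPLE_LOG))
```

Each group reports the distinct destinations and the first and last timestamps, which makes a slow probe spread over weeks visible as a single entry.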