TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Juz curious... :). Why would a major ISP even WANT to 'lure' script kiddies
(except maybe to a 'honeypot' or such..)? Seems to me they have enough
problems with 'em as it is...? BTW, I've also noticed open ports on Netbus
12345 & 12346 on major ISP's SMTP servers. I notified their NOC's a month
or so ago, but haven't heard a thing back, and the ports are still active.
Interesting... I know some sysadmins run BackOrifice as a remote admin
tool, but I haven't heard of Netbus for this purpose.
--Bill
----- Original Message -----
From: "Robert Zachary" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 21, 2000 1:44 PM
Subject: RE: Netbus ?
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------
Keep in mind that they may be also running this as a daemon to lure script
kiddies. I have done this myself. Do notify the victimsystem as a courtesy.
Rob
/------------------------------------------/
Robert Zachary
Analyst
Information Security
Tandy Information Services
817.415.0675
[EMAIL PROTECTED]
> -----Original Message-----
> From: Gary McIntyre [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 21, 2000 2:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Netbus ?
>
>
> TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of
> your message to
> [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help
> with any problems!
> --------------------------------------------------------------
> --------------
>
>
> It certainly looks that way. I know of no legitimate
> applications which
> hold port 12345 open for sessions, besides NetBus. Have you
> informed the
> various victims of the problem?
>
> Gary McIntyre
> Network Consultant
> LGS Group Inc.
> [EMAIL PROTECTED]
>
> This user's PGP Public Keys can be
> obtained from certserver.pgp.com
>
> ----- Original Message -----
> From: "Data_surge <[EMAIL PROTECTED]>@LGS"
> <IMCEANOTES-Data+5Fsurge+20+3CGn0+40datasurge+2Ecom+3E+40LGS@e
> -commerce.com>
> To: "[EMAIL PROTECTED]"
> <[EMAIL PROTECTED]>
> Sent: Friday, January 21, 2000 2:40 PM
> Subject: Netbus ?
>
>
> >
> > TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of
> your message
> to
> > [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
> > problems!
> >
> --------------------------------------------------------------
> ------------
> --
> >
> > Hey there all,
> > Lately i have been scanning a number of host for record
> purposes, and on a
> > number of large isp and e-commerce sites i have found a
> port open for
> netbus
> > the
> > port is 12345 i did not beleive it at first and got my
> port listing docs
> > out
> > to verify that it was something elese and on both counts it came up
> > unverified.
> > I can say safley say that the largest isp in my country has
> been ifected
> > with
> > netbus. Here is one of the logs.
> > Starting nmap V. 2.3BETA13 by [EMAIL PROTECTED]
> ( www.insecure.org/nmap/ )
> > Interesting ports on the url ? (a ip:0)
> > Port State Protocol Service
> > 21 open tcp ftp
> > 22 open tcp ssh
> > 23 open tcp telnet
> > 25 open tcp smtp
> > 53 open tcp domain
> > 80 open tcp http
> > 110 open tcp pop-3
> > 111 open tcp sunrpc
> > 443 open tcp https
> > 12345 open tcp NetBus
> >
> > TCP Sequence Prediction: Class=random positive increments
> > Difficulty=34403 (Worthy challenge)
> > Remote operating system guess: FreeBSD 2.2.1 - 3.2
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 65 seconds
> >
> >
>
>
>
>
