Australia's Leading Computer Emergency Response Team

Bits and ports
Date: 30 December 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8569



Good afternoon all,

I have a couple of things I want to update you on regarding our recent blogs.

  1. Port Scans
  2. Storm URIs

1. Port Scans


We have noticed an increase in port scanning on the following list of ports:
 2967|tcp - Symantec Corporate Antivirus
 5454|tcp - APC (also uses 5455, 5456 and UDP) [1]
 5900|tcp - VNC
 4899|tcp - RAdmin
45454|tcp - Unsure
54545|tcp - Unsure
54554|tcp - Unsure

Regarding ports 45454, 54545 and 54554, I am unable to find anything that uses these ports. It is quite possibly a typographical error on the part of the person(s) conducting the scans, as they have very similar numbers to the APC ports.


2. Storm URIs

I have a few more URLs for you to check with your logs.

  h**p :// newyearwithlove,com/
  h**p :// familypostcards2008,com/
  h**p :// freshcards2008,com/

Oh, and here's a little bit of irony for today. I sent an email requesting the shutdown of the domains and this is the message I get bounced back.

   ----- Transcript of session follows -----
... while talking to relay3.ripn.net.:
>>> DATA
<<< 550-This message contains a virus or other harmful content
<<< 550 (Email.Phishing.RB-2346)
554 5.0.0 Service unavailable

Cheers

Zane


References

   [1] Ports and Services
         http://www.dshield.org/services.html
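
Added example, not part of the original post: a firewall-log check for the scanning described in section 1, reporting sources that probe several of the listed TCP ports across hosts. The netfilter-style KEY=value log format, the min_targets threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# TCP ports named in the post, with the post's own labels.
WATCHED_TCP = {
    2967: "Symantec Corporate Antivirus",
    5454: "APC",
    5900: "VNC",
    4899: "RAdmin",
    45454: "Unsure",
    54545: "Unsure",
    54554: "Unsure",
}

# Assumed log format: Linux netfilter LOG lines made of KEY=value pairs.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def scan_sources(lines, min_targets=3):
    """Return {src: {"ports": [...], "targets": n}} for every source that hit
    at least min_targets distinct (destination host, watched port) pairs."""
    seen = defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or "SRC" not in f or "DST" not in f:
            continue  # the post lists TCP ports; skip UDP and malformed lines
        if f.get("DPT", "").isdigit() and int(f["DPT"]) in WATCHED_TCP:
            seen[f["SRC"]].add((f["DST"], int(f["DPT"])))
    return {
        src: {"ports": sorted({p for _, p in pairs}), "targets": len(pairs)}
        for src, pairs in seen.items()
        if len(pairs) >= min_targets  # one repeated VNC session is not a sweep
    }


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=2967 SYN",
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=5900 SYN",
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40003 DPT=4899 SYN",
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40004 DPT=45454 SYN",
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=40005 DPT=5454",
    "IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=5900 SYN",
    "IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=5900 SYN",
    "IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=80 SYN",
]

if __name__ == "__main__":
    for src, hit in scan_sources(SAMPLE).items():
        names = ", ".join(f"{p} ({WATCHED_TCP[p]})" for p in hit["ports"])
        print(f"{src}: {hit['targets']} probes -> {names}")
```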