[Dshield] Probes to port 901

Kenneth Coney superc at visuallink.com
Sun Sep 28 17:47:22 GMT 2003

It's not uncommon.  Yesterday alone I permanently rule blocked 9 IPs that 
tried to connect or probed to 901.  Also 6 trying 17300 over and over.  My 
rule list is getting long.  Is there a legitimate use for those ports?

Subject: Re: [Dshield] Probes to port 901
From: Blake McNeill <mcneillb at linklogger.com>
Date: Sat, 27 Sep 2003 14:26:28 -0600
To: General DShield Discussion List <list at dshield.org>

We captured the following scan to TCP port 901 and given no data was sent,
its either just a port probe or its a connection attempt to a trojan which
sends out a response on connection (likely).

TCP Port 901 PortPeeker capture
TCP Connection Request
--- 9/27/2003 02:38:19.409 : 4024 TCP Connected ID = 1
--- 9/27/2003 02:38:19.429
Status Code: 0 OK

TCP Error
--- 9/27/2003 02:38:21.832
Error Code: 10054 Winsock error in recv() : 4024 TCP Disconnected ID = 1
--- 9/27/2003 02:38:21.832
Status Code: 10053 [10053] Software caused connection abort

If someone could send me what the connection response would be for NetDevil
(or SubSeven or any other trojan that would be very helpful) then we can
configure PortPeeker to send the correct response on connection and then see
if we can get the connecting system to confirm its intent.


More information about the list mailing list