[Dshield] Korgo Infections at 50%

Frank Knobbe frank at knobbe.us
Sat Jun 12 16:29:17 GMT 2004


On Sat, 2004-06-12 at 11:05, Blake McNeill wrote:
> One system was totally amazing for open ports (please tell me this is a
> honey pot).
> 29 open TCP ports: 22, 25, 80, 110, 113, 119, 135, 139, 420, 445, 559, 1022,
> 1023, 1025, 1433, 2041, 2745, 3067, 3127, 4444, 5000, 5300, 6129, 8967,
> 9898, 9996, 9999, 28856, 65506
> 1 open UDP ports: 137

If 137 was your only open UDP port, then it appears to be a honey pot.
Windows also opens UDP listeners on 138 and 445 (and I thought 135, but
couldn't verify that on my Win2000 test box).

Alternatively, it could be a firewall like Raptor, which appears to have
a massive number of ports open, even when they are not used.

Regards,
Frank
