Port 33

Stephen W. Thompson thompson at pobox.upenn.edu
Tue Jun 3 19:31:44 GMT 2003


Steve Bernard wrote:

> I've got a compromised box that is running a service on TCP port 33.
> I can't find anything on from Google, SANS, etc. regarding this port,
> except that it's "supposed to be" the Display Support Protocol.  Using
> telnet to connect to the port provides the following:
> 
> # telnet a.b.c.d 33
> Trying a.b.c.d...
> Connected to a.b.c.d.
> Escape character is '^]'.
>   [Pressed <Enter>]
> 220 v:0.2
> ?
> 500 Not Loged in
> ^]
> telnet> close
> Connection closed.
> #
> 
> Has anyone else seen this?

More and more I find it makes more sense to find out what *is* running
rather than what *might be* running.  On WinXP/2K, this means running a
tool such as fport.exe (from foundstone.com, freely-usable though
copyrighted), or "netstat -an -o" (I believe) on WinXP, or lsof on
Unix-like systems.  All such tools will show, for each open port, what
file/executable has the port open.

En paz,
Steve, security analyst
-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.



More information about the unisog mailing list