[unisog] Port 33
reillyb at georgetown.edu
Tue Jun 3 19:48:50 GMT 2003
The responses look vaguely FTP-like. Perhaps the compromised host is
running a rogue FTP server on a non-standard port. I don't think we've
seen it bound to 33/TCP before, but we've seen plenty of them on other
ports on compromised systems. Have you tried using lsof or fport to
uncover anything about the suspect process?
Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
On Tue, 3 Jun 2003 sbernard at gmu.edu wrote:
> I've got a compromised box that is running a service on TCP port 33.
> I can't find anything from Google, SANS, etc. regarding this port,
> except that it's "supposed to be" the Display Support Protocol.
> Using telnet to connect to the port provides the following:
> # telnet a.b.c.d 33
> Trying a.b.c.d...
> Connected to a.b.c.d.
> Escape character is '^]'.
> [Pressed <Enter>]
> 220 v:0.2
> 500 Not Loged in
> telnet> close
> Connection closed.
> Has anyone else seen this?
> Steve Bernard
> Sr. Systems Engineer, NET
> George Mason University
> Fairfax, Virginia
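
An added triage example, not part of either message above: it checks whether captured server lines follow the three-digit reply syntax that makes the session look FTP-like, and notes when such a service answers on a port other than the usual one. The function names, the `expected_ports` default and the verdict strings are assumptions made for this sketch.

```python
import re

# Reply-line syntax from RFC 959: three digits, then a space (final line)
# or a hyphen (continuation line), then free text. SMTP uses the same
# syntax, so a match means "reply-code style", not proof of FTP.
REPLY_RE = re.compile(r"^([1-5][0-5]\d)([ -])(.*)$")

# Constructed sample: the two server lines from the telnet session above.
SAMPLE = ["220 v:0.2\r\n", "500 Not Loged in\r\n"]

def parse_reply(line):
    """Return {'code', 'more', 'text'} for a reply-style line, else None."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {"code": int(m.group(1)), "more": m.group(2) == "-", "text": m.group(3)}

def assess(server_lines, port, expected_ports=(21,)):
    """Classify a captured banner exchange for triage notes."""
    lines = [l for l in server_lines if l.strip()]
    replies = [parse_reply(l) for l in lines]
    all_replies = bool(lines) and all(r is not None for r in replies)
    greeted = all_replies and replies[0]["code"] == 220
    # A 5xx answer to unauthenticated input, like the "500" above.
    refused = all_replies and any(r["code"] >= 500 for r in replies[1:])
    if greeted and port not in expected_ports:
        verdict = "reply-code service on unexpected port"
    elif greeted:
        verdict = "reply-code service on expected port"
    else:
        verdict = "not reply-code style"
    return {"verdict": verdict, "refused": refused,
            "codes": [r["code"] for r in replies if r]}

if __name__ == "__main__":
    print(assess(SAMPLE, 33))
```

A match only narrows the protocol family; identifying the process that owns the socket still needs a host-side tool such as lsof or fport, as suggested in the reply.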