[unisog] Port 33

Brian Reilly reillyb at georgetown.edu
Tue Jun 3 19:48:50 GMT 2003


Steve,

The responses look vaguely FTP-like.  Perhaps the compromised host is
running a rogue FTP server on a non-standard port.  I don't think we've
seen it bound to 33/TCP before, but we've seen plenty of them on other
ports on compromised systems.  Have you tried using lsof or fport to
uncover anything about the suspect process?

--Brian

______________________________________________
Brian Reilly, CISSP
University Network Security Officer
Georgetown University, UIS
<reillyb at georgetown.edu>
+1 202.687.2775


On Tue, 3 Jun 2003 sbernard at gmu.edu wrote:

> I've got a compromised box that is running a service on TCP port 33.  
> I can't find anything from Google, SANS, etc. regarding this port,
> except that it's "supposed to be" the Display Support Protocol.  
> Using telnet to connect to the port provides the following:
> 
> # telnet a.b.c.d 33
> Trying a.b.c.d...
> Connected to a.b.c.d.
> Escape character is '^]'.
>   [Pressed <Enter>]
> 220 v:0.2
> ?
> 500 Not Loged in
> ^]
> telnet> close
> Connection closed.
> #
> 
> Has anyone else seen this?
> 
> Regards,
> 
> Steve Bernard
> Sr. Systems Engineer, NET
> George Mason University
> Fairfax, Virginia
> 
> 
> 
> 
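
An added example, not part of the original messages: a small triage check that tests whether lines captured from an unknown listener have the FTP reply shape Brian describes (three-digit code, then a space or hyphen, then text, per RFC 959). The sample lines are the two server responses from the quoted telnet session; the function names and result keys are assumptions made for this illustration.

```python
import re

# RFC 959 reply line: three digits (first digit 1-5), then a space (final
# line) or a hyphen (continuation of a multi-line reply), then free text.
REPLY_RE = re.compile(r"^([1-5][0-9]{2})([ -])(.*)$")
FTP_CONTROL_PORT = 21

# Constructed sample: the server-side lines from the telnet session quoted above.
SAMPLE_SERVER_LINES = ["220 v:0.2", "500 Not Loged in"]


def parse_replies(lines):
    """Return (code, is_final_line, text) for each line shaped like an FTP reply."""
    replies = []
    for line in lines:
        m = REPLY_RE.match(line.rstrip("\r\n"))
        if m:
            replies.append((int(m.group(1)), m.group(2) == " ", m.group(3)))
    return replies


def assess(lines, port):
    """Summarise how FTP-like a captured response is for a given listening port."""
    nonblank = [l for l in lines if l.strip()]
    replies = parse_replies(nonblank)
    first = parse_replies(nonblank[:1])  # the greeting must be the first line seen
    result = {
        "reply_lines": len(replies),
        "all_lines_are_replies": bool(nonblank) and len(replies) == len(nonblank),
        "greeting_220": bool(first) and first[0][0] == 220,
        "rejects_with_5xx": any(500 <= code <= 599 for code, _, _ in replies),
        "nonstandard_port": port != FTP_CONTROL_PORT,
    }
    # Flag for follow-up: FTP-style dialogue on a port other than 21.
    result["ftp_style_on_odd_port"] = (
        result["all_lines_are_replies"]
        and result["greeting_220"]
        and result["nonstandard_port"]
    )
    return result


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SERVER_LINES, 33).items():
        print(f"{key}: {value}")
```

SMTP uses the same three-digit reply shape and a 220 greeting, so a positive result only narrows the possibilities; identifying the owning process on the host with lsof or fport, as suggested above, is what confirms it.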



