[unisog] Port 33

Tom Perrine tep at sdsc.edu
Tue Jun 3 19:53:14 GMT 2003

>>>>> On Tue, 03 Jun 2003 13:03:14 -0400, sbernard at gmu.edu said:

    s> I've got a compromised box that is running a service on TCP port 33.  I can't find anything on from Google, SANS, etc. regarding this port, except that it's "supposed to be" the Display Support Protocol.  Using telnet to connect to the port provides the following:
    s> # telnet a.b.c.d 33
    s> Trying a.b.c.d...
    s> Connected to a.b.c.d.
    s> Escape character is '^]'.
    s>   [Pressed <Enter>]
    s> 220 v:0.2
    s> ?
    s> 500 Not Loged in
    s> ^]
    telnet> close
    s> Connection closed.
    s> #

    s> Has anyone else seen this?

    s> Regards,

    s> Steve Bernard
    s> Sr. Systems Engineer, NET
    s> George Mason University
    s> Fairfax, Virginia

Looks like a hacked FTP server.  Message code 220 is the regular FTP
greeting message code, 500 is one of the not logged in codes.

I'd guess a warez server or some off-brand cracker FTP server, or a
hacked regular FTP daemon.


Tom E. Perrine <tep at SDSC.EDU> | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | 

More information about the unisog mailing list