[unisog] Port 33

Cam Beasley, ISO cam at austin.utexas.edu
Tue Jun 3 20:56:20 GMT 2003


i've come across a few IRCbots using 33/tcp for
their serv-u daemon.. the port is likely hack team
specific..  nothing new though..

if you like tcpview, try procexp:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

~cam.

Cam Beasley
Information Security Office
The University of Texas at Austin
      

> -----Original Message-----
> From: Phil.Rodrigues at uconn.edu [mailto:Phil.Rodrigues at uconn.edu] 
> Sent: Tuesday, June 03, 2003 15:18
> To: unisog at sans.org
> Subject: Re: [unisog] Port 33
> 
> 
> I also like TCP-View.  It's a single .exe and runs well on XP:
> 
> http://www.sysinternals.com/ntw2k/source/tcpview.shtml
> 
> I hadn't seen Vision yet - thanks for the tip!
> 
> Phil
> 
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> 
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu 
> =======================================
> 
> 
> 
> 
> 
> bukys at cs.rochester.edu
> 06/03/2003 03:17 PM
> 
>  
>         To:     sbernard at gmu.edu
>         cc:     bukys at cs.rochester.edu, unisog at sans.org
>         Subject:        Re: [unisog] Port 33
> 
> 
> If it's a Windows box, use the free FoundStone utilities "fport" 
> (command-line) or "vision" (GUI) to find out what process is 
> listening on that port.  On a Unix box, use "lsof" to do the same.
> 
> Liudvikas Bukys
> University of Rochester
> <bukys at cs.rochester.edu>
> 
> in reply to the following:
> >From: sbernard at gmu.edu
> >To: unisog at sans.org
> >Subject: [unisog] Port 33
> >
> >I've got a compromised box that is running a service on TCP port 33.  I
> >can't find anything from Google, SANS, etc. regarding this port, except
> >that it's "supposed to be" the Display Support Protocol.  Using telnet to
> >connect to the port provides the following:
> >
> ># telnet a.b.c.d 33
> >Trying a.b.c.d...
> >Connected to a.b.c.d.
> >Escape character is '^]'.
> >  [Pressed <Enter>]
> >220 v:0.2
> >?
> >500 Not Loged in
> >^]
> >telnet> close
> >Connection closed.
> >#
> >
> >Has anyone else seen this?
> >
> >Regards,
> >
> >Steve Bernard
> >Sr. Systems Engineer, NET
> >George Mason University
> >Fairfax, Virginia
> 
> 
> 
> 
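
The "what process is listening on that port" lookup that the thread hands to lsof, written out as an added example that is not part of the original messages: it reads a Linux /proc/net/tcp table, picks the LISTEN rows, and resolves each socket inode to the PIDs holding it. Linux, the sample table, its inode numbers and the function names are assumptions made for illustration.

```python
import glob
import os

# Constructed sample in /proc/net/tcp format (not data from the thread):
# a listener on 0.0.0.0:22, a listener on 0.0.0.0:33, one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0021 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A000005:0016 0A000009:C350 01 00000000:00000000 02:000A0000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket


def listeners(table_text):
    """Return {port: [inode, ...]} for every LISTEN row of a /proc/net/tcp table."""
    found = {}
    for row in table_text.splitlines()[1:]:           # first line is the header
        cols = row.split()
        if len(cols) < 10 or int(cols[3], 16) != TCP_LISTEN:
            continue
        port = int(cols[1].rsplit(":", 1)[1], 16)      # local port, hex after the colon
        found.setdefault(port, []).append(int(cols[9]))
    return found


def pids_for_inode(inode, proc="/proc"):
    """PIDs with an fd linked to socket:[inode]; other users' fds need root to read."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split(os.sep)[-3]))    # .../<pid>/fd/<n>
        except OSError:                                # process exited or access denied
            continue
    return sorted(pids)


def who_listens(port, table_text):
    """Map each listening socket inode on `port` to the PIDs that own it."""
    return {ino: pids_for_inode(ino) for ino in listeners(table_text).get(port, [])}


if __name__ == "__main__":
    print(listeners(SAMPLE_PROC_NET_TCP))              # parse the constructed sample
    if os.path.exists("/proc/net/tcp"):                # live host, IPv4 only (tcp6 is separate)
        with open("/proc/net/tcp") as fh:
            print(who_listens(33, fh.read()))
```

An inode that shows up as a listener but resolves to no PID when run as root is worth a second look, since the process list and the socket table should agree.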


