[unisog] Port 33

DelVecchio, Anthony R. ARDELVECCHIO at stthomas.edu
Mon Jun 16 14:15:49 GMT 2003


We had one too. It was an NT 4.0 SP 6. There was a rogue service fxsvc.exe
running and eating up the CPU time. Google on fxsvc shows a few references
to a backdoor, but so far only showing up in Europe.  Some smaller
Anti-virus companies are listing it in their definitions as of the 12th, but
I can't find any more information about the compromise.

Tony DelVecchio
Network Security Manager 
University of St Thomas
St Paul, MN

-----Original Message-----
From: Jeff Bollinger [mailto:jeff01 at email.unc.edu]
Sent: Wednesday, June 04, 2003 2:20 PM
To: unisog at sans.org
Subject: Re: [unisog] Port 33



Good recommendation on 'amap'.  You may also want to try this Nmap flag
as well, which may help determine the protocol being spoken by/to that
port.  It's called the "Protocol Scan":

(with root privileges)

# nmap -sO <host IP>

Thanks,
Jeff

--
Jeff Bollinger, CISSP
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu

Michael Sconzo wrote:
| If you have access to a linux box you might try the tool amap
| (application map) it's used via a network connection and it basically
| determines what applications are running on a given port...ie FTP on
| port 80 etc...  It works by determining the protocol of the service
| running on the port.
|
| -Mike
|

|>>>
|>>>I've got a compromised box that is running a service on TCP port 33.  I
|>>>can't find anything from Google, SANS, etc. regarding this port, except
|>>>that it's "supposed to be" the Display Support Protocol.  Using telnet to
|>>>connect to the port provides the following:
|>>
|>>># telnet a.b.c.d 33
|>>>Trying a.b.c.d...
|>>>Connected to a.b.c.d.
|>>>Escape character is '^]'.
|>>> [Pressed <Enter>]
|>>>220 v:0.2
|>>>?
|>>>500 Not Loged in
|>>>^]
|>>>telnet> close
|>>>Connection closed.
|>>>#
|>>>
|>>>Has anyone else seen this?
|>>>
|>>>Regards,
|>>>
|>>>Steve Bernard
|>>>Sr. Systems Engineer, NET
|>>>George Mason University
|>>>Fairfax, Virginia

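The thread's two suggestions are different things, and a practitioner will want both straight: amap (and nmap's -sV) talk to the port and match the application-layer reply against a signature table, whereas nmap -sO is an IP protocol scan that only tells you which IP protocols (TCP, UDP, ICMP, ...) the host answers, not what is listening on one TCP port. The script below is an added example, not code from any poster in the thread: it reproduces Steve's telnet exchange in Python (read whatever the service sends on connect, send a line, read the reply) and classifies the banner the same way amap does, with a small signature table whose first entry is the exact "220 v:0.2" / "500 Not Loged in" reply from the post. So that it runs offline, it starts a constructed local listener that mimics that reply; the listener, its port, and the signature names are assumptions for illustration, not identifiers from the thread.

```python
"""Banner-grab an unknown TCP service and classify the reply.

Added example for the unisog "Port 33" thread, not code from the thread.
The fake listener and the signature table below are constructed for
illustration; only the "220 v:0.2" / "500 Not Loged in" strings come
from the original telnet session in the post.
"""
import re
import socket
import threading

# Constructed: the two lines the compromised host answered in the post.
FAKE_GREETING = b"220 v:0.2\r\n"
FAKE_ERROR = b"500 Not Loged in\r\n"

# Hypothetical signature table: (label, regex over the whole captured reply).
# First entry is the reply seen in the thread; the rest show how amap-style
# matching separates it from legitimate 220-greeting services.
SIGNATURES = [
    ("unknown-backdoor-v0.2", re.compile(rb"^220 v:0\.2\b.*500 Not Loged in", re.S)),
    ("smtp", re.compile(rb"^220 .*(SMTP|ESMTP)", re.S)),
    ("ftp", re.compile(rb"^220 .*FTP", re.S)),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
]


def _recv(sock):
    """One recv() that treats a read timeout as 'service said nothing'."""
    try:
        return sock.recv(4096)
    except socket.timeout:
        return b""


def grab_banner(host, port, probe=b"?\r\n", timeout=3.0):
    """Mimic the telnet session: collect any unsolicited greeting, send one
    line, collect the reply. Returns the raw bytes seen (possibly empty)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data += _recv(s)      # greeting, if the service talks first
        s.sendall(probe)      # the "?" Steve typed in the post
        data += _recv(s)      # e.g. "500 Not Loged in"
    return data


def classify(banner):
    """Return the first signature label matching the banner, else 'unidentified'."""
    for label, rx in SIGNATURES:
        if rx.search(banner):
            return label
    return "unidentified"


def probe_port(host, port):
    """Grab and classify in one call: (label, raw banner)."""
    banner = grab_banner(host, port)
    return classify(banner), banner


def start_fake_service(host="127.0.0.1"):
    """Constructed stand-in for the TCP/33 service from the post: greets
    with 220 on connect and answers every line with the 500 error.
    Listens on an ephemeral port; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.settimeout(2.0)
                conn.sendall(FAKE_GREETING)
                buf = b""
                try:
                    while True:
                        chunk = conn.recv(1024)
                        if not chunk:
                            break
                        buf += chunk
                        while b"\n" in buf:
                            _, buf = buf.split(b"\n", 1)
                            conn.sendall(FAKE_ERROR)
                except (socket.timeout, OSError):
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_fake_service()
    label, raw = probe_port("127.0.0.1", port)
    print(label, raw)
    srv.close()
```

Against a real host, call `probe_port("a.b.c.d", 33)` instead of the fake listener; if the reply matches nothing in the table, the raw bytes are still what you would feed into `amap -b` output or an `nmap -sV -p 33 a.b.c.d` run for comparison, and the exact greeting string is what to search for in AV vendor write-ups.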
