[unisog] Port 33
DelVecchio, Anthony R.
ARDELVECCHIO at stthomas.edu
Mon Jun 16 14:15:49 GMT 2003
We had one too. It was an NT 4.0 SP 6. There was a rogue service fxsvc.exe
running and eating up the cpu time. Google on fxsvs shows a few references
to a backdoor, but so far only showing up in Europe. Some smaller
Anti-virus companies are listing it in their definitions as of the 12th, but
I can't find any more information about the compromise.
Network Security Manager
University of St Thomas
St Paul, Mn
From: Jeff Bollinger [mailto:jeff01 at email.unc.edu]
Sent: Wednesday, June 04, 2003 2:20 PM
To: unisog at sans.org
Subject: Re: [unisog] Port 33
Good recommendation on 'amap'. You may also want to try this Nmap flag
as well, which may help determine the protocol being spoken by/to that
port. It's called the "Protocol Scan":
(with root privileges)
# nmap -sO <host IP>
Jeff Bollinger, CISSP
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
Michael Sconzo wrote:
| If you have access to a linux box you might try the tool amap
| (application map). It's used via a network connection and it basically
| determines what applications are running on a given port, i.e. FTP on
| port 80 etc. It works by determining the protocol of the service
| running on the port.
|> I've got a compromised box that is running a service on TCP port 33. I
|> can't find anything from Google, SANS, etc. regarding this, other than
|> that it's "supposed to be" the Display Support Protocol. Using telnet to
|> connect to the port provides the following:
|>
|> # telnet a.b.c.d 33
|> Connected to a.b.c.d.
|> Escape character is '^]'.
|> [Pressed <Enter>]
|> 500 Not Loged in
|>
|> Has anyone else seen this?
|>
|> Sr. Systems Engineer, NET
|> George Mason University
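An added example, not part of the list thread, that automates the telnet check quoted above for sweeping your own hosts: it sends the CRLF that pressing Enter sends and classifies the reply against the "500 Not Loged in" banner. The classification labels and the loopback listener helper (a constructed stand-in, not a real service) are my own.

```python
import socket
import threading
# Banner the compromised host in this thread returned (sic: "Loged").
SUSPECT_BANNER = b"500 Not Loged in"

def classify_banner(data: bytes) -> str:
    """Classify a raw reply read from the port after sending a bare CRLF."""
    if not data:
        return "silent"           # no reply at all
    if SUSPECT_BANNER in data:
        return "matches-reported-backdoor"
    if data.startswith(b"500 "):
        return "ftp-style-error"  # same code, different text: still worth a look
    return "other"

def probe(host: str, port: int = 33, timeout: float = 3.0) -> str:
    """Connect, send CRLF (what pressing Enter in telnet sends), read the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\r\n")
            chunks = []
            try:
                while True:
                    buf = s.recv(1024)
                    if not buf:
                        break
                    chunks.append(buf)
            except socket.timeout:
                pass  # peer kept the socket open; classify what we have
            return classify_banner(b"".join(chunks))
    except OSError:
        return "closed"

def start_fake_listener(reply: bytes) -> int:
    """Constructed test helper (not a real service): answers once with `reply`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(reply + b"\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe("127.0.0.1", start_fake_listener(SUSPECT_BANNER)))
```

Point probe() at a host and port you administer; "closed" means the connection was refused or timed out, "silent" means it accepted but said nothing.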