Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 5 port 31337

Published: 2009-10-05
Last Updated: 2011-01-30 04:33:34 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

Backdoors and malware and trojans oh my!

Post 31337 (tcp or udp) is not an officially assigned port according to IANA. Most /etc/services files do not reference it. So why pick what seems to be an obscure port that does not have a protocol associated with it to discuss as part of Cyber Security Awareness Month? If you use a popular search engine 31337 tends to return references to 31337 being an alternate spelling for Eleet (or Elite), and possible infections of a backdoor trojan which listened by default on this port. Back Orifice is not exactly new, originally released in 1998, it's successors such as BO2K have been updated somewhat. Most anti-virus engines will classify Back Orifice as malware and attempt removal. Some IDS engines will still alarm on traffic going to or from once popular typical trojan ports.

One part of the discussion of port 31337 could be the futility of alarming on any particular tcp or udp port at all. In 1998 BO had the ability to change its default listening port to anything at all. Any service in fact can be made to listen on pretty much any port. Without looking at the payload of the traffic you have no idea what is happening, whether it is a firewall or an IDS triggering on a 'suspicious' packet.

Trojans have not gone away to be a footnote in the history of InfoSec, they have evolved.

Please contact us if you have any comments or would like to add to this diary entry.

Update1: Dan wrote in to remind me that port 31337 is also the default listen port for Ncat, the netcat replacement from the Nmap team. Thanks Dan!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

1 comment(s)

Time to change your hotmail/gmail/yahoo password

Published: 2009-10-05
Last Updated: 2011-01-25 00:08:42 UTC
by Adrien de Beaupre (Version: 1)
14 comment(s)

Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online. Mainstream media such as the BBC are also carrying the story. Some information is posted here.

UPDATE: Gmail and Yahoo are also affected by the compromise. Change all passwords on any of these popular webmail sites.

Some does and don'ts:

  • Do change your passwords on a regular basis (every six months or so)
  • Do use long complex pass-phrases rather than passwords where you can
  • Do change all of your passwords if you notice something suspicious
  • Do take identity theft seriously
  • Do use up-to-date anti-virus and a firewall
  • Do NOT click on links in emails, ever
  • Do NOT use the same password at multiple sites

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

14 comment(s)
Diary Archives