Port 31337 (tcp/udp) Attack Activity - SANS Internet Storm Center

Handler on Duty: Rob VandenBrink

Threat Level: green

[get complete service list]

Port Information
Protocol	Service	Name
tcp	ADMworm	[trojan] ADM worm
tcp	DeepBO	[trojan] Deep BO
tcp	Elite	Sometimes interesting stuff can be found here here
tcp	Freak2k	[trojan] Freak2k
tcp	Freak88	[trojan] Freak88
tcp	Gummo	[trojan] Gummo
tcp	icmp_pipe.c	[trojan] icmp_pipe.c
tcp	LinuxRootkitIV	[trojan] Linux Rootkit IV
udp	BackOrifice	cDc Back Orifice remote admin tool
tcp	eldim	eldim is a secure file upload proxy
tcp	cron/crontab	[trojan] cron / crontab
tcp	BOspy	[trojan] BO spy
tcp	BOFacil	[trojan] BO Facil
tcp	BackFire	[trojan] Back Fire
tcp	BackOrifice1.20patches	[trojan] Back Orifice 1.20 patches
tcp	BackOrifice(Lm)	[trojan] Back Orifice (Lm)
tcp	BackOrificerussian	[trojan] Back Orifice russian
tcp	BaronNight	[trojan] Baron Night
tcp	Beeone	[trojan] Beeone
tcp	bindshell	[trojan] bindshell
tcp	BO2	[trojan] BO2
tcp	BOclient	[trojan] BO client
udp	eldim	eldim is a secure file upload proxy

User Comments
Submitted By	Date
Comment
Tony	2006-12-22 13:58:41
This is the default port for psyBNC; an IRC relay daemon/server (or BouNCer). It is common to find several instances of the daemon running with ~50 max clients on the same machine. Another port can be used to link psyBNC daemons together, optionaly using SSL encryption. Linking is optional. I cant remember which port it uses by default, something like 7000 I think. See: http://www.psybnc.at/ for more info.
Tim Chase	2004-04-27 23:45:03
According to an update by US-CERT (April 22, 2004), the recent upsurge in activity may be due to a recently released exploit (involving our old friend, the buffer overflow) for Microsoft Private Communications Technology. PCT runs on port 443 using tcp, and the exploit connects a command shell on port 31337, using tcp. See: http://www.us-cert.gov/current/current_activity.html (April 23, 2004)

CVE Links
CVE #	Description