User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » Bla Trojan Horse blocked Page [1]  
aaronburro
Sup, B
53065 Posts
user info
edit post

I got this block notice twice today on the campus network and I'm wonderin if anyone else has gotten it. I got it first in talley and then outside of DH Hill. Both times I got it immediately upon logging onto nomads. Here's the info:

Quote :
"Message: Default Block Bla Trojan horse
Date: 8/18/2005
Time: 02:03 PM
Direction: Inbound
Local Address: 127.0.0.1
Local Port: 1042
Remote Address: 152.7.232.44
Remote Port: 1042
Protocol: UDP"


I'm not worried about it myself, because I know its getting blocked, but I'm wondering if ITD or whoever knows about this or if I should let them know or whatnot. Also, I guess it serves as a "HEY, BLOCK THAT SHIT!" message, too

8/18/2005 10:16:51 PM

scud
All American
10804 Posts
user info
edit post

not a real trojan

BLA is real old and basically eradicated. It just happens that Windows uses a shitton of ports just above 1024 that *should* be used for registered RFC services. Basically false-positive son.

8/18/2005 10:23:24 PM

aaronburro
Sup, B
53065 Posts
user info
edit post

so wtf is M$ doing using a known trojan port then? I mean, why don't you just let the hackers code windows themselves and save them the fucking trouble?

8/18/2005 10:29:52 PM

Pi Master
All American
18151 Posts
user info
edit post

Quote :
"so wtf is M$ doing using a known trojan port then?"


I don't remember seeing the RFC for a trojan port.

8/18/2005 10:40:21 PM

scud
All American
10804 Posts
user info
edit post

well it could be MyDoom but I doubt it...

Since you said that it happened immediately upon login unto NOMAD and the fact that ip is a NOMAD server lend heavily to the fact that it's part of the authentication process.
ece% nslookup 152.7.232.44
Server: ns5.ncsu.edu
Address: 152.1.1.248

Name: nom3775it.nomadic.ncsu.edu
Address: 152.7.232.44


Windows uses a lot of ports around 1024~1048 or so as dynamic (non-IANA registered) ports for internal windows services including a lot of SMB/NetBIOS/Browser type communications. Winlogon.exe listens on 1043/.


It's not like Windows CHOSE to use a trojan port....I mean which came first bright fella? Windows or the trojan. Basically the trojan writers chose a port that is in a range commonly used in an attempt to hide it, if they had picked 31337 or 65535, some halfwitted admin may notice it much quicker than if it uses a port that is within a heavily used range.

8/18/2005 10:42:41 PM

split
All American
834 Posts
user info
edit post

there are plenty of trojans that listen on common ports like 80, 8080, 21, etc. That doesn't mean that legitimate services that have always used those ports should move to another port.

8/18/2005 10:47:38 PM

aaronburro
Sup, B
53065 Posts
user info
edit post

Quote :
"there are plenty of trojans that listen on common ports like 80, 8080, 21, etc. That doesn't mean that legitimate services that have always used those ports should move to another port."

is 1042 a common port like port 80 itself? Seems to me that if you've got a not so widely distributed app that relies on a port and someone uses that port for a trojan you should change the port you use...

what university app was likely trying to use that port, then? why would NAV report it as a trojan if it were simply a legit app trying to use that port? does NAV just watch that port like a hawk by default, or what?

8/19/2005 8:07:21 AM

Incognegro
Suspended
4172 Posts
user info
edit post

31337 is the best Trojan port evar

8/19/2005 8:19:33 AM

split
All American
834 Posts
user info
edit post

Quote :
"is 1042 a common port like port 80 itself? Seems to me that if you've got a not so widely distributed app that relies on a port and someone uses that port for a trojan you should change the port you use...

what university app was likely trying to use that port, then? why would NAV report it as a trojan if it were simply a legit app trying to use that port? does NAV just watch that port like a hawk by default, or what?"


port-based signatures (like this BLA trojan one) just suck. It is a fact of life. NAV sees a probe on that port, it looks through its list of known trojan ports, matches it, and fires an alert.

If a company goes through the motions to officially register their port with IANA, then some jackass decides to use it for a trojan that has infected 20 machines on the Internet, why the hell should the company abandon that port, change their code/firmware/etc, push out patches, notify customers, register another port with IANA, etc.? I don't think so.

Nomad is likely utilizing Fortress products that are using 1042/udp for the authentication/access control to sign on.

It is normal, ignore it.

8/19/2005 12:53:37 PM

 Message Boards » Tech Talk » Bla Trojan Horse blocked Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.