Seeing a lot of scans on port 27374

Discussion in 'other firewalls' started by rowland15, Jan 7, 2004.

Thread Status:
Not open for further replies.
  1. rowland15

    rowland15 Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    2
    I looked this up and it's associated with the SubSeven backdoor. I'm seeing fifteen to twenty a day, from a wide variety of sources. Anybody know what's up? Thanks.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Hi rowland15,

    I'm assuming you are seeing these scans as blocked incoming events in your firewall log (or perhaps from a router, if you have one). Blocked incoming scans are nothing to worry about. We all get them. Just because you are seeing attempts from the Internet on a specific port associated with a trojan does not mean you are infected with that trojan.

    People who are looking for systems infected with a trojan will scan large numbers of IP addresses in hopes of finding systems that will respond, showing that they are infected. All those attempts they make against all those addresses are the very same blocked scans you are reporting.

    I just checked my Zone Alarm logs and found 27 blocked attempts on TCP port 27374 in the last 3 days, and my system is not infected with sub7.

    Can you tell us more about your setup? What firewall are you using? Do you have any other reason for concern besides seeing these alerts?
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I agree with LowWaterMark,

    In the past two days I have received 20 alerts of attempts to connect with backdoor subseven. Being new to firewalls, I am slowly making the transition from:

    NO! I AM BEING ATTACKED!

    to

    NO! WHY ARE THEY BOTHERING ME WITH THESE MEANINGLESS ALERTS?
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Good point HandsOff!

    A lot of personal software firewalls have default settings that alert you to things you really don't need to know. Many are set to pop up very scary alert windows for every single probe or scan that hits your IP address, and unfortunately in today's Internet, that is a REAL LOT.

    The things that are blocked by a firewall are harmless. So, all those alerts are really unnecessary. Now, I'm not saying that firewalls shouldn't log these events, I think they should. But they shouldn't pop up so many alert warnings. (Virtually all firewalls let you turn off alerts, but to my knowledge most are set to alert if you install them with all the default settings.)

    The transition that HandsOff is talking about happens to most people in time. They start off really concerned about every blocked packet, but in time end up ticked off about the firewall wasting their time by being so chatty.
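
Added example, not part of the original thread and not any firewall vendor's code: a small triage script that separates the blocked inbound probes on TCP 27374 discussed above from the entries that would actually deserve a look (an inbound connection that was allowed, or traffic leaving the local machine from port 27374). The log layout, the `triage` function and the sample lines are constructed for illustration; real firewall logs need their own parser.

```python
import re
from collections import Counter

SUBSEVEN_PORT = 27374  # TCP port the thread associates with SubSeven

# Assumed log layout (constructed for this example, not any product's format):
# date time ACTION DIRECTION PROTO src_ip:src_port -> dst_ip:dst_port
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log using documentation-only IP ranges.
SAMPLE_LOG = """\
2004-01-07 10:15:02 BLOCK IN TCP 203.0.113.5:4312 -> 192.0.2.10:27374
2004-01-07 10:47:40 BLOCK IN TCP 198.51.100.23:1187 -> 192.0.2.10:27374
2004-01-07 11:02:11 BLOCK IN TCP 203.0.113.5:4313 -> 192.0.2.10:27374
2004-01-07 11:30:00 ALLOW OUT TCP 192.0.2.10:1045 -> 198.51.100.80:80
2004-01-07 12:00:00 BLOCK IN UDP 203.0.113.77:1026 -> 192.0.2.10:137
not a log line
"""

def triage(log_text, port=SUBSEVEN_PORT):
    """Split traffic on `port` into blocked probes (noise) and entries to review."""
    blocked_by_source = Counter()
    suspicious = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue  # skip malformed lines and other protocols
        inbound_to_port = m["dir"] == "IN" and int(m["dport"]) == port
        outbound_from_port = m["dir"] == "OUT" and int(m["sport"]) == port
        if inbound_to_port and m["action"] == "BLOCK":
            blocked_by_source[m["src"]] += 1   # dropped scan, nothing reached the host
        elif inbound_to_port and m["action"] == "ALLOW":
            suspicious.append(line)            # a connection to the port was let through
        elif outbound_from_port:
            suspicious.append(line)            # something local is talking from that port
    return blocked_by_source, suspicious

if __name__ == "__main__":
    blocked, suspicious = triage(SAMPLE_LOG)
    print(f"blocked probes: {sum(blocked.values())} from {len(blocked)} sources")
    for entry in suspicious:
        print("REVIEW:", entry)
```

An empty review list with a non-zero blocked count is the situation described in the replies above: probes arrived and were dropped.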
     