TCP trojan horse probe
advICE :Intrusions : 2003101

Summary

A hacker may be scanning your system to see if a particular Trojan Horse program is installed on your system. This scan is likely nothing to be worried about.

Details

This is one the most common scans that home users will see directed against their systems. The traditional hacker technique is to post Trojan Horse programs on the Internet in newsgroups, on websites, or within e-mail spam. The hackers then run 'bots (robots) that scan huge portions of the Internet in order to see who has been infected with their programs.

Since any individual scanner is probing millions of potential victims, the likelihood is that the average user will get scanned every so often. However, most hackers want to compromise machines with fast, 24-hour connections like cable modems and DSL. Therefore, they target well-known address ranges, like 24.x.x.x, that support these high speed connections.

The most common TCP-based trojan horses detected by the intrusion-detection engine are listed below.
, ,

TCP port	Trojan horse name
555	Phase Zero
1243	Sub 7
6969	GateCrasher
12345	Netbus (default port)
21544	GirlFriend
23456	EvilFtp
30100	NetSphere
54320	Back Orifice 2000 (default port)

False Positives

This will sometimes trigger when a hacker is scanning random ports on a machine. In this case, it is still probably a hostile act, but not necessarily against the specific Trojan Horse.

parametric information port The TCP port being probed trojan The name of the Trojan Horse program

 
Version appeared: 1.8.5.5