UDP Trojan Horse probe - Internet Security Systems

UDP Trojan Horse probe

advICE : Intrusions : 2003501
Summary

A hacker may be scanning your system to see if a particular Trojan Horse program is installed on your system. This scan is likely nothing to be worried about.

Details

This is one of the most common scans that home users will see directed against their systems. The traditional hacker technique is to post Trojan Horse programs on the Internet in newsgroups, on websites, or within e-mail spam. The hackers then run 'bots (robots) that scan huge portions of the Internet in order to see who has been infected with their programs.

Since any individual scanner is probing millions of potential victims, the likelihood is that the average user will get scanned every so often. However, most hackers want to compromise machines with fast, 24-hour connections like cable modems and DSL. Therefore, they target well-known address ranges, like 24.x.x.x, that support these high speed connections.

The most common UDP-based trojan horses detected by the intrusion-detection engine are listed below.
UDP port    Trojan horse name
2140        DeepThroat
3149        Master's Paradise
10067       Portal of Doom
31337       Back Orifice (default port)
31789       Hack'a'Tack
54321       Back Orifice 2000 (default port)

False Positives

This will sometimes trigger when a hacker is scanning random ports on a machine. In this case, it is still probably a hostile act, but not necessarily against the specific Trojan Horse.
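The distinction drawn under False Positives, as an added example that is not part of the original page or of the intrusion-detection engine it describes: it maps probed UDP ports to the names in the table above and marks alerts whose source also touched many other ports on the same host. The log format, the DROP/UNREACH verdict tokens and the sweep threshold are assumptions made for the example.

```python
from collections import defaultdict

# UDP port -> Trojan name, copied from the table on this page.
TROJAN_UDP_PORTS = {
    2140: "DeepThroat", 3149: "Master's Paradise", 10067: "Portal of Doom",
    31337: "Back Orifice (default port)", 31789: "Hack'a'Tack",
    54321: "Back Orifice 2000 (default port)",
}
# Hypothetical log verdicts mapped to the page's "reason" values.
REASONS = {"DROP": "Firewalled", "UNREACH": "ICMPsent"}
# Assumption: more than this many distinct ports from one source to one host
# is a random port sweep, not a probe for one specific Trojan.
SWEEP_THRESHOLD = 5

# Constructed sample log, format "src dst udp_port verdict" (hypothetical).
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 31337 DROP
203.0.113.9 192.0.2.10 2140 UNREACH
203.0.113.50 192.0.2.10 53 DROP
203.0.113.50 192.0.2.10 69 DROP
203.0.113.50 192.0.2.10 123 DROP
203.0.113.50 192.0.2.10 161 DROP
203.0.113.50 192.0.2.10 3149 DROP
203.0.113.50 192.0.2.10 5000 DROP
truncated line
"""

def parse(log):
    """Yield (src, dst, port, verdict) tuples, skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2].isdecimal() and int(fields[2]) < 65536:
            yield fields[0], fields[1], int(fields[2]), fields[3]

def classify(log, threshold=SWEEP_THRESHOLD):
    """Return one alert per probe of a listed Trojan port."""
    events = list(parse(log))
    ports_seen = defaultdict(set)  # (src, dst) -> distinct ports probed
    for src, dst, port, _ in events:
        ports_seen[(src, dst)].add(port)
    alerts = []
    for src, dst, port, verdict in events:
        if port in TROJAN_UDP_PORTS:
            sweep = len(ports_seen[(src, dst)]) > threshold
            alerts.append({"src": src, "dst": dst, "port": port,
                           "trojan": TROJAN_UDP_PORTS[port],
                           "reason": REASONS.get(verdict, "unknown"),
                           "likely_random_scan": sweep})
    return alerts
```
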

More information
advICE: Trojan Horse  
These pages describe Trojan Horses, including lists of common ones seen in the wild.  
advICE: RATs  
The "Remote Access Trojan (RAT)" is the most common type of trojan that gives a hacker full control over the victim's machine. This section discusses popular RATs such as NetBus, Sub 7, and Back Orifice.  

Parametric information
port        The UDP port being probed.
trojan      The name of the Trojan Horse program.
reason      The reason for the port probe.
Firewalled  The incoming UDP frame was stopped by the firewall.
ICMPsent    An ICMP unreachable port frame was sent by the destination.

 
Version appeared: 2.5 
