Message Boards » Tech Talk » Bla Trojan Horse blocked
aaronburro

I got this block notice twice today on the campus network and I'm wondering if anyone else has gotten it. I got it first in Talley and then outside of DH Hill. Both times I got it immediately upon logging onto nomads. Here's the info:

Quote :
"Message: Default Block Bla Trojan horse
Date: 8/18/2005
Time: 02:03 PM
Direction: Inbound
Local Address: 127.0.0.1
Local Port: 1042
Remote Address: 152.7.232.44
Remote Port: 1042
Protocol: UDP"


I'm not worried about it myself, because I know it's getting blocked, but I'm wondering if ITD or whoever knows about this, or if I should let them know or whatnot. Also, I guess it serves as a "HEY, BLOCK THAT SHIT!" message, too.

8/18/2005 10:16:51 PM

scud

not a real trojan

BLA is real old and basically eradicated. It just happens that Windows uses a shitton of ports just above 1024 that *should* be used for registered RFC services. Basically a false positive, son.

8/18/2005 10:23:24 PM

aaronburro

So wtf is M$ doing using a known trojan port, then? I mean, why don't you just let the hackers code Windows themselves and save them the fucking trouble?

8/18/2005 10:29:52 PM

Pi Master

Quote :
"So wtf is M$ doing using a known trojan port, then?"


I don't remember seeing the RFC for a trojan port.

8/18/2005 10:40:21 PM

scud

Well, it could be MyDoom, but I doubt it...

The fact that you said it happened immediately upon login to NOMAD, plus the fact that the IP is a NOMAD server, lends heavily to the conclusion that it's part of the authentication process.
ece% nslookup 152.7.232.44
Server: ns5.ncsu.edu
Address: 152.1.1.248

Name: nom3775it.nomadic.ncsu.edu
Address: 152.7.232.44


Windows uses a lot of ports around 1024~1048 or so as dynamic (non-IANA-registered) ports for internal Windows services, including a lot of SMB/NetBIOS/Browser type communications. Winlogon.exe listens on 1043.


It's not like Windows CHOSE to use a trojan port.... I mean, which came first, bright fella? Windows or the trojan? Basically the trojan writers chose a port that is in a commonly used range in an attempt to hide it; if they had picked 31337 or 65535, some halfwitted admin might notice it much quicker than if it uses a port that is within a heavily used range.

8/18/2005 10:42:41 PM

split

There are plenty of trojans that listen on common ports like 80, 8080, 21, etc. That doesn't mean that legitimate services that have always used those ports should move to another port.

8/18/2005 10:47:38 PM

aaronburro

Quote :
"There are plenty of trojans that listen on common ports like 80, 8080, 21, etc. That doesn't mean that legitimate services that have always used those ports should move to another port."

Is 1042 a common port like port 80 itself? Seems to me that if you've got a not-so-widely-distributed app that relies on a port and someone uses that port for a trojan, you should change the port you use...

What university app was likely trying to use that port, then? Why would NAV report it as a trojan if it were simply a legit app trying to use that port? Does NAV just watch that port like a hawk by default, or what?

8/19/2005 8:07:21 AM

Incognegro

31337 is the best Trojan port evar

8/19/2005 8:19:33 AM

split

Quote :
"Is 1042 a common port like port 80 itself? Seems to me that if you've got a not-so-widely-distributed app that relies on a port and someone uses that port for a trojan, you should change the port you use...

What university app was likely trying to use that port, then? Why would NAV report it as a trojan if it were simply a legit app trying to use that port? Does NAV just watch that port like a hawk by default, or what?"


Port-based signatures (like this BLA trojan one) just suck. It is a fact of life. NAV sees a probe on that port, looks through its list of known trojan ports, matches it, and fires an alert.

If a company goes through the motions to officially register their port with IANA, and then some jackass decides to use it for a trojan that has infected 20 machines on the Internet, why the hell should the company abandon that port, change their code/firmware/etc., push out patches, notify customers, register another port with IANA, etc.? I don't think so.

Nomad is likely utilizing Fortress products that use 1042/udp for the authentication/access control to sign on.

It is normal, ignore it.

8/19/2005 12:53:37 PM
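An added example (not code from anyone in this thread) of what a port-only signature like the one NAV fired actually does, and of the context checks that separate the false positive scud and split describe from a hit worth chasing. The alert text is the one quoted in the first post and the PTR entry is copied from scud's nslookup output; the signature table, the Windows dynamic-port range, the "trusted network" list and all function names are assumptions for illustration, and the Back Orifice entry and the second test flow are made up to show the "investigate" path.

```python
"""Port-based trojan signature matching, plus the context checks that turn a
bare port hit into a verdict.  Added example; not code from anyone in the
thread.  The signature table, dynamic-port range, trusted networks and PTR
table below are assumptions for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed signature table: (port, protocol) -> name.  1042/udp is the entry the
# thread's alert matched; the 31337 entry is an illustrative placeholder.
PORT_SIGNATURES: Dict[Tuple[int, str], str] = {
    (1042, "udp"): "Bla Trojan horse",
    (31337, "tcp"): "Back Orifice",
}

# Assumption: default dynamic client-port range on Windows 2000/XP (1025-5000).
EPHEMERAL_RANGE = range(1025, 5001)

# Constructed inventory: the campus wireless net the remote host belongs to, and
# the PTR record from the nslookup output posted in the thread.
TRUSTED_NETS = [ipaddress.ip_network("152.7.0.0/16")]
KNOWN_PTR: Dict[str, str] = {"152.7.232.44": "nom3775it.nomadic.ncsu.edu"}

# Constructed from the alert quoted in the first post.
SAMPLE_ALERT = """\
Message: Default Block Bla Trojan horse
Date: 8/18/2005
Time: 02:03 PM
Direction: Inbound
Local Address: 127.0.0.1
Local Port: 1042
Remote Address: 152.7.232.44
Remote Port: 1042
Protocol: UDP
"""


@dataclass(frozen=True)
class Flow:
    direction: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    protocol: str


_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+):\s*(?P<val>.+?)\s*$")


def parse_alert(text: str) -> Flow:
    """Parse a 'Key: value' personal-firewall alert block into a Flow."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip().lower()] = m.group("val")
    return Flow(
        direction=fields["direction"].lower(),
        local_addr=str(ipaddress.ip_address(fields["local address"])),
        local_port=int(fields["local port"]),
        remote_addr=str(ipaddress.ip_address(fields["remote address"])),
        remote_port=int(fields["remote port"]),
        protocol=fields["protocol"].lower(),
    )


def naive_signature_match(flow: Flow) -> Optional[str]:
    """What a port-only signature does: match port and protocol, nothing else."""
    return (PORT_SIGNATURES.get((flow.local_port, flow.protocol))
            or PORT_SIGNATURES.get((flow.remote_port, flow.protocol)))


def assess(flow: Flow) -> dict:
    """Re-check a port hit against the context a port-only rule ignores."""
    name = naive_signature_match(flow)
    if name is None:
        return {"signature": None, "verdict": "no-match", "reasons": []}
    reasons: List[str] = []
    if flow.local_port in EPHEMERAL_RANGE:
        reasons.append("local port is in the Windows dynamic range, so this "
                       "is a client socket, not a backdoor listener")
    remote = ipaddress.ip_address(flow.remote_addr)
    if any(remote in net for net in TRUSTED_NETS):
        reasons.append("remote address is inside a known campus network")
    if flow.remote_addr in KNOWN_PTR:
        reasons.append("remote resolves to inventoried host "
                       + KNOWN_PTR[flow.remote_addr])
    verdict = "likely-false-positive" if len(reasons) >= 2 else "investigate"
    return {"signature": name, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = assess(parse_alert(SAMPLE_ALERT))
    print(result["signature"], "->", result["verdict"])
    for reason in result["reasons"]:
        print("  -", reason)
```

Run it as-is and the thread's alert comes back as "likely-false-positive" for all three reasons; feed it an inbound TCP hit on 31337 from an address that is not in the inventory and the same port match comes back as "investigate", which is the distinction a bare port list cannot make.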

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.