See: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.svcs
NetController 123/tcp #[trojan] Net Controller
NetController 123/tcp #[trojan] Net Controller
ntp 123/tcp #Network Time Protocol
ntp 123/udp #Network Time Protocol

The obvious is ntp, which I use myself to synchronize system times on four Linux boxes; see: http://www.eecis.udel.edu/~mills/ntp.htm
To quote:
"The Network Time Protocol (NTP) is widely used in the Internet to synchronize computer clocks to national standard time. The NTP architecture, protocol and algorithms have evolved well over two decades to the NTP Version 3 specification and implementations for Unix, VMS and Windows, as well as the NTP Version 4 implementation now being deployed. The architecture and security models provide for operation in point-to-point (unicast) and point-to-multipoint (multicast) modes, and include provisions for secure authentication using both symmetric key and public key cryptography."
Name: Net Controller
Aliases:
Ports: 123, 6969 (ports can be changed)
Files:
  Netcontroller.zip - 614,439 bytes
  Netcontroller2000.zip - 719,774 bytes
  Netctrlr.exe - 314,368 bytes
  Netctrlr.exe - 374,272 bytes
  Netsrvr.exe - 306,688 bytes
  Netsrvr.exe - 351,232 bytes
  System.exe -
  Config.ini - 4,087 bytes
  Config.ini - 3,633 bytes
Created: July 1999
Requires:
Actions: Remote Access / Keylogger / FTP server
The client is similar to the older versions of NetBus.
Versions: 1.08, 2000,
Registers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run\
Notes: Works on Windows 95, 98, ME and NT.
Country: written in Brazil
So here's what I saw, trying to connect to *me*
snort2html.plx

Mar 12 20:04:08 - snort [1:0:0] TCP to 123 ntp
Source IP: 211.184.140.152
Source port: 2310
Source host: 211.184.140.152
Target IP: 12.82.141.8
Target port: 123
Proto: TCP
Target host: 8.seattle-15-20rs.wa.dial-access.att.net

snort packet capture:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/12-20:04:08.441571 211.184.140.152:2310 -> 12.82.141.8:123
TCP TTL:42 TOS:0x0 ID:54713 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFE8C9E93 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 78715899 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

TTL decrement from 64 = Linux, OpenBSD, AIX
Win size = 0x7d78 = Linux
TCP options = 5 = MSS, Timestamps, SAckOK, wscale, 1 nop = Linux
SYN packet length = 60 = Linux
Whois they?
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 211.184.140.152
connecting to whois.arin.net [192.149.252.22:43] ...
connecting to WHOIS.APNIC.NET [202.12.29.13:43] ...

% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)

inetnum: 211.172.0.0 - 211.199.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************

# ENGLISH

IP Address : 211.184.140.128-211.184.140.191
Network Name : BOSUNG-GMS
Connect ISP Name : PUBNET
Connect Date : 20001115
Registration Date : 20001127

[ Organization Information ]
Orgnization ID : ORG148929
Org Name : BOSUNG GIRL MIDDLE SCHOOL
State : CHONNAM
Address : 295-3 USANRI BOSEONGEUB BOSEONGKUN
Zip Code : 546-800

[ Admin Contact Information]
Name : Jungsool Jung
Org Name : BOSUNG GIRL MIDDLE SCHOOL
State : CHONNAM
Address : 295-3 USANRI BOSEONGEUB BOSEONGKUN
Zip Code : 546-800
Phone : +82-61-751-0073
Fax : +82-61-751-0073
E-Mail : jeonnam3@soback.kornet.net

[ Technical Contact Information ]
Name : Jungsool Jung
Org Name : BOSUNG GIRL MIDDLE SCHOOL
State : CHONNAM
Address : 295-3 USANRI BOSEONGEUB BOSEONGKUN
Zip Code : 546-800
Phone : +82-61-751-0073
Fax : +82-61-751-0073
E-Mail : jeonnam3@soback.kornet.net
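
Added example, not part of the original post: the four passive-fingerprint observations made under the Snort capture above (TTL, window size, TCP options, SYN length), expressed as a repeatable check over a Snort packet dump. The function names, the list of common initial TTLs and the TCP-only parsing are assumptions of this sketch; the heuristics are the post's own four lines, not a full fingerprint database.

```python
import re

# Packet dump copied from the Snort capture quoted in the post.
CAPTURE = """\
03/12-20:04:08.441571 211.184.140.152:2310 -> 12.82.141.8:123
TCP TTL:42 TOS:0x0 ID:54713 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFE8C9E93 Ack: 0x0 Win: 0x7D78 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 78715899 0 NOP WS: 0
"""
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumed set of usual OS defaults


def parse_dump(dump):
    """Extract the header fields the post reasons about (TCP dumps only)."""
    def field(pattern):
        return re.search(pattern, dump, re.M).group(1)
    opts = dump.split("=>", 1)[1] if "=>" in dump else ""
    return {
        "proto": field(r"^(\w+) TTL:"),
        "dport": int(field(r"-> [\d.]+:(\d+)")),
        "ttl": int(field(r"TTL:(\d+)")),
        "dgmlen": int(field(r"DgmLen:(\d+)")),
        "flags": field(r"^([*\w]{8}) Seq:"),
        "win": int(field(r"Win: (0x[0-9A-Fa-f]+)"), 16),
        "options": re.findall(r"\b(MSS|SackOK|TS|NOP|WS)\b", opts),
    }


def initial_ttl(observed):
    """Smallest common starting TTL that could have decayed to `observed`."""
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed)


def linux_syn_checks(pkt):
    """The four observations from the post, one boolean each."""
    return {
        "ttl_from_64": initial_ttl(pkt["ttl"]) == 64,
        "win_0x7d78": pkt["win"] == 0x7D78,
        "opts_mss_ts_sack_ws_1nop": sorted(pkt["options"])
        == ["MSS", "NOP", "SackOK", "TS", "WS"],
        "syn_len_60": pkt["dgmlen"] == 60,
    }


def is_bare_tcp_syn_to_123(pkt):
    # NTP time exchange runs over UDP, so this is not ordinary time sync.
    return (pkt["proto"], pkt["dport"], pkt["flags"]) == ("TCP", 123, "******S*")


if __name__ == "__main__":
    pkt = parse_dump(CAPTURE)
    print("hops:", initial_ttl(pkt["ttl"]) - pkt["ttl"])
    print(linux_syn_checks(pkt), is_bare_tcp_syn_to_123(pkt))
```

Each check is reported separately because any single field can be rewritten by the sender or by a device in the path; agreement across all four is what supports the Linux guess.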