On 29 Jul 2009, at 08:29, Mohacsi Janos <mohacsi@niif.hu> wrote:
On Tue, 28 Jul 2009, Iljitsch van Beijnum wrote:

Anyway the bots are preferring some exotic port numbers or port number that is usually not firewalled: 80 and 443.

If a bot wants to receive incoming traffic on those ports it would have to signal the CPE that it wants to be de-firewalled for those ports.

(Not that malware spreads by listening on those ports, listening on ports is _so_ 2003.)

Yes we are talking the same. Bots are usually dropped to compromised webservers to provide spreading points.

In a campus/managed network we default block port 80 outbound from web servers for this reason... we wouldn't want the option for the host/server to undo this.
A SOHO environment may - or may not - be different. Another example might be the classic port 25 SMTP outbound filtering.