[Snort-users] FW: SNORT: snort.alert.2000.11.24.03.00

Jan Muenther jan at ...206...
Fri Nov 24 10:50:48 EST 2000


Hello there,

> Anyone have ANY idea about what these guys were looking for?  109 appears to
> be POP2, but are there really any hosts out there still running it?  And why
> the need for both the source and the destination port 109?  Also, notice how
> the Seq and Ack numbers are paired...

Although Lance Spitzner is the No. 1 "Guess What Tool" guy, I'd
guess it's synscan by psychoid:

http://www.psychoid.lam3rz.de/synscan.html

A guy called Joe Stewart has found out the "mystery tool No.11"
is probably this little thing-o.
Some remarks are:

source port == dest port
ID appears to be always 39426
always SYN-FIN
Win size always 404 hex (I really wonder whether that's supposed
to be a joke...)

I've seen a couple of those from 21 to 21 and found out the boxes
the scans came from were cracked using the (guess what) oh so
31337 wuftpd exploit. 

I haven't verified the pattern yet, since synscan appears to only
compile under Linux so far, which I don't really fancy ;o))
Someone with a bit more time and quicker C skills could just port
it for kicks.

Cheers, Jan
-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
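The traits listed in the post (SYN-FIN, source port equal to destination port, IP ID 39426, window 0x404, plus the paired seq/ack numbers the quoted report noticed) can be checked mechanically against captured packets. Below is an added example, not code from the thread or from synscan, that parses a raw IPv4/TCP header with the standard library and reports which of those traits match; the sample packets are constructed inline, and the match list is what a defender would feed into an alert or a triage note.

```python
import struct
from typing import NamedTuple

SYNSCAN_IP_ID = 39426     # IP identification value reported on the list
SYNSCAN_WINDOW = 0x0404   # TCP window size reported on the list
TH_FIN, TH_SYN = 0x01, 0x02

class Packet(NamedTuple):
    ip_id: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int

def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Pull the fingerprint-relevant fields out of a raw IPv4 datagram carrying TCP."""
    ihl = (raw[0] & 0x0F) * 4              # header length in bytes (IHL is in 32-bit words)
    ip_id = struct.unpack("!H", raw[4:6])[0]
    if raw[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = raw[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return Packet(ip_id, sport, dport, seq, ack, off_flags & 0x01FF, window)

def synscan_traits(p: Packet) -> list[str]:
    """Return the names of the reported synscan traits this packet exhibits."""
    hits = []
    if p.flags & (TH_SYN | TH_FIN) == (TH_SYN | TH_FIN):
        hits.append("syn-fin")
    if p.sport == p.dport:
        hits.append("sport==dport")
    if p.ip_id == SYNSCAN_IP_ID:
        hits.append("ipid-39426")
    if p.window == SYNSCAN_WINDOW:
        hits.append("win-0x404")
    if p.seq == p.ack:
        hits.append("seq==ack")
    return hits

def is_synscan(p: Packet) -> bool:
    """All five traits together is the pattern the thread describes; fewer is just a lead."""
    return len(synscan_traits(p)) == 5

def build_packet(ip_id: int, sport: int, dport: int, seq: int, ack: int, flags: int, window: int) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header plus 20-byte TCP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    return ip + tcp
```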