[Snort-users] FW: SNORT: snort.alert.2000.11.24.03.00
jan at ...206...
Fri Nov 24 10:50:48 EST 2000
> Anyone have ANY idea about what these guys were looking for? 109 appears to
> be POP2, but are there really any hosts out there still running it? And why
> the need for both the source and the destination port 109? Also, notice how
> the Seq and Ack numbers are paired...
Although Lance Spitzner is the No. 1 "Guess What Tool" guy, I'd
guess it's synscan by psychoid:
A guy called Joe Stewart has found out the "mystery tool No.11"
is probably this little thing-o.
Some remarks are:
source port == dest port
ID appears to be always 39426
Win size always 404 hex (I really wonder whether that's supposed
to be a joke...)
I've seen a couple of those from 21 to 21 and found out the boxes
the scans came from were cracked using the (guess what) oh so
31337 wuftpd exploit.
I haven't verified the pattern yet, since synscan appears to only
compile under Linux so far, which I don't really fancy ;o))
Someone with a bit more time and quicker C skills could just port
it for kicks.
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
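
The three traits listed in the message above (source port equal to destination port, IP ID 39426, window size 0x404), checked against raw IPv4/TCP headers. This is an added example, not part of the original post and not code from synscan or Snort; the function names and the sample packets are constructed for illustration.

```python
import struct

# Traits quoted in the post: src port == dst port, IP ID 39426, window 0x404.
SYNSCAN_IP_ID = 39426
SYNSCAN_WINDOW = 0x0404


def parse_ipv4_tcp(pkt: bytes):
    """Return the fields of interest from a raw IPv4+TCP packet, or None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _len, ip_id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4  # IP header length; options shift the TCP header
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(pkt) < ihl + 20:
        return None  # not IPv4/TCP, or truncated capture
    sport, dport, _seq, _ack, _off, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ip_id": ip_id, "sport": sport, "dport": dport, "window": window}


def synscan_traits(pkt: bytes):
    """Names of the post's three traits that this packet exhibits."""
    f = parse_ipv4_tcp(pkt)
    if f is None:
        return []
    checks = (("same_port", f["sport"] == f["dport"]),
              ("ip_id", f["ip_id"] == SYNSCAN_IP_ID),
              ("window", f["window"] == SYNSCAN_WINDOW))
    return [name for name, hit in checks if hit]


def build_packet(ip_id, sport, dport, window, options=b""):
    """Constructed sample: minimal IPv4+TCP SYN, checksums left at zero."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, ip_id, 0, 64,
                     6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + options + tcp


# Constructed packets (documentation addresses, not captured traffic).
SCAN_109 = build_packet(39426, 109, 109, 0x0404)
SCAN_21_OPTS = build_packet(39426, 21, 21, 0x0404, options=b"\x01\x01\x01\x01")
ORDINARY = build_packet(12345, 51514, 110, 8192)

if __name__ == "__main__":
    for name, pkt in (("109->109", SCAN_109), ("21->21", SCAN_21_OPTS), ("client", ORDINARY)):
        print(name, synscan_traits(pkt))
```

Returning the matched trait names rather than a single boolean keeps partial matches visible, which helps when deciding how many of the traits to require before alerting.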