[Snort-users] Fw: TCP Port 9704 Scans

DmuZ DmuZ at ...324...
Wed Nov 29 14:09:37 EST 2000


FYI.. an advisory I sent to incidents at ...884... about this activity.

DmuZ

----- Original Message -----
From: DmuZ <DmuZ at ...885...>
To: <INCIDENTS at ...220...>
Sent: Thursday, October 26, 2000 1:12 PM
Subject: TCP Port 9704 Scans


| Hello all,
|
| I gathered much of the following information from a number of users on the
| Snort mailing list (www.snort.org).
|
| We came to realize that there have been massive port scans from a number of
| IPs (one user reported over 30,000 connects to his network) attempting to
| connect to port 9704. This seems to be an attempt to locate backdoors
| installed via the recent rpc.statd exploit
| (http://www.cert.org/advisories/CA-2000-17.html), which by default adds a
| root shell to this port.
|
|
| Here is a paste of packet info from Snort:
|
| [**] SCAN-SYN FIN [**]
| 10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
| TCP TTL:24 TOS:0x0 ID:39426
| ******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404
|
| There are also many incidents of this reported at
| http://www.sans.org/giac.htm
|
|
| DmuZ
| ----------------------------------------------------------------
| perl -e '$_=q/bill at ...886...$oft.com/; \
| s/bill/dmuz/;s/micro/angry/; \
| s/\$oft/packet/;print $_."\n"'
| ----------------------------------------------------------------
|
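
A defender-side check for the pattern described in the message above, as an added example that is not part of the original post: it parses Snort alert text in the layout quoted there and counts, per source, packets with both SYN and FIN set that target port 9704. The function names are hypothetical, and every sample alert except the first (copied from the post) is constructed.

```python
import re
from collections import Counter

BACKDOOR_PORT = 9704  # port named in the post
# Address line: "MM/DD-HH:MM:SS.usec src:sport-> dst:dport"
ADDR_RE = re.compile(r"^\S+\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$")
# TCP line: 8 flag characters ('*' = unset) followed by "Seq:"
FLAGS_RE = re.compile(r"^([*\w]{8})\s+Seq:")

# First alert is the one quoted in the post; the others are constructed
# and use documentation addresses as destinations.
SAMPLE = """\
[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] SCAN-SYN FIN [**]
10/23-04:54:47.120001 216.78.161.105:9704-> 192.0.2.11:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] Constructed benign alert [**]
10/23-05:01:02.000001 198.51.100.7:1044-> 192.0.2.11:80
TCP TTL:61 TOS:0x0 ID:1201
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x7D78
"""

def parse_alerts(text):
    """Yield (src, sport, dst, dport, flags) for each TCP alert in the text."""
    for block in re.split(r"\n\s*\n", text.strip()):
        addr = flags = None
        for line in block.splitlines():
            addr = addr or ADDR_RE.match(line)
            flags = flags or FLAGS_RE.match(line)
        if addr and flags:
            src, sport, dst, dport = addr.groups()
            yield src, int(sport), dst, int(dport), flags.group(1)

def backdoor_probes(text, port=BACKDOOR_PORT):
    """Count SYN+FIN packets aimed at `port`, per source address."""
    hits = Counter()
    for src, _sport, _dst, dport, flags in parse_alerts(text):
        if dport == port and "S" in flags and "F" in flags:
            hits[src] += 1
    return hits

if __name__ == "__main__":
    print(backdoor_probes(SAMPLE).most_common())
```

Matching on the flag pair rather than on the alert title keeps the count correct if the rule that raised the alert is renamed.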




