[Snort-users] Odd packets... maybe a new Trojan?

Lance Spitzner lance at ...185...
Wed Oct 25 08:47:32 EDT 2000

Based on your packet capture,  we can be certain that these
are crafted packets and NOT random network traffic :)

The scan you see below may be an Individual looking for a backdoor
or Trojan.  Perhaps he knows of a 'black-hat' application that he
or someone else created/modified that listens on that port.  Perhaps
he is trying to find a system listening on that port.  In my opinion,
it is NOT worth trying to find out exactly what service port 9704 is.
It is FAR to easy for the badguys to modify default ports, so it really
could be anything.

If you are really curious and must know, fire up netcat on a sacrificial
ssytem listening on this port, then capture the data payload when he connects.


On Wed, 25 Oct 2000, Tom Whipp wrote:

> 	I got scanned last night, but I haven't the faintest idea what this
> signature represents... about half the hosts in my subnet got the following
> packets allegedly from an Iranian university network.
> Source/Dest port	9704
> ID			39426
> Ack			0x7A019CB1
> Given that the ID and ack are identical in all packets it doesn't look like
> a vanilla port scan, so my guess is that this represents the initial stage
> of a Trojan client/server connection... but of course that's complete
> conjecture.
> I've tried to check whitehats but can get in, I've done some general web
> searches but can't find anything and I've taken a look in the 10102k.rules
> file but it doesn't seem to have any equivalent rule.
> any thoughts?

More information about the Snort-users mailing list