[Snort-users] Odd packets... maybe a new Trojan?

Joe Matusiewicz joem at ...692...
Wed Oct 25 09:00:05 EDT 2000


At 05:06 AM 10/25/00, Tom Whipp wrote:
>Hi all,
>
>         I got scanned last night, but I haven't the faintest idea what this
>signature represents... about half the hosts in my subnet got the following
>packets allegedly from an Iranian university network.
>
>Source/Dest port        9704
>ID                      39426
>Ack                     0x7A019CB1
>
>Given that the ID and ack are identical in all packets it doesn't look like
>a vanilla port scan, so my guess is that this represents the initial stage
>of a Trojan client/server connection... but of course that's complete
>conjecture.
>
>I've tried to check whitehats but can't get in, I've done some general web
>searches but can't find anything and I've taken a look in the 10102k.rules
>file but it doesn't seem to have any equivalent rule.
>
>any thoughts?
>
>         Tom
>
>PS:
>
>Here is an extract from my logs... not sure if it will tell you anything
>more than above but it seems worth a shot.
>
>[**] SCAN-SYN FIN [**]
>10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
>TCP TTL:21 TOS:0x0 ID:39426
>**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I've seen four of these about two weeks ago.  It seems to be the port used 
for a backdoor installed by an rpc.statd exploit, the name of which escapes 
me right now.  Someone is looking for hosts that respond on this odd 
port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort 
rules because you can bet the mortgage that if SYN/FIN packets are coming 
your way, someone is up to no good.

-- Joe
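Added example, not part of the thread: a small Python script that parses Snort alert records in the layout Tom posted and pulls out the two things the replies point at, the SYN/FIN flag combination and one source hitting many hosts with an unchanging IP ID and Ack. The sample log is constructed; only the first record is Tom's (with the target address replaced by a documentation address), and the regular expressions and function names are my own, not Snort's.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.x full-alert layout shown in the post.
# The first record is the one Tom posted (target address replaced with a
# documentation address); the other three are made up: two more SYN/FIN
# probes from the same source against other hosts in the subnet, and one
# ordinary SYN from an unrelated address for contrast.
SAMPLE_LOG = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> 192.0.2.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
10/24-18:40:33.360122 213.29.27.30:9704 -> 192.0.2.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x5C1D77A0   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
10/24-18:40:33.371905 213.29.27.30:9704 -> 192.0.2.3:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x0B33F1E9   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] constructed: ordinary SYN for contrast [**]
10/24-18:41:02.004410 198.51.100.7:4021 -> 192.0.2.1:9704
TCP TTL:64 TOS:0x0 ID:4411
******S* Seq: 0x1F2E3D4C   Ack: 0x0   Win: 0x4000
"""

# One regex per line of a record; the record separator is the =+=+ line.
HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)")
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack: 0x(?P<ack>[0-9A-Fa-f]+)\s+Win: 0x(?P<win>[0-9A-Fa-f]+)"
)
SEP_RE = re.compile(r"^=\+=.*$", re.M)


def parse_alerts(text):
    """Turn alert text into one dict per record; incomplete records are dropped."""
    records = []
    for block in SEP_RE.split(text):
        rec = {}
        for line in block.strip().splitlines():
            for rx in (HEADER_RE, PKT_RE, IP_RE, TCP_RE):
                m = rx.match(line)
                if m:
                    rec.update(m.groupdict())
                    break
        if all(k in rec for k in ("msg", "src", "dst", "flags", "ipid", "ack")):
            for k in ("sport", "dport", "ttl", "ipid"):
                rec[k] = int(rec[k])
            for k in ("seq", "ack", "win"):
                rec[k] = int(rec[k], 16)
            records.append(rec)
    return records


def is_syn_fin(flags):
    """SYN and FIN set together never occur in a legitimate TCP exchange.
    The order of Snort's flag column differs between versions, so test for
    the letters rather than for fixed positions."""
    return "S" in flags and "F" in flags


def summarize_syn_fin(records):
    """Group SYN/FIN packets by source and report the scan-tool tells Tom
    noticed: one source hitting many hosts with a constant IP ID and Ack,
    and the source port equal to the destination port on every packet."""
    by_src = defaultdict(list)
    for r in records:
        if is_syn_fin(r["flags"]):
            by_src[r["src"]].append(r)
    summary = {}
    for src, pkts in by_src.items():
        summary[src] = {
            "packets": len(pkts),
            "targets": len({p["dst"] for p in pkts}),
            "constant_ip_id": len({p["ipid"] for p in pkts}) == 1,
            "constant_ack": len({p["ack"] for p in pkts}) == 1,
            "src_port_equals_dst_port": all(p["sport"] == p["dport"] for p in pkts),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_syn_fin(parse_alerts(SAMPLE_LOG)).items():
        print(src, info)
```

Run it as-is and the only source reported is 213.29.27.30, with three targets, a constant IP ID and Ack and matching source/destination ports; the ordinary SYN from 198.51.100.7 is not reported. Feeding it a real alert file only needs the target addresses to be numeric (the xxx.xxx.xxx.1 masking in the post would not match PKT_RE).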



