[Snort-users] Odd packets... maybe a new Trojan?
joem at ...692...
Wed Oct 25 09:00:05 EDT 2000
At 05:06 AM 10/25/00, Tom Whipp wrote:
> I got scanned last night, but I haven't the faintest idea what this
> signature represents... about half the hosts in my subnet got the following
> packets allegedly from an Iranian university network.
> Source/Dest port 9704
> Given that the ID and ack are identical in all packets it doesn't look like
> a vanilla port scan, so my guess is that this represents the initial stage
> of a Trojan client/server connection... but of course that's complete
> I've tried to check whitehats but can get in, I've done some general web
> searches but can't find anything and I've taken a look in the 10102k.rules
> file but it doesn't seem to have any equivalent rule.
> Here is an extract from my logs... not sure if it will tell you anything
> more than above but it seems worth a shot.
> [**] SCAN-SYN FIN [**]
> 10/24-18:40:33.351849 18.104.22.168:9704 -> xxx.xxx.xxx.1:9704
> TCP TTL:21 TOS:0x0 ID:39426
> **SF**** Seq: 0x263B3402 Ack: 0x7A019CB1 Win: 0x404
I've seen four of these about two weeks ago. It seems to be the port used
for a backdoor installed by an rpc.statd exploit, the name of which escapes
me right now. Someone is looking for hosts that respond on this odd
port. Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
rules because you can bet the mortgage that if SYN/FIN packets are coming
your way, someone is up to no good.
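A small detector for the two observations in this thread, added here as an example that is not from the original posts or from Snort itself: it parses alert records in the text-log layout quoted above, flags packets carrying SYN and FIN together, and groups packets by source, IP ID and ack number so that one fixed (ID, ack) pair hitting many destination hosts stands out as a replayed packet template rather than kernel-generated traffic. The log text is constructed sample input (source, port, ID, seq and ack are the values from the thread; the 10.0.0.x destinations are made up).

```python
import re
from collections import defaultdict

# Constructed sample: three alert records in the Snort 1.x text-log layout quoted above.
SAMPLE_LOG = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 18.104.22.168:9704 -> 10.0.0.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402 Ack: 0x7A019CB1 Win: 0x404
[**] SCAN-SYN FIN [**]
10/24-18:40:33.352010 18.104.22.168:9704 -> 10.0.0.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402 Ack: 0x7A019CB1 Win: 0x404
[**] SCAN-SYN FIN [**]
10/24-18:40:33.352201 18.104.22.168:9704 -> 10.0.0.3:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402 Ack: 0x7A019CB1 Win: 0x404
"""

HDR = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')
IPL = re.compile(r'^TCP TTL:(\d+) TOS:\S+ ID:(\d+)')
TCPL = re.compile(r'^(\S{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+)$')

def parse_alerts(text):
    """Yield one dict per four-line alert record; records that do not match are skipped."""
    lines = [l for l in text.splitlines() if l.strip()]
    for i in range(0, len(lines) - 3, 4):
        h, ip, tcp = HDR.match(lines[i + 1]), IPL.match(lines[i + 2]), TCPL.match(lines[i + 3])
        if not (h and ip and tcp):
            continue
        yield {"msg": lines[i].strip("[*] "), "src": h.group(2), "sport": int(h.group(3)),
               "dst": h.group(4), "dport": int(h.group(5)), "ttl": int(ip.group(1)),
               "id": int(ip.group(2)),
               # Snort prints a letter for each set TCP flag and '*' for a clear one.
               "flags": set(tcp.group(1).replace("*", "")),
               "seq": int(tcp.group(2), 16), "ack": int(tcp.group(3), 16)}

def syn_fin_alerts(alerts):
    """SYN opens a connection and FIN closes one; no stack sets both, so this is crafted."""
    return [a for a in alerts if {"S", "F"} <= a["flags"]]

def crafted_groups(alerts, min_hosts=2):
    """Group by (src, IP ID, ack). A real stack changes the IP ID per packet and sends a
    plain SYN with ack 0, so one (ID, ack) pair reaching many hosts is a replayed template."""
    groups = defaultdict(set)
    for a in alerts:
        groups[(a["src"], a["id"], a["ack"])].add(a["dst"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}
```

Run it over a real Snort text log by passing the file contents to parse_alerts; a group whose destination list is long is the pattern Tom describes, and each member already trips the SYN/FIN check on its own.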