[Snort-users] Odd packets... maybe a new Trojan?

Martin Roesch roesch at ...421...
Wed Oct 25 11:11:13 EDT 2000


I actually got scanned for the same thing (SYN FIN) 10 days ago from a
BellSouth address.  Charming.

[From portscan.log]:
Oct 15 21:32:26 208.62.23.150:9704 -> my.home.address.foo:9704 SYNFIN **SF**** 

    -Marty

Joe Matusiewicz wrote:
> 
> At 05:06 AM 10/25/00, Tom Whipp wrote:
> >Hi all,
> >
> >         I got scanned last night, but I haven't the faintest idea what this
> >signature represents... about half the hosts in my subnet got the following
> >packets allegedly from an Iranian university network.
> >
> >Source/Dest port        9704
> >ID                      39426
> >Ack                     0x7A019CB1
> >
> >Given that the ID and ack are identical in all packets it doesn't look like
> >a vanilla port scan, so my guess is that this represents the initial stage
> >of a Trojan client/server connection... but of course that's complete
> >conjecture.
> >
> >I've tried to check whitehats but can get in, I've done some general web
> >searches but can't find anything and I've taken a look in the 10102k.rules
> >file but it doesn't seem to have any equivalent rule.
> >
> >any thoughts?
> >
> >         Tom
> >
> >PS:
> >
> >Here is an extract from my logs... not sure if it will tell you anything
> >more than above but it seems worth a shot.
> >
> >[**] SCAN-SYN FIN [**]
> >10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
> >TCP TTL:21 TOS:0x0 ID:39426
> >**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
> >
> >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> I've seen four of these about two weeks ago.  It seems to be the port used
> for a backdoor installed by an rpc.statd exploit, the name of which escapes
> me right now.  Someone is looking for hosts that respond on this odd
> port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
> rules because you can bet the mortgage that if SYN/FIN packets are coming
> your way, someone is up to no good.
> 
> -- Joe
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
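Two observations in this thread are worth turning into detection logic: Joe's point that SYN and FIN set together never come from a legitimate TCP stack, and Tom's point that an IP ID and ACK number identical across every packet to every host is the fingerprint of a packet-crafting tool rather than a vanilla connect() scan. The script below is an added example, not code from the thread or from Snort; it parses alerts in the Snort 1.x alert format Tom pasted, flags SYN/FIN packets, and groups them by the header fields a scanner leaves fixed (source address, IP ID, sequence, ACK, source port) to count how many distinct targets each fixed tuple reached. The alert text is constructed for the example with documentation-range addresses; only the header layout is taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the Snort 1.x format shown in the thread.
# Addresses come from the RFC 5737 documentation ranges; three SYN/FIN
# alerts share one IP ID / Seq / Ack, plus one ordinary SYN for contrast.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 203.0.113.30:9704 -> 192.0.2.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] SCAN-SYN FIN [**]
10/24-18:40:33.402118 203.0.113.30:9704 -> 192.0.2.7:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] SCAN-SYN FIN [**]
10/24-18:40:33.455301 203.0.113.30:9704 -> 192.0.2.12:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] WEB-MISC example [**]
10/24-18:41:02.000001 198.51.100.8:3345 -> 192.0.2.1:80
TCP TTL:55 TOS:0x0 ID:1842
******S* Seq: 0x1A2B3C4D   Ack: 0x00000000   Win: 0x2000
"""

MSG_RE = re.compile(r'\[\*\*\] (.*?) \[\*\*\]')
HDR_RE = re.compile(r'^(?P<ts>\S+) (?P<src>[^:\s]+):(?P<sport>\d+) -> '
                    r'(?P<dst>[^:\s]+):(?P<dport>\d+)$')
IP_RE = re.compile(r'^TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+)')
FLAGS_RE = re.compile(r'^(?P<flags>[*12UAPRSF]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)'
                      r'\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)\s+Win: 0x(?P<win>[0-9A-Fa-f]+)')


def parse_alerts(text):
    """Split a Snort 1.x alert file into records (one blank-line-separated block each)."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.strip().splitlines()
        if len(lines) < 4:
            continue
        msg, hdr, ip, fl = (MSG_RE.match(lines[0]), HDR_RE.match(lines[1]),
                            IP_RE.match(lines[2]), FLAGS_RE.match(lines[3]))
        if not (msg and hdr and ip and fl):
            continue
        # Read the flag letters themselves rather than relying on column positions,
        # so the parser does not depend on which Snort release wrote the file.
        flags = set(fl['flags']) - {'*'}
        records.append({
            'msg': msg.group(1), 'ts': hdr['ts'],
            'src': hdr['src'], 'sport': int(hdr['sport']),
            'dst': hdr['dst'], 'dport': int(hdr['dport']),
            'ttl': int(ip['ttl']), 'ipid': int(ip['id']), 'flags': flags,
            'seq': int(fl['seq'], 16), 'ack': int(fl['ack'], 16), 'win': int(fl['win'], 16),
        })
    return records


def is_syn_fin(rec):
    """SYN and FIN together is never produced by a real TCP stack: it is a crafted packet."""
    return {'S', 'F'} <= rec['flags']


def crafted_packet_groups(records, min_targets=2):
    """Group SYN/FIN packets by the fields a real stack would vary per connection
    (IP ID, ISN, ACK) but a scanning tool tends to hard-code. One tuple hitting
    several distinct destinations is the pattern Tom noticed in his subnet."""
    groups = defaultdict(set)
    for r in records:
        if is_syn_fin(r):
            groups[(r['src'], r['ipid'], r['seq'], r['ack'], r['sport'])].add(r['dst'])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_targets}


def summarize(text):
    """Counts and groupings a responder would want before deciding this is a sweep."""
    recs = parse_alerts(text)
    synfin = [r for r in recs if is_syn_fin(r)]
    return {
        'total': len(recs),
        'syn_fin': len(synfin),
        # Source port equal to destination port is another mark of crafted packets.
        'port_mirrored': sum(1 for r in synfin if r['sport'] == r['dport']),
        'crafted_groups': crafted_packet_groups(recs),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(f'{key}: {value}')
```

Run against a real alert file, the `crafted_groups` output gives one line per (source, IP ID, Seq, Ack, source port) tuple with the list of hosts it reached, which is enough to tell a scripted sweep from a handful of unrelated malformed packets.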


