[Snort-users] Odd packets... maybe a new Trojan?

Thayne thayne_a at ...125...
Wed Oct 25 10:51:19 EDT 2000


I've seen a few of these scans myself, so I looked into it.

I did find this:

http://www.cert.org/advisories/CA-2000-17.html

I think it's the exploit Joe was referring to.

-Thayne



----- Original Message -----
From: "Martin Roesch" <roesch at ...421...>
To: "Joe Matusiewicz" <joem at ...692...>
Cc: "Tom Whipp" <twhipp at ...63...>;
<snort-users at lists.sourceforge.net>
Sent: Wednesday, October 25, 2000 10:11 AM
Subject: Re: [Snort-users] Odd packets... maybe a new Trojan?


> I actually got scanned for the same thing (SYN FIN) 10 days ago from a
> BellSouth address.  Charming.
>
> [From portscan.log]:
> Oct 15 21:32:26 208.62.23.150:9704 -> my.home.address.foo:9704 SYNFIN **SF****
>
>     -Marty
>
> Joe Matusiewicz wrote:
> >
> > At 05:06 AM 10/25/00, Tom Whipp wrote:
> > >Hi all,
> > >
> > >         I got scanned last night, but I haven't the faintest idea what this
> > >signature represents... about half the hosts in my subnet got the following
> > >packets allegedly from an Iranian university network.
> > >
> > >Source/Dest port        9704
> > >ID                      39426
> > >Ack                     0x7A019CB1
> > >
> > >Given that the ID and ack are identical in all packets it doesn't look like
> > >a vanilla port scan, so my guess is that this represents the initial stage
> > >of a Trojan client/server connection... but of course that's complete
> > >conjecture.
> > >
> > >I've tried to check whitehats but can get in, I've done some general web
> > >searches but can't find anything and I've taken a look in the 10102k.rules
> > >file but it doesn't seem to have any equivalent rule.
> > >
> > >any thoughts?
> > >
> > >         Tom
> > >
> > >PS:
> > >
> > >Here is an extract from my logs... not sure if it will tell you anything
> > >more than above but it seems worth a shot.
> > >
> > >[**] SCAN-SYN FIN [**]
> > >10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
> > >TCP TTL:21 TOS:0x0 ID:39426
> > >**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
> > >
> > >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > I've seen four of these about two weeks ago.  It seems to be the port used
> > for a backdoor installed by an rpc.statd exploit, the name of which escapes
> > me right now.  Someone is looking for hosts that respond on this odd
> > port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
> > rules because you can bet the mortgage that if SYN/FIN packets are coming
> > your way, someone is up to no good.
> >
> > -- Joe
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
>
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
>
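Added example, not from this thread or from Snort itself: a small parser for the Snort 1.x text alert format quoted above that keeps only packets with both SYN and FIN set and reports, per source, which hosts were hit and whether the IP ID and Ack stayed constant across targets, the two things Tom and Joe point at. The sample alert records are constructed to mirror the thread's format; the 10.0.0.x targets and the benign third record are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.x alert format quoted in the thread (targets made up).
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> 10.0.0.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] SCAN-SYN FIN [**]
10/24-18:40:33.512201 213.29.27.30:9704 -> 10.0.0.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x11223344   Ack: 0x7A019CB1   Win: 0x404

[**] WEB-MISC made-up benign alert [**]
10/24-18:41:00.000000 192.0.2.9:40000 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:1234
***A**** Seq: 0x00000001   Ack: 0x00000002   Win: 0x2000
"""

# One alert = message line, timestamp/addresses line, IP header line, TCP header line.
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"\S+ (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"TCP TTL:\d+ TOS:\S+ ID:(?P<ipid>\d+).*\n"
    r"(?P<flags>\S{8}) Seq: 0x[0-9A-Fa-f]+\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Extract TCP alert records from Snort 1.x text alerts; non-matching blocks are skipped."""
    records = []
    for m in ALERT_RE.finditer(text):
        r = m.groupdict()
        r["ipid"], r["ack"] = int(r["ipid"]), int(r["ack"], 16)
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        records.append(r)
    return records

def find_synfin_scanners(records):
    """Group SYN/FIN hits by source and check whether IP ID and Ack never vary.
    SYN+FIN is never a legitimate handshake, and a constant ID/Ack across targets
    means the packets came from a crafted-packet tool, not a real TCP stack."""
    by_src = defaultdict(list)
    for r in records:
        if "S" in r["flags"] and "F" in r["flags"]:  # flag letters, '*' = unset
            by_src[r["src"]].append(r)
    return {src: {"targets": sorted({h["dst"] for h in hits}),
                  "ports": sorted({(h["sport"], h["dport"]) for h in hits}),
                  "constant_id_ack": len({(h["ipid"], h["ack"]) for h in hits}) == 1}
            for src, hits in by_src.items()}
```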