[Snort-users] Odd packets... maybe a new Trojan?

Yonah Russ yonah at ...569...
Wed Oct 25 14:44:54 EDT 2000


Chalk one up for chinanet.cn.net - I got this almost a month ago but I
didn't find any info on a port 9704 backdoor. I didn't have anything
running there, so I sent off an annoyed letter to their technical contact
and forgot about it until I saw your messages.


[**] SCAN-SYN FIN [**]
10/01-14:35:38.066724 202.106.169.212:9704 -> xxx.xxx.xxx.xxx:9704
TCP TTL:28 TOS:0x0 ID:39426 
**SF**** Seq: 0x7A24C1D1   Ack: 0x4080EAB4   Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

On Wed, 25 Oct 2000, Martin Roesch wrote:

> I actually got scanned for the same thing (SYN FIN) 10 days ago from a
> BellSouth address.  Charming.
> 
> [From portscan.log]:
> Oct 15 21:32:26 208.62.23.150:9704 -> my.home.address.foo:9704 SYNFIN **SF**** 
> 
>     -Marty
> 
> Joe Matusiewicz wrote:
> > 
> > At 05:06 AM 10/25/00, Tom Whipp wrote:
> > >Hi all,
> > >
> > >         I got scanned last night, but I haven't the faintest idea what this
> > >signature represents... about half the hosts in my subnet got the following
> > >packets allegedly from an Iranian university network.
> > >
> > >Source/Dest port        9704
> > >ID                      39426
> > >Ack                     0x7A019CB1
> > >
> > >Given that the ID and ack are identical in all packets it doesn't look like
> > >a vanilla port scan, so my guess is that this represents the initial stage
> > >of a Trojan client/server connection... but of course that's complete
> > >conjecture.
> > >
> > >I've tried to check whitehats but can't get in, I've done some general web
> > >searches but can't find anything and I've taken a look in the 10102k.rules
> > >file but it doesn't seem to have any equivalent rule.
> > >
> > >any thoughts?
> > >
> > >         Tom
> > >
> > >PS:
> > >
> > >Here is an extract from my logs... not sure if it will tell you anything
> > >more than above but it seems worth a shot.
> > >
> > >[**] SCAN-SYN FIN [**]
> > >10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
> > >TCP TTL:21 TOS:0x0 ID:39426
> > >**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
> > >
> > >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > 
> > I've seen four of these about two weeks ago.  It seems to be the port used
> > for a backdoor installed by an rpc.statd exploit, the name of which escapes
> > me right now.  Someone is looking for hosts that respond on this odd
> > port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
> > rules because you can bet the mortgage that if SYN/FIN packets are coming
> > your way, someone is up to no good.
> > 
> > -- Joe
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> 

-- 
Email:		<yonah at ...570...>
Homepage:	<http://p-yonah.jct.ac.il/>
PGP:            0x7C3C2524 <ldap://certserver.pgp.com>

"Quote me as saying I was misquoted."
				--Groucho Marx
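The three posters' observations add up to a signature that can be checked offline: every packet has SYN and FIN set (which no legitimate handshake produces), the IP ID is the same 39426 in all three scans from three unrelated networks, and within one scan the ACK number is also fixed across targets. The script below is an added example, not code from any poster or from the Snort project. It parses the Snort 1.x alert text format quoted in the thread and reports both patterns. The alert lines it runs on are constructed for the example (destinations from the 192.0.2.0/24 documentation range, sequence numbers made up), modelled on the posted logs.

```python
"""Added example: flag SYN/FIN probes whose IP ID and ACK never change.

Runs over Snort 1.x alert text (constructed sample below) and reports
(a) packets with SYN and FIN both set, and (b) groups of such packets
from one source that reuse the same IP ID and ACK against several hosts,
plus IP IDs that recur across different sources.
"""
import re
from collections import defaultdict

# Constructed sample in the alert format quoted in the thread. Targets are
# documentation-range addresses; the last record is a plain SYN as a control.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> 192.0.2.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
10/24-18:40:33.402113 213.29.27.30:9704 -> 192.0.2.7:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x11AA22BB   Ack: 0x7A019CB1   Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
10/24-18:40:33.455001 213.29.27.30:9704 -> 192.0.2.9:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x5C5C0001   Ack: 0x7A019CB1   Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
10/01-14:35:38.066724 202.106.169.212:9704 -> 192.0.2.1:9704
TCP TTL:28 TOS:0x0 ID:39426
**SF**** Seq: 0x7A24C1D1   Ack: 0x4080EAB4   Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] plain SYN (control record) [**]
10/24-18:41:02.000000 198.51.100.9:4321 -> 192.0.2.1:80
TCP TTL:64 TOS:0x0 ID:1234
**S***** Seq: 0x01020304   Ack: 0x0   Win: 0x4000
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# One alert record: message line, timestamp/addresses, IP line, TCP line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*\n"
    r"(?P<ts>\S+)\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s*->\s*(?P<dst>[^\s:]+):(?P<dport>\d+)\s*\n"
    r"TCP TTL:(?P<ttl>\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<ipid>\d+)\s*\n"
    r"(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)"
    r"\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)"
)


def parse_alerts(text):
    """Return one dict per alert record with numeric fields converted."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        for key in ("sport", "dport", "ttl", "ipid"):
            rec[key] = int(rec[key])
        for key in ("seq", "ack", "win"):
            rec[key] = int(rec[key], 16)
        alerts.append(rec)
    return alerts


def is_syn_fin(flags):
    # Test membership, not position: Snort 1.6 printed the flag string in
    # "21SFRPAU" order and later 1.x releases in "12UAPRSF" order, so both
    # "**SF****" and "******SF" mean SYN and FIN set together.
    return "S" in flags and "F" in flags


def syn_fin_alerts(alerts):
    return [a for a in alerts if is_syn_fin(a["flags"])]


def crafted_probe_groups(alerts, min_targets=2):
    """SYN/FIN packets from one source that reuse the same IP ID and ACK
    against at least min_targets distinct hosts. A normal stack varies the
    IP ID and picks a fresh sequence number per attempt, and a SYN carries
    no meaningful ACK at all; a fixed (ID, ACK) pair across a subnet means
    a raw-socket tool with hard-coded header fields, not a vanilla scan."""
    groups = defaultdict(set)
    for a in syn_fin_alerts(alerts):
        groups[(a["src"], a["ipid"], a["ack"])].add(a["dst"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_targets}


def shared_ip_ids(alerts):
    """IP IDs that appear on SYN/FIN packets from more than one source:
    the same constant from unrelated networks points to one tool in
    circulation rather than one scanner."""
    sources = defaultdict(set)
    for a in syn_fin_alerts(alerts):
        sources[a["ipid"]].add(a["src"])
    return {ipid: sorted(s) for ipid, s in sources.items() if len(s) > 1}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed, {len(syn_fin_alerts(alerts))} with SYN+FIN")
    for (src, ipid, ack), targets in crafted_probe_groups(alerts).items():
        print(f"{src}: ID {ipid} ACK 0x{ack:08X} reused against {targets}")
    for ipid, srcs in shared_ip_ids(alerts).items():
        print(f"IP ID {ipid} seen from several sources: {srcs}")
```

On the sample, the 213.29.27.30 records collapse into one group hitting three hosts with ID 39426 and ACK 0x7A019CB1, and ID 39426 is also reported as shared with the 202.106.169.212 probe, which is exactly the cross-poster coincidence in this thread. For the live side, the stock Snort rule that raised these alerts keys on the `flags:SF;` option; the offline grouping here is what tells a fixed-header tool apart from an ordinary scanner once the alerts have been logged.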
