[Snort-users] Odd packets... maybe a new Trojan?

Steve Halligan agent33 at ...187...
Wed Oct 25 14:47:44 EDT 2000


I have gotten this scan from 5 different sources over 3 different sensors
between 9/8/2000 and 10/20/2000.  What is up with all this activity?

> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...421...]
> Sent: Wednesday, October 25, 2000 10:11 AM
> To: Joe Matusiewicz
> Cc: Tom Whipp; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Odd packets... maybe a new Trojan?
> 
> 
> I actually got scanned for the same thing (SYN FIN) 10 days ago from a
> BellSouth address.  Charming.
> 
> [From portscan.log]:
> Oct 15 21:32:26 208.62.23.150:9704 -> my.home.address.foo:9704 SYNFIN **SF****
> 
>     -Marty
> 
> Joe Matusiewicz wrote:
> > 
> > At 05:06 AM 10/25/00, Tom Whipp wrote:
> > >Hi all,
> > >
> > >         I got scanned last night, but I haven't the faintest idea what this
> > >signature represents... about half the hosts in my subnet got the following
> > >packets allegedly from an Iranian university network.
> > >
> > >Source/Dest port        9704
> > >ID                      39426
> > >Ack                     0x7A019CB1
> > >
> > >Given that the ID and ack are identical in all packets it doesn't look like
> > >a vanilla port scan, so my guess is that this represents the initial stage
> > >of a Trojan client/server connection... but of course that's complete
> > >conjecture.
> > >
> > >I've tried to check whitehats but can get in, I've done some general web
> > >searches but can't find anything and I've taken a look in the 10102k.rules
> > >file but it doesn't seem to have any equivalent rule.
> > >
> > >any thoughts?
> > >
> > >         Tom
> > >
> > >PS:
> > >
> > >Here is an extract from my logs... not sure if it will tell you anything
> > >more than above but it seems worth a shot.
> > >
> > >[**] SCAN-SYN FIN [**]
> > >10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
> > >TCP TTL:21 TOS:0x0 ID:39426
> > >**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
> > >
> > >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > 
> > I've seen four of these about two weeks ago.  It seems to be the port used
> > for a backdoor installed by an rpc.statd exploit, the name of which escapes
> > me right now.  Someone is looking for hosts that respond on this odd
> > port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
> > rules because you can bet the mortgage that if SYN/FIN packets are coming
> > your way, someone is up to no good.
> > 
> > -- Joe
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> -- 
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 
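As an added example, not code from this thread or from the Snort project, here are the two indicators the posters rely on written as a small Python checker over Snort 1.x-style alert records: the SYN/FIN flag test, and Tom's observation that identical IP ID and ACK values across many targets mean crafted packets rather than real connection attempts. The sample records, addresses and the helper names are all constructed.

```python
import re
from collections import defaultdict
# Constructed sample (documentation addresses) in the Snort 1.x alert layout quoted above.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 192.0.2.10:9704 -> 198.51.100.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] SCAN-SYN FIN [**]
10/24-18:40:33.410022 192.0.2.10:9704 -> 198.51.100.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x11AA22BB   Ack: 0x7A019CB1   Win: 0x404

[**] CONSTRUCTED plain SYN [**]
10/24-18:41:00.000001 203.0.113.7:40212 -> 198.51.100.1:80
TCP TTL:64 TOS:0x0 ID:5001
**S***** Seq: 0x00000001   Ack: 0x00000000   Win: 0x4000
"""
HDR = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
IPL = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:(\d+)")
TCPL = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Parse blank-line-separated 4-line Snort alert records into dicts."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ln = block.splitlines() + [""] * 4          # pad so short blocks simply fail to match
        h, i, t = HDR.match(ln[1]), IPL.match(ln[2]), TCPL.match(ln[3])
        if h and i and t:
            out.append({"src": h[1], "dst": h[3], "dport": int(h[4]), "ip_id": int(i[1]),
                        "flags": t[1], "ack": int(t[3], 16)})
    return out

def syn_fin(records):
    """SYN and FIN never legitimately coexist; testing letters, not positions, also covers 2.x's ******SF."""
    return [r for r in records if "S" in r["flags"] and "F" in r["flags"]]

def crafted_scan_sources(records, min_targets=2):
    """A source whose SYN/FIN probes reach several hosts with one fixed IP ID and ACK is sending hand-built packets."""
    by_src, hits = defaultdict(list), {}
    for r in syn_fin(records):
        by_src[r["src"]].append(r)
    for src, rs in by_src.items():
        ids, acks, dsts = {r["ip_id"] for r in rs}, {r["ack"] for r in rs}, {r["dst"] for r in rs}
        if len(dsts) >= min_targets and len(ids) == 1 and len(acks) == 1:
            hits[src] = {"targets": sorted(dsts), "port": rs[0]["dport"],
                         "ip_id": ids.pop(), "ack": acks.pop()}
    return hits
```

Run against a real alert file, a normal host-generated scanner would show a changing IP ID per packet, so only sources with the constant ID/ACK pair are reported.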