[Snort-users] Odd packets... maybe a new Trojan?

DmuZ DmuZ at ...496...
Wed Oct 25 18:51:44 EDT 2000


I received the same scan... also from a BellSouth adsl IP. Did not think
much of it at the time... seeing as how port 9704 is closed.

Here is a paste from snortsnarf...

[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

Perhaps we should alert incidents at ...35... to see how widespread
this is?

IMHO, this appears to be someone looking for a backdoor/rootkit that is set
up to run on 9704... maybe they know of a backdoor in the backdoor??? After
all, how many script kiddies actually look at all that C code before they use
a root kit?

DmuZ

----- Original Message -----
From: Martin Roesch <roesch at ...421...>
To: Joe Matusiewicz <joem at ...692...>
Cc: Tom Whipp <twhipp at ...63...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, October 25, 2000 8:11 AM
Subject: Re: [Snort-users] Odd packets... maybe a new Trojan?


| I actually got scanned for the same thing (SYN FIN) 10 days ago from a
| BellSouth address.  Charming.
|
| [From portscan.log]:
| Oct 15 21:32:26 208.62.23.150:9704 -> my.home.address.foo:9704 SYNFIN **SF****
|
|     -Marty
|
| Joe Matusiewicz wrote:
| >
| > At 05:06 AM 10/25/00, Tom Whipp wrote:
| > >Hi all,
| > >
| > >         I got scanned last night, but I haven't the faintest idea what this
| > >signature represents... about half the hosts in my subnet got the following
| > >packets allegedly from an Iranian university network.
| > >
| > >Source/Dest port        9704
| > >ID                      39426
| > >Ack                     0x7A019CB1
| > >
| > >Given that the ID and ack are identical in all packets it doesn't look like
| > >a vanilla port scan, so my guess is that this represents the initial stage
| > >of a Trojan client/server connection... but of course that's complete
| > >conjecture.
| > >
| > >I've tried to check whitehats but can get in, I've done some general web
| > >searches but can't find anything and I've taken a look in the 10102k.rules
| > >file but it doesn't seem to have any equivalent rule.
| > >
| > >any thoughts?
| > >
| > >         Tom
| > >
| > >PS:
| > >
| > >Here is an extract from my logs... not sure if it will tell you anything
| > >more than above but it seems worth a shot.
| > >
| > >[**] SCAN-SYN FIN [**]
| > >10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
| > >TCP TTL:21 TOS:0x0 ID:39426
| > >**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
| > >
| > >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
| >
| > I've seen four of these about two weeks ago.  It seems to be the port used
| > for a backdoor installed by an rpc.statd exploit, the name of which escapes
| > me right now.  Someone is looking for hosts that respond on this odd
| > port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
| > rules because you can bet the mortgage that if SYN/FIN packets are coming
| > your way, someone is up to no good.
| >
| > -- Joe
| >
| > _______________________________________________
| > Snort-users mailing list
| > Snort-users at lists.sourceforge.net
| > http://lists.sourceforge.net/mailman/listinfo/snort-users
|
| --
| Martin Roesch
| roesch at ...421...
| http://www.snort.org
| _______________________________________________
| Snort-users mailing list
| Snort-users at lists.sourceforge.net
| http://lists.sourceforge.net/mailman/listinfo/snort-users
|
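The thread's two observations (SYN and FIN set together is never legitimate, and an identical IP ID and Ack across packets to many hosts points at a crafted probe rather than a plain scan) can be checked mechanically over Snort's alert output. The script below is an added example, not code from the thread or from the Snort project: it parses the four-line Snort 1.x alert records in the format pasted above, accepting both flag-string layouts that appear in the thread ("**SF****" and "******SF") and the missing space before "->", and then groups SYN/FIN packets by (IP ID, Ack) to surface clusters that hit more than one destination. Function names and the sample alerts are constructed for illustration; the addresses are documentation ranges, while the IP ID 39426 and window 0x404 are the values the posters reported.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the Snort 1.x alert layout shown in the thread
# (hypothetical addresses from documentation ranges; ID/Win values as reported).
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 192.0.2.10:9704 -> 198.51.100.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] SCAN-SYN FIN [**]
10/24-18:40:33.352101 192.0.2.10:9704 -> 198.51.100.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x5A11C0DE   Ack: 0x7A019CB1   Win: 0x404

[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 192.0.2.77:9704-> 198.51.100.9:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] WEB-MISC example [**]
10/24-18:41:00.000001 192.0.2.55:40000 -> 198.51.100.1:80
TCP TTL:64 TOS:0x0 ID:12345
******S* Seq: 0x1 Ack: 0x0 Win: 0x4000
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
# Tolerates "src:port-> dst:port" (no space before the arrow) as in one pasted record.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+?):(?P<sport>\d+)\s*->\s*(?P<dst>\S+?):(?P<dport>\d+)$"
)
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ip_id>\d+)")
# Eight-character flag field; only the letters present matter, not their position.
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack: (?P<ack>0x[0-9A-Fa-f]+)\s+Win: (?P<win>0x[0-9A-Fa-f]+)"
)


@dataclass
class Alert:
    msg: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    flags: str
    seq: int
    ack: int
    win: int

    @property
    def syn_fin(self) -> bool:
        # SYN and FIN together is not a combination a real TCP stack emits.
        return "S" in self.flags and "F" in self.flags


def parse_alerts(text: str) -> list[Alert]:
    """Parse blank-line separated four-line Snort alert records."""
    alerts: list[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            continue
        hdr, pkt, ip, tcp = (HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1]),
                             IP_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not (hdr and pkt and ip and tcp):
            continue  # unexpected layout: skip rather than guess at fields
        alerts.append(Alert(
            msg=hdr["msg"], ts=pkt["ts"],
            src=pkt["src"], sport=int(pkt["sport"]),
            dst=pkt["dst"], dport=int(pkt["dport"]),
            ttl=int(ip["ttl"]), ip_id=int(ip["ip_id"]),
            flags=tcp["flags"], seq=int(tcp["seq"], 16),
            ack=int(tcp["ack"], 16), win=int(tcp["win"], 16),
        ))
    return alerts


def syn_fin_alerts(alerts: list[Alert]) -> list[Alert]:
    """Keep only packets with both SYN and FIN set, regardless of the rule name."""
    return [a for a in alerts if a.syn_fin]


def crafted_clusters(alerts: list[Alert], min_targets: int = 2) -> dict[tuple[int, int], list[str]]:
    """Group SYN/FIN packets by (IP ID, Ack); a fixed pair across several
    destinations indicates a tool emitting canned packets, as noted in the thread."""
    groups: dict[tuple[int, int], set[str]] = defaultdict(set)
    for a in syn_fin_alerts(alerts):
        groups[(a.ip_id, a.ack)].add(a.dst)
    return {key: sorted(dsts) for key, dsts in sorted(groups.items())
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in syn_fin_alerts(parsed):
        print(f"SYN/FIN {a.src}:{a.sport} -> {a.dst}:{a.dport} id={a.ip_id} ack={a.ack:#x} ttl={a.ttl}")
    for (ip_id, ack), dsts in crafted_clusters(parsed).items():
        print(f"fixed ID={ip_id} Ack={ack:#x} seen against {len(dsts)} hosts: {', '.join(dsts)}")
```

Feeding the real alert file in instead of SAMPLE_ALERTS gives the per-host view that Tom and Joe derived by hand: which probes carried SYN/FIN, and whether the same canned ID/Ack pair swept the subnet.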
