[Snort-users] Odd packets... maybe a new Trojan?

Martin Roesch roesch at ...421...
Wed Oct 25 21:50:56 EDT 2000


I'd probably think about sending a combined report to intrusion at ...695... as
well as incidents.  Hmm, maybe we should think about a Snort-detects list or
something... :)

     -Marty


DmuZ wrote:
> 
> I received the same scan... also from a BellSouth adsl IP. Did not think
> much of it at the time.. seeing as how port 9704 is closed.
> 
> Here is a paste from snortsnarf...
> 
> [**] SCAN-SYN FIN [**]
> 10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404
> 
> Perhaps we should alert incidents at ...35... to see how widespread
> this is?
> 
> IMHO, this appears to be someone looking for a backdoor/rootkit that is set
> up to run on 9704... maybe they know of a backdoor in the backdoor??? After
> all how many script kiddies actually look at all that C code before they use
> a root kit?
> 
> DmuZ
> 
> ----- Original Message -----
> From: Martin Roesch <roesch at ...421...>
> To: Joe Matusiewicz <joem at ...692...>
> Cc: Tom Whipp <twhipp at ...63...>; <snort-users at lists.sourceforge.net>
> Sent: Wednesday, October 25, 2000 8:11 AM
> Subject: Re: [Snort-users] Odd packets... maybe a new Trojan?
> 
> | I actually got scanned for the same thing (SYN FIN) 10 days ago from a
> | BellSouth address.  Charming.
> |
> | [From portscan.log]:
> | Oct 15 21:32:26 208.62.23.150:9704 -> my.home.address.foo:9704 SYNFIN **SF****
> |
> |     -Marty
> |
> | Joe Matusiewicz wrote:
> | >
> | > At 05:06 AM 10/25/00, Tom Whipp wrote:
> | > >Hi all,
> | > >
> | > >         I got scanned last night, but I haven't the faintest idea what this
> | > >signature represents... about half the hosts in my subnet got the following
> | > >packets allegedly from an Iranian university network.
> | > >
> | > >Source/Dest port        9704
> | > >ID                      39426
> | > >Ack                     0x7A019CB1
> | > >
> | > >Given that the ID and ack are identical in all packets it doesn't look like
> | > >a vanilla port scan, so my guess is that this represents the initial stage
> | > >of a Trojan client/server connection... but of course that's complete
> | > >conjecture.
> | > >
> | > >I've tried to check whitehats but can get in, I've done some general web
> | > >searches but can't find anything and I've taken a look in the 10102k.rules
> | > >file but it doesn't seem to have any equivalent rule.
> | > >
> | > >any thoughts?
> | > >
> | > >         Tom
> | > >
> | > >PS:
> | > >
> | > >Here is an extract from my logs... not sure if it will tell you anything
> | > >more than above but it seems worth a shot.
> | > >
> | > >[**] SCAN-SYN FIN [**]
> | > >10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
> | > >TCP TTL:21 TOS:0x0 ID:39426
> | > >**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404
> | > >
> | > >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> | >
> | > I've seen four of these about two weeks ago.  It seems to be the port used
> | > for a backdoor installed by an rpc.statd exploit, the name of which escapes
> | > me right now.  Someone is looking for hosts that respond on this odd
> | > port.  Some IDSs may be fooled by SYN/FIN scans, but this is in the snort
> | > rules because you can bet the mortgage that if SYN/FIN packets are coming
> | > your way, someone is up to no good.
> | >
> | > -- Joe
> | >
> | > _______________________________________________
> | > Snort-users mailing list
> | > Snort-users at lists.sourceforge.net
> | > http://lists.sourceforge.net/mailman/listinfo/snort-users
> |
> | --
> | Martin Roesch
> | roesch at ...421...
> | http://www.snort.org
> |
> 

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
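The two observations in the thread above, that SYN and FIN set together never happen in a legitimate handshake (Joe) and that an IP ID repeated across every packet points to a crafted tool rather than a normal TCP stack (Tom), as a small Python check over Snort 1.x text alert records. This is an added example, not code from the thread or from Snort; the destination hosts and the third record are constructed, and the field layout assumed is the four-line alert format quoted in the thread.

```python
import re
from collections import defaultdict
# Constructed sample: the two complete alert records quoted in this thread plus
# one made-up ordinary SYN for contrast. Destination hosts are placeholders.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704-> 10.0.0.5:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> 10.0.0.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

[**] CONSTRUCTED ordinary SYN [**]
10/24-18:41:00.000000 10.0.0.9:40000 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:12345
******S* Seq: 0x00000001 Ack: 0x0 Win: 0x4000
"""
# One pattern per line of the four-line Snort 1.x text alert record.
_HDR = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
_ADDR = re.compile(r"^\S+ (\S+):(\d+)\s*->\s*(\S+):(\d+)$")
_IP = re.compile(r"^TCP TTL:\d+ TOS:\S+ ID:(\d+)$")
_TCP = re.compile(r"^(\S+)\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Return one dict per well-formed record; malformed records are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = [p.match(ln) for p, ln in zip((_HDR, _ADDR, _IP, _TCP), lines)]
        if len(m) < 4 or not all(m):
            continue
        h, a, i, t = m
        alerts.append({"msg": h.group(1), "src": a.group(1), "sport": int(a.group(2)),
                       "dst": a.group(3), "dport": int(a.group(4)), "ip_id": int(i.group(1)),
                       "flags": t.group(1), "ack": int(t.group(3), 16)})
    return alerts

def is_syn_fin(alert):
    """SYN and FIN set together never occur in a legitimate handshake."""
    return "S" in alert["flags"] and "F" in alert["flags"]

def shared_ip_id_sources(alerts):
    """IP IDs recurring in SYN/FIN alerts from more than one source host."""
    by_id = defaultdict(set)  # a fixed IP ID across senders points to one scanner tool
    for a in filter(is_syn_fin, alerts):
        by_id[a["ip_id"]].add(a["src"])
    return {k: v for k, v in by_id.items() if len(v) > 1}
```

Run against a real Snort alert file by passing its contents to `parse_alerts`; the flag test looks only for the S and F characters, so it tolerates the two flag-column orderings seen in the thread.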


