Security Incidents mailing list archives
Those sport==dport, SF scans
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Mon, 6 Nov 2000 11:12:06 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

H D Moore writes (under "Wide Spread TCP 21 -> 21 (SF) Sweep"):

> I am noticing what must be a HUGE FTP scan going on, as two completely unrelated networks saw the same thing about 10 hours apart.

..and A.L.Lambert writes (under "Port 109 scanning"):

> I'm curious if anyone else has been getting port 109 SYN/FIN scans lately? (src 109 -> dst 109).

If I was a bettin' man, I'd wager either of y'all that if you look at the IP ID of the packets in question you'll see that they're all set to 0x9a02 (decimal 39426). It sounds like one of the patterns I asked about back in August (in a message called `Putting names to faces'). I've seen many references to traffic that matches this description, but haven't seen anyone identify the tool that's being used to generate it. I've been identifying it (in the signatures I use myself) as `Mystery Tool 11', but I'd still like to be able to attach a somewhat more meaningful label.

It occurs to me that it would be pretty useful if there was a person or organisation that maintained a sort of spotter's guide to scan tools/remote exploits/trojans/whatever. By this I mean actively seeking out these tools to study and report on them---most signature databases and suchlike that are currently out there seem more geared toward reporting on activity (analysing effects) rather than the tools themselves (analysing causes). Also, most of 'em seem to be reasonably narrowly targeted at the users of particular [N]IDSes.

Another thing occurs to me, and that's that by the time I get around to thinking of something that might be useful, someone else (and usually several other people) have already thought of it. So---does anyone know of a project such as the one I describe?

-Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6BwJOG3kIaxeRZl8RAr9VAKDZCsEHHgFKYfaGEZQtsDRHVYf/egCfUoLY
Gd2opf4fF3WAd84iNgtQs2Y=
=xphA
-----END PGP SIGNATURE-----
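The three traits Steve's message uses to pick this scanner out of the noise (SYN and FIN set together, source port equal to destination port, and an IP ID fixed at 0x9a02) make a compact detection signature. The following is an added example, not code from the post or from any IDS of the period: it parses raw IPv4/TCP headers, reports which of the three conditions a packet satisfies, and treats only the full set as a hit, so a sweep that merely reuses port 21 -> 21 with a different IP ID is surfaced as a partial match rather than attributed to the same tool. The packet builder and the addresses in it are constructed for the example; checksums are left at zero because the signature never looks at them.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Constant IP ID value reported in the post, hex 0x9a02 == decimal 39426.
MYSTERY_TOOL_IPID = 0x9A02

TCP_FIN = 0x01
TCP_SYN = 0x02


@dataclass(frozen=True)
class PacketSummary:
    """Just the header fields the signature needs."""
    ip_id: int
    src_port: int
    dst_port: int
    flags: int


def parse_ipv4_tcp(raw: bytes) -> PacketSummary:
    """Extract IP ID, TCP ports and TCP flags from a raw IPv4+TCP packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = raw[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if raw[9] != 6:                      # protocol field: 6 == TCP
        raise ValueError("not TCP")
    ip_id = struct.unpack("!H", raw[4:6])[0]
    tcp = raw[ihl:]
    if len(tcp) < 14:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]                      # low 6 bits: URG ACK PSH RST SYN FIN
    return PacketSummary(ip_id, src_port, dst_port, flags)


def sf_scan_indicators(pkt: PacketSummary) -> list[str]:
    """Return the list of signature conditions this packet satisfies."""
    hits = []
    if pkt.flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN):
        hits.append("SYN+FIN set")
    if pkt.src_port == pkt.dst_port:
        hits.append("sport == dport")
    if pkt.ip_id == MYSTERY_TOOL_IPID:
        hits.append("IP ID 0x9a02")
    return hits


def is_mystery_tool_11(pkt: PacketSummary) -> bool:
    """Full match only: all three traits from the post must be present."""
    return len(sf_scan_indicators(pkt)) == 3


def build_packet(src_port: int, dst_port: int, flags: int, ip_id: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet for testing (constructed data,
    checksums zero, example addresses from the documentation ranges)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, ip_id, 0, 64, 6, 0,
        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 1024, 0, 0
    )
    return ip_hdr + tcp_hdr


# Constructed samples: the two sweeps described in the thread, ordinary
# client traffic, and a look-alike that reuses the port pattern only.
SAMPLES = {
    "ftp 21->21 SF, id 0x9a02": build_packet(21, 21, TCP_SYN | TCP_FIN, 0x9A02),
    "pop 109->109 SF, id 0x9a02": build_packet(109, 109, TCP_SYN | TCP_FIN, 0x9A02),
    "normal SYN to ftp": build_packet(34567, 21, TCP_SYN, 12345),
    "21->21 SF, other id": build_packet(21, 21, TCP_SYN | TCP_FIN, 0x1234),
}


def classify_samples() -> dict[str, tuple[bool, list[str]]]:
    """Run the signature over every sample; returns (full match, indicators)."""
    return {
        name: (is_mystery_tool_11(parse_ipv4_tcp(raw)),
               sf_scan_indicators(parse_ipv4_tcp(raw)))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (match, hits) in classify_samples().items():
        print(f"{name:28s} match={match!s:5s} {hits}")
```

Reporting the partial indicators separately is the practical point: sport==dport with SYN+FIN is shared by more than one scanner, and it is the fixed IP ID that lets an analyst tie a sweep to this particular tool rather than to the class of tools.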
Current thread:
- Wide Spread TCP 21 -> 21 (SF) Sweep H D Moore (Nov 06)
- Those sport==dport, SF scans Stephen P. Berry (Nov 08)