Security Incidents mailing list archives

RE: port 9274?


From: "Royans Tharakan" <RTharakan () ingenuity com>
Date: Fri, 28 Dec 2001 13:09:44 -0800

This is not new. There has been a logged incident dated Dec 11th.
http://www.incidents.org/diary.php?id=115

http://keir.net/attacklist.html
This link talks about a probable "BackGate" Rootkit installed on this
port.
The systems with this rootkit installed had this port open for
listening.

http://cert.uni-stuttgart.de/archive/incidents/2001/02/msg00355.html
This link talks about a rootkit of some sort installing wingate3.0 as
MMtask.exe which listens on this port.

If you send me more dumps I'll try to do more analysis. A raw tcpdump dump
would be extremely helpful.

regards,
Royans


-----Original Message-----
From: John Kinsella [mailto:jlk () thrashyour com]
Sent: Friday, December 28, 2001 8:58 AM
To: incidents () securityfocus com
Subject: port 9274?


Anybody got an idea of what this might be?  I've seen it on a few of my
IDS sensors this morning:

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.3400 [**]
12/28-08:06:06.702394 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
TCP TTL:115 TOS:0x0 ID:14182 IpLen:20 DgmLen:48 DF
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.2908 [**]
12/28-08:06:09.511201 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
TCP TTL:115 TOS:0x0 ID:14500 IpLen:20 DgmLen:48 DF
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

Quick look around the various sites doesn't seem to indicate much
knowledge about a service running on 9274.  Source port seems to change
for each destination IP, and probes each IP twice about 3 seconds apart.

John

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


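As an added example (not code from either message), a parser for the spp_anomsensor alert layout John quoted, with a per-flow summary that separates a SYN retransmission (same source port and same ISN, exactly what the two packets above show) from a genuinely distinct probe; the sample is constructed, with the masked addresses replaced by RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the spp_anomsensor layout quoted in the post (masked
# addresses replaced by RFC 5737 ranges; TTL/options lines omitted, parser ignores them).
SAMPLE_ALERTS = """\
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.3400 [**]
12/28-08:06:06.702394 192.0.2.10:4513 -> 198.51.100.5:9274
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.2908 [**]
12/28-08:06:09.511201 192.0.2.10:4513 -> 198.51.100.5:9274
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.1100 [**]
12/28-08:06:12.004400 192.0.2.10:4520 -> 198.51.100.6:9274
******S* Seq: 0x31F0A001  Ack: 0x0  Win: 0x2238  TcpLen: 28
"""

PKT_RE = re.compile(r"^\d\d/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+):(\d+) -> (\S+):(\d+)$")
SEQ_RE = re.compile(r"^[*SFRPAU12]{8} Seq: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """One dict per blank-line-separated alert: time (seconds into the month), 4-tuple, ISN."""
    out = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if m := PKT_RE.match(line):
                d, h, mi, s, us = (int(x) for x in m.groups()[:5])
                rec.update(t=((d * 24 + h) * 60 + mi) * 60 + s + us / 1e6, src=m[6],
                           sport=int(m[7]), dst=m[8], dport=int(m[9]))
            elif m := SEQ_RE.match(line):
                rec["seq"] = int(m[1], 16)
        if "t" in rec:
            out.append(rec)
    return out

def summarize(records):
    """Per (src, dst, dport): a later SYN with the same source port and ISN is a retransmission."""
    by_flow = defaultdict(list)
    for r in sorted(records, key=lambda r: r["t"]):
        by_flow[(r["src"], r["dst"], r["dport"])].append(r)
    summary = {}
    for key, pkts in by_flow.items():
        gaps = [round(b["t"] - a["t"], 3) for a, b in zip(pkts, pkts[1:])
                if a["sport"] == b["sport"] and a.get("seq") == b.get("seq")]
        summary[key] = {"packets": len(pkts), "retransmit_gaps": gaps,
                        "distinct_probes": len(pkts) - len(gaps)}
    return summary
```

On the quoted pair the gap comes out at about 2.8 seconds with an unchanged source port and ISN, so the sensor saw one connection attempt and its retransmitted SYN rather than two separate probes.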

