Security Incidents mailing list archives
Re: Correlated Scans to Ports 27374 and 1243 (SubSeven)
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Thu, 18 Jan 2001 21:39:43 -0500
"Stephen P. Berry" <spb () MESHUGGENEH NET> writes:
For the past week or so, I've been observing what appears to be a new scan pattern. Short summary:

- A scan through an address range against port 27374
- A scan through the same address range against port 1234
- The second scan starts within a couple seconds of the end of the first scan
- Scans originate from different networks

Here's some sample traffic. In this example, both scans apparently originate from ISPs.

Of course the interesting thing isn't that there were two scans from addresses owned by ISPs---that's hardly a record. The interesting thing is that the two scans originate from different networks and appear to be coordinated.
I've not seen this exactly (not managing a whole netblock but just my own machine). What I have seen is what looks like two coordinated scans both to port 27374. (I usually get about 8-10 connections a day on this port; therefore, when I get two connection attempts from different networks within five seconds of each other, I get suspicious.)

As you know, ports 27374 and 1243 are the default ports of the Windows Trojan horse SubSeven. I have my machine running a rather crude SubSeven honeypot on those ports; one of the things that was quite common last month (though I haven't seen it this month - maybe it's time to make my honeypot more sophisticated) was for people to connect, give the standard SubSeven backdoor password, and then give a command for my SubSeven to upgrade itself from some URL or another.

Anyway, what I saw at least twice last month (out of about 5 distinct "upgrade from this URL" requests) was that I would get these upgrade requests one right after another; this is too much coincidence. Once, I had forty different connections come in in less than one minute, all requesting upgrades from the same URL (and all from different machines). This makes me think that there exist tools for people who own some machines via SubSeven to probe for more such machines.

One interesting thing to note is that occasionally the two URLs given are different; I'm not sure what to make of this. (Some kind of haxor war, with one scan following closely on the heels of another so that the machine is left in the control of the second scanner? I don't know.)

Another pattern I've noticed is that one machine will only connect and disconnect without sending anything, and then the second machine will connect and send the SubSeven backdoor password. However, this doesn't sound like what you're looking at (since presumably the second machine wouldn't connect if the first hadn't been able to).