Security Incidents mailing list archives
Re: Trojan of somesort - Update
From: Pho Man <ph0k1n () yahoo com>
Date: Thu, 27 May 2004 11:25:24 -0700 (PDT)
Hi all,

For what it's worth, I too have found that ports are largely random, but every once in a while I catch a machine that has a well-known bad port open. I found 31337 running on a certain machine once, just a couple of months ago. However, with ServU-FTP stuff it's almost always random, so, as Paul Schmehl suggested, we monitor traffic using NTop on a Linux box, and that catches machines with suspicious activity fairly well. I still like to scan the network using X-scan (since it's fairly fast) just to be sure. But that's just me. :)

Anyhow, I too have found machines that were hacked by warez hackers but had yet to store any files. Usually it seems that it takes almost a week or two for files to get uploaded to the machine. If we catch machines fairly early, then they have the tools (ServU or IOftpd) running but are otherwise empty. Must be quite a successful franchise, or otherwise hackers wouldn't hack so many machines at once. :p

--The Pho Man

--- Paul Schmehl <pauls () utdallas edu> wrote:
--On Thursday, May 27, 2004 02:58:56 PM +0000 Bob the Builder <builder173 () hotmail com> wrote:

> Other than the ServU files and some sort of crude-looking port scanner, so far I haven't been able to find anything else.

This is not surprising. It's been my experience that boxes that get "tagged" (i.e. set up as ftp sites for warez) get hacked by automated scripts and later get filled up with warez. It appears that the skiddies are running automated hacking scripts that "phone home" when a box is set up, but they apparently have so many of them that they don't always get to new ones right away. So there's a window when the box is hacked but not yet being used as a repository.

> Does anyone know of a program that can be used to scan for trojans offline, as I now have the machine's disk loaded into my forensics system? I want to find out what other ports I need to be suspicious of so that I can scan the rest of the network for them to see if anything else looks compromised.

Good luck scanning for ports. The ports they use are completely arbitrary and infinitely changeable. You'd have better luck looking at traffic patterns and investigating boxes that suddenly show unusually high levels of traffic. The only port that I think is really worth scanning is irc (6667/TCP) because that can indicate a worm infection. I've even seen tagged boxes using port 21 as a remote shell. Your port scanner is simply going to tell you someone has ftp enabled. I have port scanned *known* tagged boxes and found nothing to raise suspicions. These guys aren't stupid. They're going to try and make the box look as normal as possible. Some of them even moderate downloads and uploads to try and stay under the radar and not raise suspicion due to unusual traffic patterns.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
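The thread's advice is to stop hunting for magic port numbers and instead watch per-host traffic volume, with 6667/TCP as the one port still worth a look. The following is an added example, not code from either poster: it reads constructed NetFlow-style records (the CSV layout, the 5x spike factor and the three-day minimum history are all assumptions chosen for illustration), compares each host's latest day against the median of its own earlier days, and separately lists hosts that talked to the IRC port. It also reports hosts with too little history to judge, since a host that only appeared on the network yesterday has no baseline and would otherwise be silently ignored.

```python
"""
Flag hosts whose outbound volume jumps far above their own baseline, plus hosts
talking to 6667/TCP. Illustrative example; flow records below are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed NetFlow-style export (not real data).
# Columns: day,src_ip,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
2004-05-20,10.1.1.5,198.51.100.7,80,tcp,120000
2004-05-21,10.1.1.5,198.51.100.7,80,tcp,110000
2004-05-22,10.1.1.5,198.51.100.7,80,tcp,130000
2004-05-23,10.1.1.5,203.0.113.9,2107,tcp,9500000
2004-05-23,10.1.1.5,203.0.113.9,2107,tcp,4200000
2004-05-20,10.1.1.8,198.51.100.7,80,tcp,50000
2004-05-21,10.1.1.8,198.51.100.7,80,tcp,60000
2004-05-22,10.1.1.8,198.51.100.7,443,tcp,55000
2004-05-23,10.1.1.8,198.51.100.7,80,tcp,58000
2004-05-23,10.1.1.8,192.0.2.44,6667,tcp,1400
2004-05-22,10.1.1.9,198.51.100.7,80,tcp,40000
2004-05-23,10.1.1.9,203.0.113.9,21,tcp,7000000
"""

IRC_PORT = 6667            # the one port the thread still considers worth watching
SPIKE_FACTOR = 5.0         # assumption: latest day > 5x the host's own median baseline
MIN_BASELINE_DAYS = 3      # assumption: need this many earlier days to trust a baseline


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"day": day, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def daily_bytes_by_host(flows):
    """Sum outbound bytes per source host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][f["day"]] += f["bytes"]
    return totals


def flag_volume_spikes(flows, factor=SPIKE_FACTOR, min_days=MIN_BASELINE_DAYS):
    """Return {host: (latest_day, latest_bytes, baseline_bytes)} for hosts whose
    latest day exceeds factor * median of their earlier days. Hosts with fewer
    than min_days of earlier history are skipped here (see hosts_without_baseline)."""
    flagged = {}
    for host, per_day in daily_bytes_by_host(flows).items():
        days = sorted(per_day)
        if len(days) - 1 < min_days:
            continue
        latest = days[-1]
        baseline = median(per_day[d] for d in days[:-1])
        if baseline > 0 and per_day[latest] > factor * baseline:
            flagged[host] = (latest, per_day[latest], baseline)
    return flagged


def hosts_without_baseline(flows, min_days=MIN_BASELINE_DAYS):
    """Hosts seen on too few days to compare against a baseline; review by hand."""
    totals = daily_bytes_by_host(flows)
    return sorted(h for h, per_day in totals.items() if len(per_day) - 1 < min_days)


def flag_irc_talkers(flows, port=IRC_PORT):
    """Hosts with any outbound TCP flow to the IRC port."""
    return sorted({f["src"] for f in flows
                   if f["proto"] == "tcp" and f["dport"] == port})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, (day, today, base) in flag_volume_spikes(flows).items():
        print(f"VOLUME  {host}: {today} bytes on {day}, baseline {base:.0f} ({today / base:.0f}x)")
    for host in flag_irc_talkers(flows):
        print(f"IRC     {host}: outbound flow to {IRC_PORT}/tcp")
    for host in hosts_without_baseline(flows):
        print(f"NOBASE  {host}: too little history to judge volume")
```

On the constructed data, 10.1.1.5 is flagged for volume (its destination port is arbitrary, which is the point), 10.1.1.8 is flagged only for the IRC flow, and 10.1.1.9 is listed as having no usable baseline despite a large transfer to port 21. Paul's caveat still applies: an attacker who throttles uploads to stay near the host's normal volume will slip under a per-host ratio like this, so the threshold and history window are knobs to tune against your own network's traffic, not fixed answers.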