Security Incidents mailing list archives

Those sport==dport, SF scans

From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Mon, 6 Nov 2000 11:12:06 -0800


H D Moore writes (under "Wide Spread TCP 21 -> 21 (SF) Sweep"):

> I am noticing what must be a HUGE FTP scan going on, as two completely
> unrelated networks saw the same thing about 10 hours apart.

...and A.L.Lambert writes (under "Port 109 scanning"):

> I'm curious if anyone else has been getting port 109 SYN/FIN
> scans lately? (src 109 -> dst 109).

If I was a bettin' man, I'd wager either of y'all that if you look
at the IP ID of the packets in question you'll see that
they're all set to 0x9a02 (decimal 39426).  It sounds like one of
the patterns I asked about back in August (in a message
called `Putting names to faces').  I've seen many references to
traffic that matches this description, but haven't seen anyone
identify the tool that's being used to generate it.  I've
been identifying it (in the signatures I use myself) as `Mystery
Tool 11', but I'd still like to be able to attach a somewhat
more meaningful label.

It occurs to me that it would be pretty useful if there was a
person or organisation that maintained a sort of spotter's guide to
scan tools/remote exploits/trojans/whatever.  By this I mean actively
seeking out these tools to study and report on them---most signature
databases and suchlike that are currently out there seem more geared
toward reporting on activity (analysing effects) rather than the
tools themselves (analysing causes).  Also, most of 'em seem to be
reasonably narrowly targeted at the users of particular [N]IDSes.

Another thing occurs to me, and that's that by the time I get around to
thinking of something that might be useful, someone else (and usually several
other people) have already thought of it.  So---does anyone know
of a project such as the one I describe?

-Steve

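For anyone wanting to check their own captures for the pattern Steve describes (SYN+FIN set, source port equal to destination port, IP ID fixed at 0x9a02), here is an added example signature matcher that is not part of the original post: it parses raw IPv4+TCP header bytes and flags packets meeting all three conditions. The packets it is tested against are constructed in the script itself, not real captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Signature values taken from the post: SYN+FIN, sport == dport, IP ID 0x9a02 (39426).
MYSTERY_TOOL_11_IPID = 0x9A02
TCP_FIN = 0x01
TCP_SYN = 0x02


@dataclass
class PacketSummary:
    ip_id: int
    sport: int
    dport: int
    flags: int  # low 8 bits of the TCP offset/flags word (CWR..FIN)


def parse_ipv4_tcp(pkt: bytes) -> Optional[PacketSummary]:
    """Parse an IPv4 header followed by a TCP header; None if not IPv4/TCP or truncated."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, ip_id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:  # version 4, protocol 6 = TCP
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options may be present)
    if len(pkt) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return PacketSummary(ip_id=ip_id, sport=sport, dport=dport, flags=off_flags & 0xFF)


def matches_sf_sweep(summary: PacketSummary) -> bool:
    """True when the packet carries all three traits of the sport==dport SF sweep."""
    syn_fin = summary.flags & (TCP_SYN | TCP_FIN)
    return (syn_fin == (TCP_SYN | TCP_FIN)
            and summary.sport == summary.dport
            and summary.ip_id == MYSTERY_TOOL_11_IPID)


def build_sample(ip_id: int, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet (not a capture): minimal IPv4 + TCP headers, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)
    return ip + tcp


def count_sf_sweep(packets) -> int:
    """Count packets in an iterable of raw IPv4 frames that match the signature."""
    return sum(1 for p in packets if (s := parse_ipv4_tcp(p)) and matches_sf_sweep(s))
```

Feed `count_sf_sweep` the raw IP payloads from a pcap reader to get a per-capture hit count; a SYN-only packet or any other IP ID will not match.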
