Re: Correlated Scans to Ports 27374 and 1243 (SubSeven)

[Ryan Sweat <h3xm3 () SWBELL NET>]

     Port 27374 is the port which the ramen trojan (worm) is using to
distribute itself.  Either somone is scanning for infected machines, or you
are infected yourself and the worm is spreading with the help of your
network.

bats

----- Original Message -----
From: "Daniel Martin" <dtmartin24 () HOME COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 8:39 PM
Subject: Re: Correlated Scans to Ports 27374 and 1243 (SubSeven)


> "Stephen P. Berry" <spb () MESHUGGENEH NET> writes:
>
> > For the past week or so, I've been observing what appears to be a
> > new scan pattern.  Short summary:
> >
> > -A scan through an address range against port 27374
> > -A scan through the same address range against port 1234
> > -The second scan starts within a couple seconds of the end of
> > the first scan
> > -Scans originate from different networks
> >
> > Here's some sample traffic.  In this example, both scans apparently
> > originate from ISPs.  Of course the interesting thing isn't that
> > there were two scans from addresses owned by ISPs---that's hardly
> > a record.  The interesting thing is that the two scan originate from
> > different networks and appear to be coordinated.
>
> I've not seen this exactly (not managing a whole netblock but just my
> own machine).  What I have seen is what looks like two coordinated
> scans both to port 27374.  (I usually get about 8-10 connections a day
> on this port; therefore, when I get two connection attempts from
> different networks within five seconds of each other, I get
> suspicious)
>
> As you know, ports 27374 and 1243 are the default ports of the windows
> trojan horse subseven.
>
> I have my machine running a rather crude subseven honeypot on those
> ports; one of the things that was quite common last month (though I
> haven't seen it this month - maybe it's time to make my honeypot more
> sophisticated) was for people to connect, give the standard subseven
> backdoor password, and then give a command for my subseven to upgrade
> itself from some url or another.
>
> Anyway, what I saw at least twice last month (out of about 5 distinct
> "upgrade from this URL" requests) was that I would get these upgrade
> requests one right after another; this is too much coincidence.  Once,
> I had forty different connections come in in less than one minute, all
> requesting upgrades from the same URL (and all from different machines).
>
> This makes me think that there exist tools for people who own some
> machines via subseven to probe for more such machines.  One
> interesting thing to note is that occasionally the two URLs given are
> different; I'm not sure what to make of this.  (Some kind of haxor
> war, with one scan following closely on the heels of another so that
> the machine is left in the control of the second scanner?  I don't
> know)
>
> Another pattern I've noticed is that one machine will only connect and
> disconnect without sending anything, and then the second machine will
> connect and send the subseven backdoor password.  However, this
> doesn't sound like what you're looking at (since presumably the second
> machine wouldn't connect if the first hadn't been able to).