Security Incidents mailing list archives

Re: New trojan running in port 12345?


From: Martin H Hoz-Salvador <mhoz () citi com mx>
Date: Thu, 4 Jan 2001 18:13:57 -0600

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks!

This is a follow-up for my post dated December 19th 2000, I have some
new findings.

This is a bit late after my first post, but I wanted to do some research
before releasing any results. :-) Here we go:

a) As Russell Fulton said in a reply, most of the origin IPs came from Korea;
   other sources were Brazil, USA, Canada among others.
b) As Russell Fulton pointed out too, most of the netscans started at "11",
   instead of "1". A strange thing is that some scans started at "96" and
   ended at "111".
c) The delay between packets was 5 seconds. Sometimes the delay was 6 seconds,
   but I think this was due to network congestion, and not a pattern in the scans.
d) Almost all scans took 20 minutes (average) to scan a class C net
   (remember, from 11 to 254 in this case).
e) From my logs, it seems like the scans started at Dec/14/2000 22:52:27 CST,
   ending Dec/27/2000 09:54:03 CST (note the ":52:27" and ":54:03" relation. I'm
   wondering if this hour is significant for some country like Korea, or if
   this could mean an automated scan). ;-)
f) Around 420 unique IP numbers were originating scans. I tried to
   identify some "double" scans originating from the same IP, without success.
g) Jose Nazario pointed out the possible relationship between this scan and
   some sort of underground audit project. I browsed the web and found
   this URL: http://www.nwo.net/iap/ This is related (almost the same
   info :-P) to the URL he gave us. But this page doesn't say anything about
   NetBus scannings (or some other trojans associated with port 12345, as
   listed in http://www.simovits.com/nyheter9902.html). I couldn't find any
   underground audit project related to this... (using common
   search engines) :-(
h) Unfortunately, due to internal management problems, I couldn't reconfigure
   my IDS to get more detailed info about this, and all info was extracted
   using my firewall logs as the only source (sorry) :-(
i) Due to the large number of IPs (trying to contact the responsible people
   for each network involved), I didn't make any contact with the network
   managers at the other side, sorry.
j) As a result of this (too), I wrote a "quick and dirty" Korn shell script
   to find "contacts" for any given IP, simply doing queries to whois
   databases. I usually do this manually, but doing this for more than 400 IPs
   one-by-one is really hard for me. :-P

I'm attaching to this message 3 files:
ipes: a list of IP numbers from which the scans originated
results: the results for contacts, using the "ipes" file as source for the
   script I talked about before.
parser.ksh: the script.

I reviewed the charter for this list looking for something about
attachments and found nothing, so I guess it's OK to send some
short (zipped) attachments. ;-)

Hope this helps to someone. :-) Best regards and happy 2001.

- --
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
C   I   T   I
Sendero Sur  285  Col. Contry,  Monterrey,  Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x139   Fax: +(52)(8) 357-8047
E-mail: mhoz () citi com mx        WWW:  http://www.citi.com.mx
PGPKey ID: 0x0454E8D9           ICQ Number: 31631540
GIT d- s:(+:+) a-- C+(++++)>$ SILH++++ P++ L+++ E W++ N+ o-- K- w
O M V PS+ PE++ Y+ PGP++ t 5 X+ R tv- b+ DI+ D++ G++ e++ h-- r+ y++

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1i
Comment: Public key at http://www.citi.com.mx/~mhoz/pgpkey.html

iQCVAwUBOlURrASuTAgEVOjZAQFzcAQAnLtSK0eOJorsuLYWjcpHPb90WlbGTwWb
I2LH0uJpB9Qte1FYwIQP7/iqxlz3iXxu2in9iicb15SQPDvg3nthJkV64ZpsSthb
CTr8zIgP6nKek8gz9IqPa19oQ8qLxaL+eo/K+/+qgPQZMdLSi7kJ4ARFh0G/D6V8
wOQLC92Ly00=
=eakQ
-----END PGP SIGNATURE-----

Attachment: files.zip.sig
Description:

Attachment: files.zip
Description:
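As an added example (this is not the author's parser.ksh, which is not reproduced on this page, nor any script from the list), the following POSIX shell function profiles the scan pattern the post describes in items b) through e): for every source that probed port 12345 more than once it reports the first and last destination host octet seen, the number of probes, the most common inter-packet delay, the observed duration, and the time a full sweep from that starting host to .254 would take at that delay. The log format (epoch seconds, source IP, destination IP, destination port) and the log lines themselves are constructed for this example; real firewall logs will need their own field extraction.

```shell
#!/bin/sh
# Constructed sample firewall log (not real data): epoch-second timestamp,
# source IP, destination IP, destination port. The first two sources probe
# port 12345 host by host at ~5 s intervals; the third is unrelated noise.
SAMPLE_LOG='977640747 10.0.0.1 192.168.1.11 12345
977640752 10.0.0.1 192.168.1.12 12345
977640757 10.0.0.1 192.168.1.13 12345
977640763 10.0.0.1 192.168.1.14 12345
977640768 10.0.0.1 192.168.1.15 12345
977641000 10.0.0.2 192.168.1.96 12345
977641005 10.0.0.2 192.168.1.97 12345
977641010 10.0.0.2 192.168.1.98 12345
977641015 10.0.0.2 192.168.1.99 12345
977641500 10.0.0.3 192.168.1.5 80'

# profile_scans: read log lines on stdin and print, per source that hit
# port 12345 at least twice, one line of:
#   src first_host last_host probes typical_delay duration projected_full_sweep
# "typical_delay" is the most frequent gap between consecutive probes, and
# "projected_full_sweep" is (254 - first_host) * typical_delay seconds, i.e.
# how long a sweep from the starting host up to .254 would take at that rate.
profile_scans() {
    awk '$4 == 12345 {
            src = $2
            split($3, o, ".")
            host = o[4] + 0
            n[src]++
            if (!(src in first)) { first[src] = $1; lo[src] = host; hi[src] = host }
            if (host < lo[src]) lo[src] = host
            if (host > hi[src]) hi[src] = host
            # count each inter-probe delay so the mode can be picked in END
            if (src in last) { d = $1 - last[src]; delay[src, d]++ }
            last[src] = $1
        }
        END {
            for (src in n) {
                if (n[src] < 2) continue
                best = 0; typ = 0
                for (k in delay) {
                    split(k, p, SUBSEP)
                    if (p[1] == src && delay[k] > best) { best = delay[k]; typ = p[2] }
                }
                printf "%s %d %d %d %d %d %d\n", src, lo[src], hi[src], n[src], typ,
                       last[src] - first[src], (254 - lo[src]) * typ
            }
        }' | sort
}

# Usage: feed real log lines (already reduced to the four fields above) on
# stdin, e.g.  profile_scans < reduced.log
printf '%s\n' "$SAMPLE_LOG" | profile_scans
```

With the sample above the first source starts at .11 with a 5-second cadence, which projects to 1215 seconds (about 20 minutes) for an .11 to .254 sweep, matching the timing in item d); the second source starts at .96, the other start octet mentioned in item b). The occasional 6-second gap in the first source does not change the reported typical delay, which is the point of taking the mode rather than the mean.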

