Security Incidents mailing list archives

RE: Guess the tool...

From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Wed, 12 Sep 2001 08:18:54 -0400
I realize it's in poor taste to reply to my own message, but there seems to
be a little confusion about the question i was asking.

I do realize that 139 is NetBios, 12345 is NetBus and 27374 is Sub7.  And I
also realize that the scan could have been accomplished by any multi-purpose
scanner out there, including  nmap, superscan, or even a perl script.
However, if you do a search on google, or in the incidents.org CID, there
are enough occurences where these three ports are scanned together, which
leads me to believe it's a tool of some sort doing the scanning, rather than
just a coincidence.  It's the tool that is used to scan that I am after, not
the trojans that reside on the respective ports.  I just thought that
someone would know...

Thanks, and sorry for the confusion.

-Gary-

-----Original Message-----
From: Portnoy, Gary 
Sent: Tuesday, September 11, 2001 8:47 AM
To: intrusions () incidents org; incidents () securityfocus com
Subject: Guess the tool...


Greetings,

Can anyone tell me which Windows tool is used to scan for ports 139, 12345,
and 27374.  (Example below) This occurs often enough that it makes me think
that it's a tool, I just can't find any mention of it anywhere...

08/20-23:43:31.292516 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:21844
IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:31.292892 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:21845
IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:31.297448 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:21846
IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:34.262887 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:23258
IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:34.302197 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:23289
IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.193115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:26960
IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.340679 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:26997
IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.388758 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:27009
IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Current thread:

Guess the tool... Portnoy, Gary (Sep 11)
- Re: Guess the tool... H C (Sep 11)
- Re: Guess the tool... Paul Gear (Sep 11)
- <Possible follow-ups>
- RE: Guess the tool... Portnoy, Gary (Sep 12)