Security Incidents mailing list archives

Re: Help with an odd log file...


From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Sun, 08 Jun 2003 13:41:17 -0400

More info:

I have captures from some non-primary probing addresses now. The non-primary
addresses have not been repeating at all.

When addresses probe my target port 8247, they all use the same sequence
number 2773619225, window size 55808, and WS: 2. Source ports vary and have
even included port 0. ID varies by probing address (but is still usually
14921 on mine), as does MSS (1400 or 1416 or 1436, etc).

More speculation:

So if this is a botnet, the TCP seq might identify a subset of the network
itself, or it could be related to the target. Dest port might be the
triggering factor for the listening trojan, and source port and source
address might be the command being issued. Window 55808 and WS: 2 appear to
be universal since everyone has reported the same. MSS 1460 appears to be
universal for primary probing addresses. Has anyone found any of the
sequence numbers posted to the list on any other network?
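A defender-side check for the fingerprint described in this message, added here as an example and not part of the original post or thread: it parses constructed tcpdump-style SYN lines (the line format, addresses and timestamps are assumed, not a real capture) and flags SYNs carrying the fixed sequence number, window and window scale, keeping MSS and source port so variations such as the port-0 case stay visible. SYNs that match only the window/WS pair are reported as "partial", following the observation above that those two values look universal while the seq might vary per network.

```python
import re
from collections import defaultdict

# Values reported in the message: fixed sequence number, window 55808, WS 2.
# MSS, IP ID and source port vary, so they are recorded but not matched on.
PROBE_SEQ = 2773619225
PROBE_WIN = 55808
PROBE_WSCALE = 2

# Constructed sample lines modelled on tcpdump output (not a real capture).
SAMPLE_LOG = """\
IP 198.51.100.7.0 > 192.0.2.10.8247: Flags [S], seq 2773619225, win 55808, options [mss 1400,wscale 2], length 0
IP 198.51.100.9.40022 > 192.0.2.10.8247: Flags [S], seq 2773619225, win 55808, options [mss 1416,wscale 2], length 0
IP 203.0.113.4.51133 > 192.0.2.10.443: Flags [S], seq 1838812277, win 65535, options [mss 1460,wscale 7], length 0
IP 198.51.100.7.1025 > 192.0.2.10.8247: Flags [S], seq 2773619225, win 55808, options [mss 1436,wscale 2], length 0
IP 203.0.113.8.33100 > 192.0.2.10.8247: Flags [S], seq 91822, win 55808, options [mss 1460,wscale 2], length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[S\], seq (?P<seq>\d+), win (?P<win>\d+), options \[(?P<opts>[^\]]*)\]"
)

def parse_syn(line):
    """Return the SYN's fields as a dict, or None if the line is not a bare SYN."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {k: (int(v) if k in ("sport", "dport", "seq", "win") else v)
           for k, v in m.groupdict().items()}
    # options look like "mss 1400,nop,wscale 2"; keep only "name value" pairs
    opts = dict(o.split(" ", 1) for o in rec["opts"].split(",") if " " in o)
    rec["mss"] = int(opts.get("mss", 0))
    rec["wscale"] = int(opts.get("wscale", -1))
    return rec

def classify(rec):
    """'probe' if seq, win and WS all match; 'partial' if only win and WS do."""
    if rec["win"] == PROBE_WIN and rec["wscale"] == PROBE_WSCALE:
        return "probe" if rec["seq"] == PROBE_SEQ else "partial"
    return "normal"

def scan(log_text):
    """Group suspicious SYNs by source address: {src: [(sport, mss, verdict), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_syn(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict != "normal":
            hits[rec["src"]].append((rec["sport"], rec["mss"], verdict))
    return dict(hits)

if __name__ == "__main__":
    for src, entries in scan(SAMPLE_LOG).items():
        print(src, entries)
```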