Security Incidents mailing list archives
RE: Trojan of somesort - Update
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 28 May 2004 08:15:35 -0700
I haven't seen it yet. But I have seen port numbers chosen judiciously so that if you didn't pay attention to the data volume and direction, you'd think the box was just surfing the web, etc -- outside source ports of 80, 110, 443, ....

Dave Gillett
-----Original Message-----
From: Derek [mailto:cissp_ds () cox net]
Sent: Thursday, May 27, 2004 11:37 AM
To: incidents () securityfocus com
Subject: Re: Trojan of somesort - Update
In-Reply-To: <182030000.1085678189 () utd49554 utdallas edu>

Paul Schmehl said:
------------------
> Good luck scanning for ports. The ports they use are completely arbitrary and infinitely changeable.
[snip]
> I have port scanned *known* tagged boxes and found nothing to raise suspicions. These guys aren't stupid. They're going to try and make the box look as normal as possible. Some of them even moderate downloads and uploads to try and stay under the radar and not raise suspicion due to unusual traffic patterns.

And using port knocking will make things even more invisible. Anyone seen RATs using this?

Derek
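Dave's point is that the port number alone is not the signal; who opened the connection and which way the bytes flow is. The following is an added illustration (not code from anyone on this thread) of a flow-record heuristic that applies exactly that check: it looks at flows where the outside peer uses 80, 110 or 443 as its source port and flags the ones a real browser or mail client would never produce. The flow records are constructed sample data, and the thresholds are assumptions to be tuned per site.

```python
# Added example, not from the mailing-list thread. Flow records below are
# constructed sample data; upload_ratio and min_bytes are assumed thresholds.
from dataclasses import dataclass

SERVICE_PORTS = {80, 110, 443}   # service ports an outside peer might use as *source* port

@dataclass
class Flow:
    inside_ip: str
    outside_ip: str
    inside_port: int
    outside_port: int
    initiated_by_inside: bool   # did the inside host send the first packet (SYN)?
    bytes_out: int              # inside -> outside
    bytes_in: int               # outside -> inside

def suspicious(flow, upload_ratio=3.0, min_bytes=50_000):
    """Return the reasons a flow does not look like ordinary client traffic (empty if it does)."""
    reasons = []
    if flow.outside_port not in SERVICE_PORTS:
        return reasons   # not the "looks like web/mail" disguise we are checking for
    # A genuine web or POP3 client initiates the connection; an outside peer
    # connecting *to* us from source port 80/110/443 is backwards.
    if not flow.initiated_by_inside:
        reasons.append("outside peer initiated from service port %d" % flow.outside_port)
    # A browser or mail client downloads far more than it uploads; a box being
    # looted or used as a file drop does the opposite.
    if flow.bytes_out >= min_bytes and flow.bytes_out > upload_ratio * max(flow.bytes_in, 1):
        reasons.append("upload-heavy: %d bytes out vs %d in" % (flow.bytes_out, flow.bytes_in))
    return reasons

def triage(flows):
    """Map (inside_ip, outside_ip, outside_port) -> reasons, for flagged flows only."""
    return {(f.inside_ip, f.outside_ip, f.outside_port): r
            for f in flows if (r := suspicious(f))}

# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7",  51234,  80, True,    4_000, 250_000),  # normal browsing
    Flow("10.0.0.5", "198.51.100.9", 51235, 443, True,  900_000,  12_000),  # upload-heavy to "https"
    Flow("10.0.0.8", "192.0.2.44",    6000, 110, False,     120,   3_000),  # inbound from src port 110
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_FLOWS).items():
        print(key, reasons)
```

Run it over real NetFlow/sFlow exports by building Flow records from the collector's fields; the same two checks apply unchanged.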