Re: Syn probes at port 100008

From: Lance Spitzner (lanceat_private)
Date: Tue May 15 2001 - 09:38:52 PDT

    On Tue, 15 May 2001, Henri J. Schlereth wrote:
    
    >  I am starting to see syn probes on port 10008. I can't seem to find
    >  any references as to what uses that port. I know I am not.
    >
    >  05-14-2001  Mo  11:47:54  209.205.30.10                   10008
    >  05-14-2001  Mo  14:11:25  210.206.177.138                 10008
    >  05-14-2001  Mo  19:46:48  211.21.142.65                   10008
    >  05-15-2001  Tu  00:26:48  194.102.188.134                 10008
    
    Our Honeynet recently picked up these scans.  Below is the snort capture.
    Based on passive OS fingerprinting, it appears the source system is Linux.
    We received port 10008 scans from three different systems, all source signatures
    were the same.  This implies the scan may be for Unix-based vulnerabilities
    or a backdoor.
    
    lance
    
    -*> Snort! <*-
    Version 1.7
    By Martin Roesch (roeschat_private, www.snort.org)
    
            --== Initializing Snort ==--
    TCPDUMP file reading mode.
    Reading network traffic from "snort-0514at_private" file.
    snaplen = 1514
    
            --== Initialization Complete ==--
    05/14-04:45:01.954393 200.204.170.212:2394 -> 172.16.1.102:10008
    TCP TTL:48 TOS:0x0 ID:28181 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x19C1BA52  Ack: 0x0  Win: 0x7D78  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.961927 172.16.1.102:10008 -> 200.204.170.212:2394
    TCP TTL:46 TOS:0x0 ID:32915 IpLen:20 DgmLen:40 DF
    ***A*R** Seq: 0x0  Ack: 0x19C1BA53  Win: 0x0  TcpLen: 20
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.967340 200.204.170.212:2396 -> 172.16.1.104:10008
    TCP TTL:48 TOS:0x0 ID:28183 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x19A0AB8D  Ack: 0x0  Win: 0x7D78  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.970390 172.16.1.104:10008 -> 200.204.170.212:2396
    TCP TTL:46 TOS:0x0 ID:32916 IpLen:20 DgmLen:40 DF
    ***A*R** Seq: 0x0  Ack: 0x19A0AB8E  Win: 0x0  TcpLen: 20
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.979359 200.204.170.212:2398 -> 172.16.1.106:10008
    TCP TTL:48 TOS:0x0 ID:28185 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x19CA6878  Ack: 0x0  Win: 0x7D78  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
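A small passive-fingerprinting pass over the Snort output above, added here as an example (not code from the post or from the Honeynet Project): it parses Snort's text packet dump, rewrites the TCP options into a p0f-style layout string, and matches the SYN from 200.204.170.212 (TTL 48, Win 0x7D78, MSS/SackOK/TS/NOP/WS0) against a signature table. The table is an assumed, simplified one rather than a real p0f.fp, and the `parse_snort` and `fingerprint` names are mine.

```python
import re

# Constructed sample input, copied from the Snort output in the post above: the SYN
# probe and the honeynet's RST/ACK reply (separator lines omitted).
SNORT_TEXT = """\
05/14-04:45:01.954393 200.204.170.212:2394 -> 172.16.1.102:10008
TCP TTL:48 TOS:0x0 ID:28181 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19C1BA52  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
05/14-04:45:01.961927 172.16.1.102:10008 -> 200.204.170.212:2394
TCP TTL:46 TOS:0x0 ID:32915 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x19C1BA53  Win: 0x0  TcpLen: 20
"""
# Assumed, simplified p0f-style signature table (not a real p0f.fp file):
# (window, initial TTL, DF bit, IP length, option layout) -> label; "S4" = 4 * MSS, "M*" = any MSS.
SIGNATURES = [
    (("32120", 64, 1, 60, "M*,S,T,N,W0"), "Linux 2.2"),
    (("S4", 64, 1, 60, "M*,S,T,N,W0"), "Linux 2.4"),
]

def parse_snort(text):
    """Parse Snort's text packet dump into one dict per packet."""
    pkts = [{}]  # leading dummy so lines before the first header are harmless
    for line in text.splitlines():
        if m := re.match(r"\S+ (\S+):\d+ -> \S+:(\d+)$", line):
            pkts.append({"src": m[1], "dport": int(m[2])})
        elif m := re.match(r"TCP TTL:(\d+) .*DgmLen:(\d+)( DF)?", line):
            pkts[-1].update(ttl=int(m[1]), dgmlen=int(m[2]), df=int(bool(m[3])))
        elif m := re.match(r"(\S{8}) Seq: .*Win: (0x[0-9A-Fa-f]+)", line):
            pkts[-1].update(flags=m[1], win=int(m[2], 16))
        elif m := re.match(r"TCP Options \(\d+\) => (.*)$", line):
            # Rewrite Snort's option text into a p0f-style layout string.
            mss = re.search(r"MSS: (\d+)", m[1])
            pkts[-1]["mss"] = int(mss[1]) if mss else 0
            o = re.sub(r"MSS: \d+", "M*", re.sub(r"TS: \d+ \d+", "T", m[1]))
            o = re.sub(r"WS: (\d+)", r"W\1", o).replace("SackOK", "S").replace("NOP", "N")
            pkts[-1]["layout"] = ",".join(o.split())
    return [p for p in pkts if "src" in p]

def fingerprint(p):
    """Match one SYN against SIGNATURES; returns (label, hop estimate), or None for non-SYNs."""
    if "S" not in p["flags"] or "A" in p["flags"]:
        return None  # only the initial SYN carries the fingerprintable option set
    ittl = next(t for t in (32, 64, 128, 255) if t >= p["ttl"])  # assumed initial TTL
    for (win, sttl, df, dl, lay), label in SIGNATURES:
        want = p["mss"] * int(win[1:]) if win[0] == "S" else int(win)
        if (p["win"], ittl, p["df"], p["dgmlen"], p.get("layout")) == (want, sttl, df, dl, lay):
            return label, ittl - p["ttl"]
    return "unknown", ittl - p["ttl"]
```

Running it on the sample classifies the probe as Linux 2.2 about 16 hops away, and skips the honeynet's RST/ACK, which only tells you the port was closed.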
    
    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 10:49:29 PDT