RE: Guess the tool...

From: Portnoy, Gary (gportnoyat_private)
Date: Wed Sep 12 2001 - 05:18:54 PDT


    I realize it's in poor taste to reply to my own message, but there seems to
    be a little confusion about the question I was asking.
    
    I do realize that 139 is NetBIOS, 12345 is NetBus and 27374 is Sub7.  And I
    also realize that the scan could have been accomplished by any multi-purpose
    scanner out there, including nmap, SuperScan, or even a Perl script.
    However, if you do a search on Google, or in the incidents.org CID, there
    are enough occurrences where these three ports are scanned together, which
    leads me to believe it's a tool of some sort doing the scanning, rather than
    just a coincidence.  It's the tool that is used to scan that I am after, not
    the trojans that reside on the respective ports.  I just thought that
    someone would know...
    
    Thanks, and sorry for the confusion.
    
    -Gary-
    
    -----Original Message-----
    From: Portnoy, Gary 
    Sent: Tuesday, September 11, 2001 8:47 AM
    To: intrusionsat_private; incidentsat_private
    Subject: Guess the tool...
    
    
    Greetings,
    
    Can anyone tell me which Windows tool is used to scan for ports 139, 12345,
    and 27374?  (Example below.)  This occurs often enough that it makes me think
    that it's a tool, I just can't find any mention of it anywhere...
    
    08/20-23:43:31.292516 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:21844
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:43:31.292892 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:21845
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:43:31.297448 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:21846
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:43:34.262887 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:23258
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:43:34.302197 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:23289
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:44:06.193115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:26960
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:44:06.340679 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:26997
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    08/20-23:44:06.388758 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
    209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:27009
    IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK 
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    Gary Portnoy
    Network Administrator
    gportnoyat_private
    
    PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
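As an added example (not from the post, and not any of the tools it names), here is a defender-side Python script that parses Snort packet logs in the layout quoted above, collapses the TCP retransmits (the records at 23:43:34 and 23:44:06 repeat the source port and Seq number of the first probe to each port, so they are the same three sockets retrying, not new probes) and flags a source that hits all three of 139, 12345 and 27374 on one host within a short window. The sample log is a constructed excerpt modelled on the post's records; the 60-second window and the port set are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed excerpt in the Snort packet-log layout quoted in the post (IpLen and Options lines
# dropped; the parser ignores them). Record 4 repeats record 3's source port and Seq: a TCP retransmit.
SAMPLE_LOG = """\
08/20-23:43:31.292516 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:21844
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
08/20-23:43:31.292892 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:21845
******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
08/20-23:43:31.297448 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:21846
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
08/20-23:43:34.262887 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:23258
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP ")
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)")
SIGNATURE_PORTS = frozenset({139, 12345, 27374})  # the triple the post asks about (assumed set)

def parse_syns(text):
    """Yield (ts, src, sport, dst, dport) per distinct SYN; a repeated (src, sport, Seq) is a retransmit."""
    seen, ts, ip = set(), None, None
    for line in text.splitlines():
        if m := TS_RE.match(line):
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
        elif m := IP_RE.match(line):
            ip = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        elif (m := TCP_RE.match(line)) and ts and ip:
            flags, seq = m.groups()
            if "S" in flags and "A" not in flags and (ip[0], ip[1], seq) not in seen:
                seen.add((ip[0], ip[1], seq))
                yield (ts,) + ip

def find_port_set_scans(text, ports=SIGNATURE_PORTS, window=60):
    """Return {(src, dst): probe_count} where one source hit every port in `ports` on a host within `window` s."""
    probes = defaultdict(list)
    for ts, src, _sport, dst, dport in parse_syns(text):
        if dport in ports:
            probes[(src, dst)].append((ts, dport))
    hits = {}
    for pair, plist in probes.items():
        span = (max(t for t, _ in plist) - min(t for t, _ in plist)).total_seconds()
        if {p for _, p in plist} >= ports and span <= window:
            hits[pair] = len(plist)
    return hits
```

On the sample the three distinct probes land within about 5 ms of each other, which is the kind of tight inter-probe spacing that points at one program walking a fixed port list rather than a coincidence of separate connections.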
    