I realize it's in poor taste to reply to my own message, but there seems to be a little confusion about the question I was asking. I do realize that 139 is NetBIOS, 12345 is NetBus and 27374 is Sub7. And I also realize that the scan could have been accomplished by any multi-purpose scanner out there, including nmap, SuperScan, or even a Perl script. However, if you do a search on Google, or in the incidents.org CID, there are enough occurrences where these three ports are scanned together, which leads me to believe it's a tool of some sort doing the scanning, rather than just a coincidence. It's the tool that is used to scan that I am after, not the trojans that reside on the respective ports. I just thought that someone would know...

Thanks, and sorry for the confusion.

-Gary-

-----Original Message-----
From: Portnoy, Gary
Sent: Tuesday, September 11, 2001 8:47 AM
To: intrusionsat_private; incidentsat_private
Subject: Guess the tool...

Greetings,

Can anyone tell me which Windows tool is used to scan for ports 139, 12345, and 27374? (Example below.) This occurs often enough that it makes me think that it's a tool; I just can't find any mention of it anywhere...
08/20-23:43:31.292516 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:21844 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:31.292892 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:21845 IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:31.297448 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:21846 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:34.262887 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:23258 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:34.302197 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:23289 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.193115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:26960 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.340679 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:26997 IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.388758 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:27009 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Gary Portnoy
Network Administrator
gportnoyat_private
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
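One way to pick this three-port pattern out of a Snort packet log automatically, as an added example that is not from the post or from any tool named in it: the parser below reads the IP-header and TCP-flags lines, collapses retransmitted SYNs (same source port and sequence number), and flags a source whose first SYN to each of 139, 12345 and 27374 falls within a short window. The sample is five packets lifted from the post, with the MY.NET placeholder kept as written.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort packet-log IP line "MM/DD-HH:MM:SS.usec src:sport -> dst:dport TCP ..."
# is followed by the TCP flags line; "******S*" marks a SYN-only probe.
IP_LINE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) TCP")
SEQ_LINE = re.compile(r"^\*{6}S\* Seq: (?P<seq>0x[0-9A-Fa-f]+) Ack: 0x0")
SIGNATURE_PORTS = frozenset({139, 12345, 27374})  # NetBIOS, NetBus, Sub7

def parse_syns(text):
    """Yield (ts, src, sport, dport, seq) for every SYN-only packet in the log."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m, s = IP_LINE.match(line), SEQ_LINE.match(lines[i + 1])
        if m and s:
            ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
            yield ts, m["src"], int(m["sport"]), int(m["dport"]), s["seq"]

def unique_syns(text):
    """Collapse retransmitted SYNs: same source port and sequence number = one probe."""
    return {(src, sport, dport, seq) for _, src, sport, dport, seq in parse_syns(text)}

def find_port_clusters(text, window_seconds=60):
    """Map src -> (first_ts, last_ts) when its first SYNs to all SIGNATURE_PORTS fit in the window."""
    first_seen = defaultdict(dict)  # src -> {dport: timestamp of first SYN}
    for ts, src, _, dport, _ in parse_syns(text):
        if dport in SIGNATURE_PORTS:
            first_seen[src].setdefault(dport, ts)
    hits = {}
    for src, ports in first_seen.items():
        if SIGNATURE_PORTS.issubset(ports):
            lo, hi = min(ports.values()), max(ports.values())
            if (hi - lo).total_seconds() <= window_seconds:
                hits[src] = (lo, hi)
    return hits

# Sample from the post (Ethernet and TCP-options lines dropped); the two
# 23:43:34 packets are SYN retransmissions of earlier probes.
SAMPLE = """\
08/20-23:43:31.292516 209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:21844 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F Ack: 0x0 Win: 0x4000 TcpLen: 28
08/20-23:43:31.292892 209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:21845 IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0 Ack: 0x0 Win: 0x4000 TcpLen: 28
08/20-23:43:31.297448 209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:21846 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088 Ack: 0x0 Win: 0x4000 TcpLen: 28
08/20-23:43:34.262887 209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:23258 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088 Ack: 0x0 Win: 0x4000 TcpLen: 28
08/20-23:43:34.302197 209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:23289 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F Ack: 0x0 Win: 0x4000 TcpLen: 28
"""
```

Run `find_port_clusters(SAMPLE)` to get the scanning source with the time span of its three first probes; `unique_syns(SAMPLE)` shows the five logged packets collapse to three distinct probes.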
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 08:28:43 PDT