RE: port 9274?

From: Royans Tharakan (RTharakanat_private)
Date: Fri Dec 28 2001 - 13:09:44 PST

    This is not new. There has been a logged incident dated Dec 11th.
    http://www.incidents.org/diary.php?id=115
    
    http://keir.net/attacklist.html
    This link talks about a probable "BackGate" Rootkit installed on this
    port.
    The systems with this rootkit installed had this port open for
    listening.
    
    http://cert.uni-stuttgart.de/archive/incidents/2001/02/msg00355.html
    This link talks about a rootkit of some sort installing wingate3.0 as
    MMtask.exe which listens on this port.
    
    If you send me more dumps I'll try to do more analysis. A raw tcpdump dump
    would be extremely helpful.
    
    regards,
    Royans
    
    
    -----Original Message-----
    From: John Kinsella [mailto:jlkat_private]
    Sent: Friday, December 28, 2001 8:58 AM
    To: incidentsat_private
    Subject: port 9274?
    
    
    Anybody got an idea of what this might be?  I've seen it on a few of my
    IDS sensors this morning:
    
    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.3400 [**]
    12/28-08:06:06.702394 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
    TCP TTL:115 TOS:0x0 ID:14182 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.2908 [**]
    12/28-08:06:09.511201 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
    TCP TTL:115 TOS:0x0 ID:14500 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    Quick look around the various sites doesn't seem to indicate much
    knowledge about a service running on 9274.  Source port seems to change
    for each destination IP, and probes each IP twice about 3 seconds apart.
    
    John
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
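To check John's observation (each destination hit twice, a few seconds apart, from the same source port) against a whole alert file instead of eyeballing it, here is an added example that is not part of the original thread: a parser for the Snort full-alert layout quoted above plus a check that groups bare SYNs to 9274 and reports the repeats. The sample alert text is constructed from the two quoted blocks with placeholder addresses, and `parse_alerts` / `find_repeated_syn_probes` are names chosen here, not from any Snort tooling.

```python
import re
from datetime import datetime

# Constructed sample in the Snort full-alert layout quoted in the thread
# (TCP Options line omitted); addresses are placeholders, not real hosts.
SAMPLE_ALERTS = """\
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.3400 [**]
12/28-08:06:06.702394 10.0.0.5:4513 -> 192.0.2.10:9274
TCP TTL:115 TOS:0x0 ID:14182 IpLen:20 DgmLen:48 DF
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.2908 [**]
12/28-08:06:09.511201 10.0.0.5:4513 -> 192.0.2.10:9274
TCP TTL:115 TOS:0x0 ID:14500 IpLen:20 DgmLen:48 DF
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
"""

# Block line 2: timestamp src:sport -> dst:dport; line 4: 12UAPRSF flags + Seq
HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)")


def parse_alerts(text):
    """Return (ts, src, sport, dst, dport, flags, seq) tuples, one per alert block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 4 or not (hdr := HDR.match(lines[1])) \
                or not (flg := FLAGS.match(lines[3])):
            continue  # not a TCP alert block in the expected layout
        ts = datetime.strptime(hdr[1], "%m/%d-%H:%M:%S.%f")  # Snort omits the year
        alerts.append((ts, hdr[2], int(hdr[3]), hdr[4], int(hdr[5]), flg[1], flg[2]))
    return alerts


def find_repeated_syn_probes(text, port=9274, window=5.0):
    """Group bare SYNs to `port` by (src, sport, dst) and report keys hit 2+ times
    within `window` s; identical Seq on the repeat means a retransmitted SYN."""
    groups = {}
    for ts, src, sport, dst, dport, flags, seq in parse_alerts(text):
        if dport == port and "S" in flags and "A" not in flags:
            groups.setdefault((src, sport, dst), []).append((ts, seq))
    report = {}
    for key, hits in groups.items():
        hits.sort()
        gap = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(hits) >= 2 and gap <= window:
            report[key] = {"count": len(hits), "gap_seconds": gap,
                           "retransmit": len({s for _, s in hits}) == 1}
    return report
```

A `retransmit` of True (same Seq and source port on the second SYN) means the sensor saw one unanswered connection attempt repeated by the sender's TCP stack, which is worth knowing before reading the pair as two deliberate probes.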



    This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 20:24:11 PST