> More curious is that it specifies the source port as 15000 as well. > Generally, I've only seen source ports specified for two reasons -- to get > around IDS's by scanning from the FTP-DATA port for TCP or 53 for UDP to > look like DNS responses or when someone's hunting for a backdoor the uses > the source port as part of the authentication mechanism. I suspect that the fact that the source port and destination ports are both the same reflects common origin of this exploit tool with that of other probe tools (there is one that does this for ssh on 22 and ftp on 21). Perhaps the original author was confused about the src/dest port designations or was trying to fool an early firewall, and set the two to the same. Then that code became the starting point for multiple probe tools ever since. -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: skipat_private 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 14:41:04 PDT