[Dshield] Re: [LOGS] tcp:27374 upsurge? - ACID Incident Report

John Sage jsage at finchhaven.com
Sat Jul 6 04:43:07 GMT 2002


On Fri, Jul 05, 2002 at 11:16:05AM -0400, James C. Slora, Jr. wrote:
> John Sage wrote Tuesday, July 02, 2002 8:59 AM:
> 
> >When looking back over the last week's records, nothing for tcp:27374
> >until yesterday, and then quite a few...
> 
> I've had a little uptick in 27374 probes in the past few days, plus probes
> for other backdoors that have had no activity for quite a while.

Yes. I've had a few more.

> 17300 (Kuang2 and derivatives) - one spray and pray probe.

17300 here, too:

Date: Fri, 5 Jul 2002 17:36:44 -0700
To: toot at sparky.finchhaven.net
Subject: ACID Incident Report
From: ACID Alert <acid at finchhaven.com>

Generated by ACID v0.9.6b21 on Fri July 05, 2002 17:36:44

------------------------------------------------------------------------------
#(234 - 12) [2002-07-05 14:06:35]  TCP to 17300 Kuang2
IPv4: 211.200.169.129 -> 12.82.142.46
      hlen=5 TOS=0 dlen=48 ID=11010 flags=0 offset=0 TTL=115 chksum=50427
TCP:  port=3515 -> dport: 17300  flags=******S* seq=2555313479
      ack=0 off=7 res=0 win=16384 urp=0 chksum=17519
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(234 - 11) [2002-07-05 14:06:32]  TCP to 17300 Kuang2
IPv4: 211.200.169.129 -> 12.82.142.46
      hlen=5 TOS=0 dlen=48 ID=10940 flags=0 offset=0 TTL=115 chksum=50497
TCP:  port=3515 -> dport: 17300  flags=******S* seq=2555313479
      ack=0 off=7 res=0 win=16384 urp=0 chksum=17519
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
> 1524 (Trinoo) - several targeted attempts on a single host. A couple of them
> are from an International Volleyball Federation web server that appears to
> have been converted to a DDOS zombie controller, based on the odd http
> content it serves up. It appears to probe for trinoo clients when a user
> visits another related site. One other server probed us for Trinoo - also
> targeted against one host, no relationship found to user activity.

None lately..


> Maybe these are related to the DDOS tool payloads installed by the Scalper
> worm and other tools that might be installed on chunk-vulnerable web
> servers.

Interesting..


- John
-- 
^ALÍ! This program cannot be run in DOS mode.^M

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
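The report above and the "spray and pray" versus "targeted attempts on a single host" distinction in the quoted text lend themselves to a small triage script. The following is an added example, not code from the original post or from ACID itself: it parses ACID e-mail records of the shape shown above, collapses SYN retransmissions (the two Kuang2 alerts share source port 3515 and sequence number 2555313479 three seconds apart, which reads as one connection attempt retried by the probing host's TCP stack, an inference rather than a fact the report states), and then tallies distinct attempts per source and destination port. The two Kuang2 records are copied from the report; the two Trinoo records, the source 192.0.2.77 and their timestamps are constructed.

```python
import re
from collections import defaultdict

# Two records copied from the ACID report above; the two Trinoo records
# (source 192.0.2.77, timestamps, seq/port values) are CONSTRUCTED for the example.
ACID_REPORT = """\
------------------------------------------------------------------------------
#(234 - 12) [2002-07-05 14:06:35]  TCP to 17300 Kuang2
IPv4: 211.200.169.129 -> 12.82.142.46
      hlen=5 TOS=0 dlen=48 ID=11010 flags=0 offset=0 TTL=115 chksum=50427
TCP:  port=3515 -> dport: 17300  flags=******S* seq=2555313479
      ack=0 off=7 res=0 win=16384 urp=0 chksum=17519
Payload: none
------------------------------------------------------------------------------
#(234 - 11) [2002-07-05 14:06:32]  TCP to 17300 Kuang2
IPv4: 211.200.169.129 -> 12.82.142.46
      hlen=5 TOS=0 dlen=48 ID=10940 flags=0 offset=0 TTL=115 chksum=50497
TCP:  port=3515 -> dport: 17300  flags=******S* seq=2555313479
      ack=0 off=7 res=0 win=16384 urp=0 chksum=17519
Payload: none
------------------------------------------------------------------------------
#(234 - 13) [2002-07-05 15:10:01]  TCP to 1524 Trinoo
IPv4: 192.0.2.77 -> 12.82.142.46
      hlen=5 TOS=0 dlen=48 ID=100 flags=0 offset=0 TTL=115 chksum=1
TCP:  port=4001 -> dport: 1524  flags=******S* seq=1000
      ack=0 off=7 res=0 win=16384 urp=0 chksum=2
Payload: none
------------------------------------------------------------------------------
#(234 - 14) [2002-07-05 15:12:40]  TCP to 1524 Trinoo
IPv4: 192.0.2.77 -> 12.82.142.46
      hlen=5 TOS=0 dlen=48 ID=101 flags=0 offset=0 TTL=115 chksum=3
TCP:  port=4002 -> dport: 1524  flags=******S* seq=2000
      ack=0 off=7 res=0 win=16384 urp=0 chksum=4
Payload: none
"""

HEADER_RE = re.compile(r"^#\((\d+) - (\d+)\) \[([^\]]+)\]\s+(.*)$")
IPV4_RE = re.compile(r"^IPv4: (\S+) -> (\S+)")
TCP_RE = re.compile(r"^TCP:\s+port=(\d+) -> dport: (\d+)\s+flags=(\S+) seq=(\d+)")


def parse_acid(text):
    """Split an ACID e-mail report into one dict per alert record."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # "#(sid - cid) [timestamp]  signature" starts a new record
            current = {"sid": int(m.group(1)), "cid": int(m.group(2)),
                       "time": m.group(3), "signature": m.group(4).strip()}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = IPV4_RE.match(line)
        if m:
            current["src"], current["dst"] = m.group(1), m.group(2)
            continue
        m = TCP_RE.match(line)
        if m:
            current["sport"], current["dport"] = int(m.group(1)), int(m.group(2))
            current["flags"], current["seq"] = m.group(3), int(m.group(4))
    return alerts


def collapse_retransmits(alerts):
    """Merge alerts sharing (src, sport, dst, dport, seq): an unanswered SYN is
    retried with the same sequence number, so they are one connection attempt."""
    attempts = {}
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"], a["seq"])
        if key not in attempts:
            attempts[key] = dict(a, alert_count=0, times=[])
        attempts[key]["alert_count"] += 1
        attempts[key]["times"].append(a["time"])
    return list(attempts.values())


def summarize(attempts):
    """Per (src, dport): distinct attempts, distinct targets, raw alert count."""
    summary = defaultdict(lambda: {"attempts": 0, "targets": set(), "alerts": 0})
    for t in attempts:
        s = summary[(t["src"], t["dport"])]
        s["attempts"] += 1
        s["targets"].add(t["dst"])
        s["alerts"] += t["alert_count"]
    return dict(summary)


def classify(entry):
    """One attempt is background noise; repeats against one host is targeted."""
    if entry["attempts"] == 1:
        return "single probe"
    if len(entry["targets"]) == 1:
        return "repeated, targeted"
    return "repeated, scanning"


if __name__ == "__main__":
    for (src, dport), entry in summarize(collapse_retransmits(parse_acid(ACID_REPORT))).items():
        print(f"{src:>16} -> tcp/{dport:<5} {entry['attempts']} attempt(s), "
              f"{entry['alerts']} alert(s), {len(entry['targets'])} target(s): {classify(entry)}")
```

Counting attempts rather than raw alerts is the point: the two Kuang2 alerts collapse to a single probe, while the constructed pair of Trinoo SYNs with distinct sequence numbers against one host comes out as the repeated, targeted pattern that deserves a second look.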