[Dshield] Port 901, being used by trojan/virus

Blake McNeill mcneillb at linklogger.com
Sun Oct 5 03:30:00 GMT 2003


We have captured 901 scans using PortPeeker and posted them to this list
a while ago asking for the connection reply for this trojan which would get a
response (i.e. a login attempt) from the scanning system, and no one sent it to
us unfortunately.  So we tried a different approach where we had PortPeeker
reply to the connection with 'Go Away', but again nothing other than an
immediate disconnect from their end.

TCP Connection Request
--- 10/1/2003 05:20:53.633

217.208.67.71 : 1036 TCP Connected ID = 1
--- 10/1/2003 05:20:53.713
Status Code: 0 OK
--- Data Sent
0000   47 6F 20 61 77 61 79                                 Go away

217.208.67.71 : 1036 TCP Disconnected ID = 1
--- 10/1/2003 05:20:55.556
Status Code: 0 OK

TCP Connection Request
--- 10/1/2003 08:56:53.809

68.169.185.39 : 4764 TCP Connected ID = 1
--- 10/1/2003 08:56:53.809
Status Code: 0 OK
--- Data Sent
0000   47 6F 20 61 77 61 79                                 Go away

68.169.185.39 : 4764 TCP Disconnected ID = 1
--- 10/1/2003 08:56:56.853
Status Code: 0 OK


Blake
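Added example, not part of the original post and not PortPeeker code: a Python parser for the capture format shown above that pairs each Connected/Disconnected event, measures how long the peer stayed, and counts dumped bytes per data section. The field layout is inferred from the two sessions in the post; the month/day/year date order and the idea that peer data would appear under a data section labelled something other than "Sent" are assumptions.

```python
import re
from datetime import datetime

# The two sessions from the post, with blank, request and status lines dropped.
SAMPLE = """\
217.208.67.71 : 1036 TCP Connected ID = 1
--- 10/1/2003 05:20:53.713
--- Data Sent
0000   47 6F 20 61 77 61 79                                 Go away
217.208.67.71 : 1036 TCP Disconnected ID = 1
--- 10/1/2003 05:20:55.556
68.169.185.39 : 4764 TCP Connected ID = 1
--- 10/1/2003 08:56:53.809
--- Data Sent
0000   47 6F 20 61 77 61 79                                 Go away
68.169.185.39 : 4764 TCP Disconnected ID = 1
--- 10/1/2003 08:56:56.853
"""
EVENT = re.compile(r"^(\S+) : (\d+) TCP (Connected|Disconnected) ID = \d+$")
STAMP = re.compile(r"^--- (\d+/\d+/\d+ \d+:\d+:\d+\.\d+)$")
SECTION = re.compile(r"^--- Data (\w+)$")
HEXROW = re.compile(r"^[0-9A-F]{4}   ((?:[0-9A-F]{2} ?)+)")

def parse_sessions(text):
    """Pair Connected/Disconnected events; count dumped bytes per data section."""
    done, live, pending, section, cur = [], {}, None, None, None
    for line in map(str.rstrip, text.splitlines()):
        if m := EVENT.match(line):
            pending, section = m, None
        elif pending and (m := STAMP.match(line)):  # timestamp follows its event
            when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")  # M/D/Y assumed
            peer = (pending.group(1), int(pending.group(2)))
            if pending.group(3) == "Connected":
                cur = live[peer] = {"peer": peer, "start": when, "bytes": {}}
            elif peer in live:
                cur = live.pop(peer)
                cur["seconds"] = (when - cur["start"]).total_seconds()
                done.append(cur)
            pending = None
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section and cur and (m := HEXROW.match(line)):
            n = len(m.group(1).split())
            cur["bytes"][section] = cur["bytes"].get(section, 0) + n
    return done

def peer_was_silent(session):
    # Assumption: peer data would be dumped under a "--- Data <label>" other than "Sent".
    return set(session["bytes"]) <= {"Sent"}
```

The parser ignores lines it does not recognise, so the unabridged capture with its "TCP Connection Request" and "Status Code" lines can be fed in as-is.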






