[Dshield] Probes to port 901

Blake McNeill mcneillb at linklogger.com
Sat Sep 27 20:26:28 GMT 2003

We captured the following scan to TCP port 901 and given no data was sent,
it's either just a port probe or it's a connection attempt to a trojan which
sends out a response on connection (likely).

TCP Port 901 PortPeeker capture
TCP Connection Request
--- 9/27/2003 02:38:19.409 : 4024 TCP Connected ID = 1
--- 9/27/2003 02:38:19.429
Status Code: 0 OK

TCP Error
--- 9/27/2003 02:38:21.832
Error Code: 10054 Winsock error in recv() : 4024 TCP Disconnected ID = 1
--- 9/27/2003 02:38:21.832
Status Code: 10053 [10053] Software caused connection abort

If someone could send me what the connection response would be for NetDevil
(or SubSeven or any other trojan that would be very helpful) then we can
configure PortPeeker to send the correct response on connection and then see
if we can get the connecting system to confirm its intent.


----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Friday, September 26, 2003 12:36 PM
Subject: [Dshield] Probes to port 901

> This afternoon we have started getting probes on 901/tcp from netblock,
> which claims to be "PC Game Plaza user logins." It appears that there was
> a surge in hits on this port earlier this month... the NetDevil trojan.
> Anyone know if this is another surge of the same or something new?
> Jon R. Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA
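The distinction drawn in the reply above (a client that connects and sends nothing, versus one that speaks first) can be recorded with a small listener. This is an added example, not part of the original thread and not PortPeeker's code; the function names, outcome labels and loopback client are hypothetical and constructed for the demonstration.

```python
import socket
import threading
import time

def observe_one_connection(listener, wait_seconds=5.0):
    """Accept one connection, send nothing, and record what the client does."""
    conn, peer = listener.accept()
    start = time.monotonic()
    conn.settimeout(wait_seconds)
    data = b""
    try:
        data = conn.recv(4096)
        outcome = "client-sent-data" if data else "client-closed-silently"
    except socket.timeout:
        outcome = "client-waited-silently"   # still connected, still mute
    except ConnectionResetError:
        outcome = "client-reset-silently"    # abortive close, no payload
    finally:
        conn.close()
    return {"peer": peer[0], "outcome": outcome, "bytes": len(data),
            "held_open_s": round(time.monotonic() - start, 3)}

def demo(payload=b"", hold=0.2, wait=2.0):
    """Constructed loopback client standing in for the remote scanner."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, not 901
    listener.listen(1)
    port = listener.getsockname()[1]

    def client():
        c = socket.create_connection(("127.0.0.1", port))
        if payload:
            c.sendall(payload)
        time.sleep(hold)
        c.close()

    t = threading.Thread(target=client)
    t.start()
    try:
        return observe_one_connection(listener, wait)
    finally:
        t.join()
        listener.close()

if __name__ == "__main__":
    print(demo())                 # silent client that hangs up
    print(demo(b"HELLO"))         # client that speaks first
```

A silent outcome with a short hold time matches the capture in the post: the peer connected, sent no bytes, and dropped the connection about 2.4 seconds later.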