[Dshield] Probes to port 901

Blake McNeill mcneillb at linklogger.com
Sat Sep 27 20:26:28 GMT 2003


We captured the following scan to TCP port 901 and given no data was sent,
it's either just a port probe or it's a connection attempt to a trojan which
sends out a response on connection (likely).

TCP Port 901 PortPeeker capture
----------------------------------
TCP Connection Request
--- 9/27/2003 02:38:19.409

211.26.1.231 : 4024 TCP Connected ID = 1
--- 9/27/2003 02:38:19.429
Status Code: 0 OK

TCP Error
--- 9/27/2003 02:38:21.832
Error Code: 10054 Winsock error in recv()

211.26.1.231 : 4024 TCP Disconnected ID = 1
--- 9/27/2003 02:38:21.832
Status Code: 10053 [10053] Software caused connection abort
----------------------------------

If someone could send me what the connection response would be for NetDevil
(or SubSeven or any other trojan that would be very helpful) then we can
configure PortPeeker to send the correct response on connection and then see
if we can get the connecting system to confirm its intent.

Thanks
Blake
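
Added example (not part of the original post and not PortPeeker's own code): a Python parser for the capture format shown above that pairs each peer's connect and disconnect events, computes the connection lifetime and names the Winsock codes. It assumes an event with no connection ID, such as `TCP Error`, belongs to the most recent peer; the function names and the 5-second threshold are hypothetical choices.

```python
import re
from datetime import datetime
# The PortPeeker capture from the post above (separator lines omitted).
CAPTURE = """\
TCP Connection Request
--- 9/27/2003 02:38:19.409

211.26.1.231 : 4024 TCP Connected ID = 1
--- 9/27/2003 02:38:19.429
Status Code: 0 OK

TCP Error
--- 9/27/2003 02:38:21.832
Error Code: 10054 Winsock error in recv()

211.26.1.231 : 4024 TCP Disconnected ID = 1
--- 9/27/2003 02:38:21.832
Status Code: 10053 [10053] Software caused connection abort
"""

WINSOCK = {10053: "WSAECONNABORTED", 10054: "WSAECONNRESET"}  # standard Winsock codes
PEER = re.compile(r"(\S+) : (\d+) TCP (Connected|Disconnected) ID = (\d+)$")
STAMP = re.compile(r"--- (\S+ \S+)$")
CODE = re.compile(r"(?:Status|Error) Code: (\d+)")

def summarize(text):
    """Per connection ID: peer, start time, lifetime in seconds, Winsock codes seen."""
    sessions, cur, state = {}, None, None
    for ln in filter(None, map(str.strip, text.splitlines())):
        if m := STAMP.match(ln):
            when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
            if cur and state == "Connected":
                cur["start"] = when
            elif cur and state == "Disconnected" and "start" in cur:
                cur["seconds"] = (when - cur["start"]).total_seconds()
        elif m := CODE.match(ln):
            if cur and int(m.group(1)):  # code 0 is "OK", nothing to record
                cur["codes"].append(WINSOCK.get(int(m.group(1)), m.group(1)))
        else:  # headline line: starts a new event
            state = None  # assumption: an event without an ID belongs to the latest peer
            if m := PEER.match(ln):
                ip, port, state, cid = m.groups()
                cur = sessions.setdefault(cid, {"peer": f"{ip}:{port}", "codes": []})
    return sessions

def short_resets(text, max_seconds=5.0):
    """Peers whose connection was reset within max_seconds (threshold is an assumption)."""
    return [s["peer"] for s in summarize(text).values() if "WSAECONNRESET" in s["codes"]
            and s.get("seconds", float("inf")) <= max_seconds]
```

For the capture in this post, the single session lasts about 2.4 seconds between the connect and disconnect events and ends with a reset reported by recv().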


----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Friday, September 26, 2003 12:36 PM
Subject: [Dshield] Probes to port 901


> This afternoon we have started getting probes on 901/tcp from netblock
> 61.34.84.64/26, which claims to be "PC Game Plaza user logins." It appears
> that there was a surge in hits on this port earlier this month... the
> NetDevil trojan. Anyone know if this is another surge of the same or
> something new?
>
> Jon R. Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA