[Dshield] Odd HTTP scan on port 25

Bill McCarty bmccarty at pt-net.net
Sun Feb 8 17:28:44 GMT 2004


Hi all,

Early this morning, I saw an odd scan by a Chinese host of twenty-nine 
hosts on my Class C network:

02/08-00:53:31.777387 211.158.81.246:2592 -> XXX.XXX.XXX.82:25
TCP TTL:48 TOS:0x0 ID:6486 IpLen:20 DgmLen:195 DF
***AP*** Seq: 0x3A3F19EA  Ack: 0xD61BC292  Win: 0xFAF0  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E 73  GET http://www.s
69 6E 61 2E 63 6F 6D 2E 63 6E 2F 20 48 54 54 50  ina.com.cn/ HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E  /1.1..Host: www.
73 69 6E 61 2E 63 6F 6D 2E 63 6E 0D 0A 41 63 63  sina.com.cn..Acc
65 70 74 3A 20 2A 2F 2A 0D 0A 50 72 61 67 6D 61  ept: */*..Pragma
3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 55 73 65 72  : no-cache..User
2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent: Mozilla/
34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B  4.0 (compatible;
20 4D 53 49 45 20 34 2E 30 31 3B 20 57 69 6E 64   MSIE 4.01; Wind
6F 77 73 20 39 35 29 0D 0A 0D 0A                 ows 95)....

Note that the scan used HTTP, but targeted port TCP/25. This may merely be 
a dumb error by the user or programmer. Or, the scan may be seeking a 
Trojan HTTP server that provides a backdoor or other function.

Anyone seen anything similar?

Cheers,

---------------------------------------------------
Bill McCarty
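As an added, defender-side example (my own code, not part of Bill's post or the DShield list): a small Python script that rebuilds the TCP payload from the Snort hex dump above, checks the byte count against the IP header's DgmLen minus the IP and TCP header lengths, and then records why the packet is odd: an HTTP request line arriving on TCP/25, an absolute URI in the request line, and a Host header naming a third party. An absolute URI plus a foreign Host is the form a browser sends to a forward proxy rather than to an origin server, which is worth flagging whichever of the explanations in the post turns out to be right. The port set, the `Packet`/`Finding` fields and the `SAMPLE_ALERT` constant (copied from the dump in the post) are my own choices for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input for the example: the Snort-style alert from the post
# (header lines plus the hex/ASCII payload dump, copied as printed there).
SAMPLE_ALERT = """\
02/08-00:53:31.777387 211.158.81.246:2592 -> XXX.XXX.XXX.82:25
TCP TTL:48 TOS:0x0 ID:6486 IpLen:20 DgmLen:195 DF
***AP*** Seq: 0x3A3F19EA  Ack: 0xD61BC292  Win: 0xFAF0  TcpLen: 20
47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E 73  GET http://www.s
69 6E 61 2E 63 6F 6D 2E 63 6E 2F 20 48 54 54 50  ina.com.cn/ HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E  /1.1..Host: www.
73 69 6E 61 2E 63 6F 6D 2E 63 6E 0D 0A 41 63 63  sina.com.cn..Acc
65 70 74 3A 20 2A 2F 2A 0D 0A 50 72 61 67 6D 61  ept: */*..Pragma
3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 55 73 65 72  : no-cache..User
2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent: Mozilla/
34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B  4.0 (compatible;
20 4D 53 49 45 20 34 2E 30 31 3B 20 57 69 6E 64   MSIE 4.01; Wind
6F 77 73 20 39 35 29 0D 0A 0D 0A                 ows 95)....
"""

HEADER_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Up to 16 two-digit hex tokens separated by single spaces; the ASCII column,
# when present, is set off by at least one extra space, which ends the run.
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}(?: |$)){1,16})(?: +.*)?$")
REQUEST_LINE_RE = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/\d\.\d\r\n"
)
# Ports on which an HTTP request line is expected (my own list for the example).
HTTP_PORTS = {80, 443, 8000, 8080, 8443, 3128}
SMTP_PORT = 25


@dataclass
class Packet:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    expected_len: Optional[int]  # DgmLen - IpLen - TcpLen, when those fields were seen


def parse_snort_alert(text: str) -> Packet:
    """Rebuild the TCP payload from a Snort hex/ASCII packet dump."""
    header = None
    lens = {}
    raw = bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m and header is None:
            header = m
            continue
        for name in ("IpLen", "DgmLen", "TcpLen"):
            lm = re.search(name + r":\s*(\d+)", line)
            if lm:
                lens[name] = int(lm.group(1))
        h = HEX_RE.match(line)
        if h:
            raw += bytes.fromhex(h.group(1).replace(" ", ""))
    if header is None:
        raise ValueError("no packet header line found")
    expected = None
    if all(k in lens for k in ("IpLen", "DgmLen", "TcpLen")):
        expected = lens["DgmLen"] - lens["IpLen"] - lens["TcpLen"]
    ts, src, sport, dst, dport = header.groups()
    return Packet(ts, src, int(sport), dst, int(dport), bytes(raw), expected)


@dataclass
class Finding:
    method: str
    target: str
    host: Optional[str]
    notes: List[str] = field(default_factory=list)


def classify_http_request(pkt: Packet) -> Optional[Finding]:
    """Return a Finding if the payload starts with an HTTP request, else None."""
    text = pkt.payload.decode("latin-1")
    m = REQUEST_LINE_RE.match(text)
    if not m:
        return None
    method, target = m.groups()
    hm = re.search(r"\r\nHost:[ \t]*([^\r\n]+)", text)
    f = Finding(method, target, hm.group(1).strip() if hm else None)
    if pkt.dport == SMTP_PORT:
        f.notes.append("HTTP request on the SMTP port (SMTP expects HELO/EHLO, not a request line)")
    elif pkt.dport not in HTTP_PORTS:
        f.notes.append(f"HTTP request on non-HTTP port {pkt.dport}")
    if target.lower().startswith(("http://", "https://")):
        f.notes.append("absolute URI in the request line: the form a client sends to a forward proxy")
    if f.host and f.host.split(":")[0] != pkt.dst:
        f.notes.append(f"Host header names {f.host}, not the destination {pkt.dst}")
    return f


if __name__ == "__main__":
    pkt = parse_snort_alert(SAMPLE_ALERT)
    print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}, "
          f"{len(pkt.payload)} payload bytes (header says {pkt.expected_len})")
    finding = classify_http_request(pkt)
    if finding:
        for note in finding.notes:
            print(" -", note)
```

The DgmLen cross-check matters when working from a pasted dump: if the reconstructed payload is shorter than the header promises, some hex lines were lost in transit and the request body is not what you are looking at. For this packet the dump is complete (155 bytes either way).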
