[Dshield] Odd HTTP scan on port 25

Thor Larholm thor at pivx.com
Sun Feb 8 20:04:01 GMT 2004


You are not the only one seeing these scans.

http://groups.google.com/groups?selm=MPG.1a8f7b5c5a8856ca9899c5%40news.sf.sbcglobal.net

A scan for a trojan HTTP backdoor sounds plausible.




Regards
Thor Larholm

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>

----- Original Message ----- 
From: "Bill McCarty" <bmccarty at pt-net.net>
To: "dshield" <list at dshield.org>
Sent: Sunday, February 08, 2004 9:28 AM
Subject: [Dshield] Odd HTTP scan on port 25


> Hi all,
>
> Early this morning, I saw an odd scan by a Chinese host of twenty-nine
> hosts on my Class C network:
>
> 02/08-00:53:31.777387 211.158.81.246:2592 -> XXX.XXX.XXX.82:25
> TCP TTL:48 TOS:0x0 ID:6486 IpLen:20 DgmLen:195 DF
> ***AP*** Seq: 0x3A3F19EA  Ack: 0xD61BC292  Win: 0xFAF0  TcpLen: 20
> 47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E 73  GET http://www.s
> 69 6E 61 2E 63 6F 6D 2E 63 6E 2F 20 48 54 54 50  ina.com.cn/ HTTP
> 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E  /1.1..Host: www.
> 73 69 6E 61 2E 63 6F 6D 2E 63 6E 0D 0A 41 63 63  sina.com.cn..Acc
> 65 70 74 3A 20 2A 2F 2A 0D 0A 50 72 61 67 6D 61  ept: */*..Pragma
> 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 55 73 65 72  : no-cache..User
> 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent: Mozilla/
> 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B  4.0 (compatible;
> 20 4D 53 49 45 20 34 2E 30 31 3B 20 57 69 6E 64   MSIE 4.01; Wind
> 6F 77 73 20 39 35 29 0D 0A 0D 0A                 ows 95)....
>
> Note that the scan used HTTP, but targeted port TCP/25. This may merely be
> a dumb error by the user or programmer. Or, the scan may be seeking a
> Trojan HTTP server that provides a backdoor or other function.
>
> Anyone seen anything similar?
>
> Cheers,
>
> ---------------------------------------------------
> Bill McCarty
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
>

