[Dshield] Combo: TCP port 3127 and TCP port 594

John Sage jsage at finchhaven.com
Wed Feb 11 16:23:07 GMT 2004


Found this interesting: a download to TCP:3127, immediately followed
by three attempts to connect to TCP:594 over roughly the next sixty
minutes.


input: snort211.log-Feb.11.07:11
filter: ip and ( src host 62.195.73.248 )
#
T 2004/02/11 06:03:20.771343 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [S]
#
T 2004/02/11 06:03:20.943105 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [A]
#
T 2004/02/11 06:03:20.947023 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [AP]
  85                                                    .
#
T 2004/02/11 06:03:20.953516 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [AP]
  13 3c 9e a2 4d 5a 50 00    02 00 00 00 04 00 0f 00    .<..MZP.........
  ff ff 00 00 b8 00 00 00    00 00 00 00 40 00 1a 00    ............@...
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 02 00 00 ba 10 00 0e    1f b4 09 cd 21 b8 01 4c    ............!..L
  cd 21 90 90 54 68 69 73    20 70 72 6f 67 72 61 6d    .!..This program
  20 6d 75 73 74 20 62 65    20 72 75 6e 20 75 6e 64     must be run und
  65 72 20 57 69 6e 33 32    0d 0a 24 37 00 00 00 00    er Win32..$7....
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................

/* snip */

  02 38 03 b0 01 c3 26 7c    ed 42 06 93 c0 d6 9f cf    .8....&|.B......
  30 c3 87 c5 f8 15 2d d1    05 85 6b a6 26 4c 22 d6    0.....-...k.&L".
  bc d4 ad 02 e7 84 56 5f    08 19 dd eb 71 ba f7 0c    ......V_....q...
  5b 04 21 38 c3 99 f5 13    f7 c7 b6 08 23 4b 3e 30    [.!8........#K>0
  83 c6 04 83 c3 02 86 9b    ba ae 60 4b 02 7c 0a a8    ..........`K.|..
  43 40 0a 74 d7 14 74 ff    d9 43 eb 2f 3b eb 73 25    C@.t..t..C./;.s%
  e2 13 a1 1c 23 aa 03 fb    c3 ff ae 12 ba 10 33 40    ....#.........3@
  06 6d 0d c1                                           .m..
#
T 2004/02/11 06:03:21.494566 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [A]
#
T 2004/02/11 06:03:38.651680 62.195.73.248:1662 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:03:41.657031 62.195.73.248:1662 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:03:47.672761 62.195.73.248:1662 -> 24.19.14x.yyy:594 [S]
#

/* time passes */

T 2004/02/11 06:31:45.229686 62.195.73.248:1855 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:31:48.097134 62.195.73.248:1855 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:31:54.118502 62.195.73.248:1855 -> 24.19.14x.yyy:594 [S]
#

/* time passes */

T 2004/02/11 06:59:25.360281 62.195.73.248:1981 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:59:28.325588 62.195.73.248:1981 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:59:34.245367 62.195.73.248:1981 -> 24.19.14x.yyy:594 [S]
exit



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
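One way to turn this observation into a repeatable check, as an added example that is not part of John's post: the Python below parses ngrep-style text output like the capture above (an abbreviated, constructed copy of that capture is embedded as sample input), reassembles the bytes pushed to TCP 3127 per flow, looks for an executable header (`MZ`, followed by the "must be run under Win32" DOS stub text) within the first few bytes of the stream, and then counts SYN-only attempts from the same source to TCP 594 during the following hour. The 56-column hex layout, the port numbers and the one-hour window are assumptions taken from this capture; the five bytes that precede `MZ` in the stream are reported as a hex prefix, not interpreted.

```python
"""Correlate an executable upload to one TCP port with follow-on SYN probes
to a second port, over ngrep-style text output (added example, constructed)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: an abbreviated copy of the capture in the post above.
SAMPLE_LOG = """\
T 2004/02/11 06:03:20.771343 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [S]
#
T 2004/02/11 06:03:20.943105 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [A]
#
T 2004/02/11 06:03:20.947023 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [AP]
  85                                                    .
#
T 2004/02/11 06:03:20.953516 62.195.73.248:1660 -> 24.19.14x.yyy:3127 [AP]
  13 3c 9e a2 4d 5a 50 00    02 00 00 00 04 00 0f 00    .<..MZP.........
  ff ff 00 00 b8 00 00 00    00 00 00 00 40 00 1a 00    ............@...
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 02 00 00 ba 10 00 0e    1f b4 09 cd 21 b8 01 4c    ............!..L
  cd 21 90 90 54 68 69 73    20 70 72 6f 67 72 61 6d    .!..This program
  20 6d 75 73 74 20 62 65    20 72 75 6e 20 75 6e 64     must be run und
  65 72 20 57 69 6e 33 32    0d 0a 24 37 00 00 00 00    er Win32..$7....
#
T 2004/02/11 06:03:38.651680 62.195.73.248:1662 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:03:41.657031 62.195.73.248:1662 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:31:45.229686 62.195.73.248:1855 -> 24.19.14x.yyy:594 [S]
#
T 2004/02/11 06:59:25.360281 62.195.73.248:1981 -> 24.19.14x.yyy:594 [S]
exit
"""

HEADER_RE = re.compile(
    r"^T (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) \[(?P<flags>\w+)\]$"
)
HEX_COLUMNS = 56  # assumption: ngrep -x prints 16 hex bytes in the first 56 columns, ASCII after
HEX_TOKEN_RE = re.compile(r"\b[0-9a-f]{2}\b")


@dataclass
class Packet:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes = b""


def parse_ngrep(text):
    """Turn ngrep text output into Packet objects; hex rows attach to the preceding header."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(
                ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]), flags=m["flags"]))
        elif line.startswith("  ") and packets:
            # Only the hex region is decoded; the ASCII column is ignored.
            tokens = HEX_TOKEN_RE.findall(line[:HEX_COLUMNS])
            packets[-1].payload += bytes.fromhex("".join(tokens))
    return packets


def correlate(packets, upload_port=3127, follow_port=594, window=timedelta(hours=1)):
    """One finding per flow that carried an MZ executable to upload_port, with
    the SYN-only probes the same source then sent to follow_port inside window."""
    streams, first_seen = {}, {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        streams.setdefault(key, bytearray()).extend(p.payload)
        first_seen.setdefault(key, p.ts)
    findings = []
    for key, data in streams.items():
        src, sport, dst, dport = key
        if dport != upload_port:
            continue
        mz_at = data.find(b"MZ", 0, 16)  # tolerate a short protocol prefix before the header
        if mz_at < 0:
            continue
        start = first_seen[key]
        probes = [p for p in packets
                  if p.src == src and p.dst == dst and p.dport == follow_port
                  and p.flags == "S" and start <= p.ts <= start + window]
        findings.append({
            "src": src, "dst": dst, "upload_started": start.isoformat(),
            "prefix_hex": bytes(data[:mz_at]).hex(),
            "win32_stub": b"must be run under Win32" in data,
            "follow_syn_count": len(probes),
            "follow_flows": sorted({p.sport for p in probes}),
            "minutes_to_last_probe":
                round((probes[-1].ts - start).total_seconds() / 60, 1) if probes else None,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_ngrep(SAMPLE_LOG)):
        print(finding)
```

On the sample the script reports one finding: a five-byte prefix (`85133c9ea2`) before the `MZ` header, the Win32 stub text present, and four SYN-only probes to 594 across three separate source ports, the last of them about 56 minutes after the upload began. Feeding it a full ngrep log with the same `filter:` as in the post gives the same summary per source host.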
