From: Daniel Martin (dtmartin24HOME.COM)
Date: Thu Jan 18 2001 - 20:39:43 CST

    "Stephen P. Berry" <spbMESHUGGENEH.NET> writes:

    > For the past week or so, I've been observing what appears to be a
    > new scan pattern. Short summary:
    >
    > -A scan through an address range against port 27374
    > -A scan through the same address range against port 1234
    > -The second scan starts within a couple seconds of the end of
    > the first scan
    > -Scans originate from different networks
    >
    > Here's some sample traffic. In this example, both scans apparently
    > originate from ISPs. Of course the interesting thing isn't that
    > there were two scans from addresses owned by ISPs---that's hardly
    > a record. The interesting thing is that the two scans originate from
    > different networks and appear to be coordinated.

    I've not seen this exactly (not managing a whole netblock but just my
    own machine). What I have seen is what looks like two coordinated
    scans both to port 27374. (I usually get about 8-10 connections a day
    on this port; therefore, when I get two connection attempts from
    different networks within five seconds of each other, I get
    suspicious.)

    As you know, ports 27374 and 1243 are the default ports of the Windows
    trojan horse SubSeven.

    I have my machine running a rather crude SubSeven honeypot on those
    ports; one of the things that was quite common last month (though I
    haven't seen it this month - maybe it's time to make my honeypot more
    sophisticated) was for people to connect, give the standard SubSeven
    backdoor password, and then give a command for my SubSeven to upgrade
    itself from some URL or another.

    Anyway, what I saw at least twice last month (out of about 5 distinct
    "upgrade from this URL" requests) was that I would get these upgrade
    requests one right after another; this is too much coincidence. Once,
    I had forty different connections come in in less than one minute, all
    requesting upgrades from the same URL (and all from different machines).

    This makes me think that there exist tools for people who own some
    machines via SubSeven to probe for more such machines. One
    interesting thing to note is that occasionally the two URLs given are
    different; I'm not sure what to make of this. (Some kind of haxor
    war, with one scan following closely on the heels of another so that
    the machine is left in the control of the second scanner? I don't
    know.)

    Another pattern I've noticed is that one machine will only connect and
    disconnect without sending anything, and then the second machine will
    connect and send the SubSeven backdoor password. However, this
    doesn't sound like what you're looking at (since presumably the second
    machine wouldn't connect if the first hadn't been able to).