Stumbler: Reserved IP 73.247.223.148 scan source

From: Curt Wilson (netw3_security_at_hushmail.com)
Date: 08/07/03

  • Next message: Russell Fulton: "Heads up! distributed scans and attacks targeting nsiss.dll"
    Date: 7 Aug 2003 21:51:23 -0000
    To: incidents@securityfocus.com

    Seeing scans from 73.247.223.148, src port 23807, dest
    port 36947 TCP over the last couple of months.

    This looks like the Stumbler trojan/scanner due to
    window size 55808, SACK OK and WScale = 2. However, I
    was under the impression that Stumbler used random
    source addresses when spoofing connections. I've seen
    this particular IANA reserved source address
    74.247.223.148 for a couple of months on some of my
    Black Ice sensors. The source port is always 23807, and
    destination is always 36947. I can't find any
    references for this port but of course it could be any
    old trojan, nc listener, or anything.

    There were a couple of legitimate source 12.0.0.0/8
    systems attempting to find the same destination port
    36947. Maybe spoofed, looked like more Stumbler
    traffic. These pseudo-legitimate connections were
    "from" different source IPs but used the same source
    and dest port.

    This could be from some variant of Stumbler or perhaps
    a version that's had some bugfixes applied, or some
    other tool riding the same wave.

    This is probably not new information, however I have
    not seen mention of specific port patterns wrt stumbler
    or the 55808 traffic.

    Curt Wilson
    Netw3 Security
    www.netw3.c0|\/|

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
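The fingerprint described in the post (a bare SYN with TCP window 55808, SACK permitted, window scale 2, and the fixed 23807 -> 36947 port pair) can be checked mechanically. The following is an added example written for this page, not code from the original post or from any Stumbler analysis: it parses raw TCP headers, including the option list, and separates the window/SACK/WScale fingerprint from the port pattern so the two can be reported independently, since the post notes the port pair also appeared from other source addresses. The sample segments are constructed inline for the example, not captured traffic.

```python
import struct

# Fingerprint as reported in the post.
STUMBLER_WINDOW = 55808
STUMBLER_WSCALE = 2
REPORTED_SPORT = 23807
REPORTED_DPORT = 36947

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def parse_tcp(segment: bytes) -> dict:
    """Parse a raw TCP header (no IP header) and the options that matter here.

    Returns sport, dport, flags, window, sack_ok (bool) and wscale (int or None).
    Malformed option lists raise ValueError rather than being silently skipped.
    """
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[20:data_offset]
    sack_ok = False
    wscale = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        if kind == 4 and length == 2:        # SACK permitted
            sack_ok = True
        elif kind == 3 and length == 3:      # Window scale
            wscale = opts[i + 2]
        i += length
    return {"sport": sport, "dport": dport, "flags": flags,
            "window": window, "sack_ok": sack_ok, "wscale": wscale}


def is_stumbler_like(tcp: dict) -> bool:
    """Bare SYN (no ACK) with window 55808, SACK OK and WScale 2."""
    syn_only = (tcp["flags"] & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN
    return (syn_only and tcp["window"] == STUMBLER_WINDOW
            and tcp["sack_ok"] and tcp["wscale"] == STUMBLER_WSCALE)


def matches_reported_ports(tcp: dict) -> bool:
    """The fixed 23807 -> 36947 pair from the post, checked separately."""
    return tcp["sport"] == REPORTED_SPORT and tcp["dport"] == REPORTED_DPORT


def build_syn(sport: int, dport: int, window: int, options: bytes) -> bytes:
    """Build a constructed SYN segment for testing (not captured traffic)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to 32-bit words
    off_flags = (((20 + len(options)) // 4) << 12) | TCP_FLAG_SYN
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0) + options


# Raw TCP option encodings.
MSS_1460 = b"\x02\x04\x05\xb4"
SACK_OK = b"\x04\x02"
NOP = b"\x01"
WSCALE_2 = b"\x03\x03\x02"

# Constructed samples: (source IP as seen by a sensor, raw TCP segment).
SAMPLE_SEGMENTS = [
    ("73.247.223.148", build_syn(23807, 36947, 55808, MSS_1460 + SACK_OK + NOP + WSCALE_2)),
    ("12.0.0.1",       build_syn(23807, 36947, 55808, SACK_OK + NOP + WSCALE_2)),
    ("192.0.2.10",     build_syn(40000, 80, 65535, MSS_1460 + SACK_OK + NOP + WSCALE_2)),
    ("198.51.100.5",   build_syn(23807, 36947, 55808, MSS_1460)),
]


def scan(segments):
    """Classify each segment by fingerprint and by the reported port pair."""
    results = []
    for src, raw in segments:
        tcp = parse_tcp(raw)
        results.append({"src": src,
                        "fingerprint": is_stumbler_like(tcp),
                        "ports": matches_reported_ports(tcp)})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_SEGMENTS):
        print(f"{r['src']:16} fingerprint={r['fingerprint']!s:5} ports={r['ports']}")
```

Keeping the option-based fingerprint and the port match as separate verdicts is deliberate: the fourth sample hits the reported port pair without the window/SACK/WScale signature, which is the case the post flags as possibly "some other tool riding the same wave". A bogon check on the source address would also be reasonable, but it must use a current list: 73.0.0.0/8 was IANA-reserved when this was written and has since been allocated.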

