Stumbler: Reserved IP 73.247.223.148 scan source
From: Curt Wilson (netw3_security_at_hushmail.com)
Date: 08/07/03
Date: 7 Aug 2003 21:51:23 -0000
To: incidents@securityfocus.com
Seeing scans from 73.247.223.148, src port 23807, dest
port 36947 TCP over the last couple of months.
This looks like the Stumbler trojan/scanner due to
window size 55808, sack OK and WScale = 2. However, I
was under the impression that Stumbler used random
source addresses when spoofing connections. I've seen
this particular IANA reserved source address
74.247.223.148 for a couple of months on some of my
Black Ice sensors. The source port is always 23807, and
destination is always 36947. I can't find any
references for this port but of course it could be any
old trojan, nc listener, or anything.
There were a couple of legitimate source 12.0.0.0/8
systems attempting to find the same destination port
36947. Maybe spoofed, looked like more stumbler
traffic. These pseudo-legitimate connections were
"from" different source IPs but used the same source
and dest port.
This could be from some variant of Stumbler or perhaps
a version that's had some bugfixes applied, or some
other tool riding the same wave.
This is probably not new information, however I have
not seen mention of specific port patterns wrt stumbler
or the 55808 traffic.
Curt Wilson
Netw3 Security
www.netw3.c0|\/|
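Detection logic for the pattern described in the post above, added here as an example (not code from the post, from Black Ice, or from any other product): it parses sensor lines in a constructed, made-up format and flags the window 55808 / sack OK / WScale 2 fingerprint, the 23807 -> 36947 port pair, and sources falling inside a configurable bogon prefix list. The log format, the sample lines and the prefix list are assumptions for the example.

```python
import ipaddress
import re

# TCP fingerprint and port pair attributed to Stumbler in the post (values from the post).
STUMBLER_WINDOW, STUMBLER_WSCALE = 55808, 2
STUMBLER_SRC_PORT, STUMBLER_DST_PORT = 23807, 36947
# Source prefixes that should never originate real connections. 73.0.0.0/8 was IANA-reserved
# when the post was written (2003) but has since been allocated, so this list is an
# assumption for the example and must be kept current.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in ("73.0.0.0/8", "0.0.0.0/8")]
# Constructed sensor log format used only for this example:
#   <timestamp> TCP <src>:<sport> -> <dst>:<dport> win=<window> opts=<comma list>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) win=(?P<win>\d+) opts=(?P<opts>\S*)$"
)

def parse_line(line):
    # Return a dict of fields, or None if the line is not in the expected format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: (int(v) if k in ("sport", "dport", "win") else v) for k, v in m.groupdict().items()}
    opts = rec["opts"].split(",") if rec["opts"] else []
    rec["sack_ok"] = "sackOK" in opts
    rec["wscale"] = next((int(o[len("wscale="):]) for o in opts if o.startswith("wscale=")), None)
    return rec

def classify(rec):
    # Return the Stumbler-style indicators a parsed record matches (empty list = none).
    reasons = []
    if rec["win"] == STUMBLER_WINDOW and rec["sack_ok"] and rec["wscale"] == STUMBLER_WSCALE:
        reasons.append("tcp-fingerprint:win55808/sackOK/wscale2")
    if rec["sport"] == STUMBLER_SRC_PORT and rec["dport"] == STUMBLER_DST_PORT:
        reasons.append("port-pair:23807->36947")
    if any(ipaddress.ip_address(rec["src"]) in net for net in BOGON_PREFIXES):
        reasons.append("bogon-source:" + rec["src"])
    return reasons

def scan(lines):
    # Map each parseable log line to its indicator list; unparsable lines are skipped.
    return {line.strip(): classify(rec) for line in lines if (rec := parse_line(line)) is not None}

# Constructed sample lines mirroring the traffic described in the post.
SAMPLE_LOG = """\
2003-08-07T21:40:01 TCP 73.247.223.148:23807 -> 192.0.2.10:36947 win=55808 opts=sackOK,wscale=2
2003-08-07T21:40:05 TCP 12.0.0.77:23807 -> 192.0.2.10:36947 win=55808 opts=sackOK,wscale=2
2003-08-07T21:41:00 TCP 198.51.100.5:44120 -> 192.0.2.10:80 win=65535 opts=mss=1460,sackOK,wscale=7
not a sensor line: parse_line returns None and scan skips it
""".splitlines()
```

The second sample line reproduces the post's observation that the same port pair and fingerprint also arrive "from" non-reserved sources, so the port pair and fingerprint fire without the bogon indicator.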