Virus.Org Mailing List Archive
[Dshield] 2 new probe patterns
  • To: [EMAIL PROTECTED]
  • Subject: [Dshield] 2 new probe patterns
  • From: "Jon R. Kibler" <[EMAIL PROTECTED]>
  • Date: Fri, 17 Oct 2003 14:56:20 -0400
  • Old-x-envelope-to: [EMAIL PROTECTED]
  • Organization: Advanced Systems Engineering Technology, Inc.
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
Greetings:

We have seen two new probe patterns emerge in the past couple of days. The first is scans of tcp ports 12345, 1243, and 27374 against several IPs, all in rapid succession. For example, here is an extract from one of our reports that shows this problem:

>     IP 211.58.26.zz
>         tcp     12345          12	Adoresshd 		[trojan] Adore sshd
>					Ashley 			[trojan] Ashley
>					cron/crontab 		[trojan] cron / crontab
>					FatBitchtrojan 		[trojan] Fat Bitch trojan
>					GabanBus 		[trojan] GabanBus
>					icmp_client.c 		[trojan] icmp_client.c
>					icmp_pipe.c 		[trojan] icmp_pipe.c
>					Mypic 			[trojan] Mypic
>					NetBusToy 		[trojan] NetBus Toy
>					NetBus 			[trojan] NetBus
>					NetBus                  [trojan] NetBus backdoor trojan
>					NetBusworm 		[trojan] NetBus worm
>					PieBillGates 		[trojan] Pie Bill Gates
>					TMListen		TrendMicro OfficeScan TMListen
>					ValvNet 		[trojan] ValvNet
>					WhackJob 		[trojan] Whack Job
>					X-bill 			[trojan] X-bill
>                  1243           8	serialgateway           SerialGateway
>					BackDoor-G 		[trojan] BackDoor-G
>					SubSevenApocalypse 	[trojan] SubSeven Apocalypse
> 					SubSeven 		[trojan] SubSeven
> 					Tiles 			[trojan] Tiles
>                 27374           5	BadBlood 		[trojan] Bad Blood
> 					EGO 			[trojan] EGO
> 					FakeSubSeven 		[trojan] Fake SubSeven
> 					Lion 			[trojan] Lion
> 					Ramen 			[trojan] Ramen
> 					Seeker 			[trojan] Seeker
> 					Subseven2.1.4DefCon8 	[trojan] Subseven 2.1.4 DefCon 8
> 					SubSeven2.1Gold 	[trojan] SubSeven 2.1 Gold
> 					SubSeven2.2 		[trojan] SubSeven 2.2
> 					SubSevenMuie 		[trojan] SubSeven Muie
> 					SubSeven 		[trojan] SubSeven
> 					TheSaint 		[trojan] The Saint
> 					Ttfloader 		[trojan] Ttfloader
> 					Webhead 		[trojan] Webhead
> 
> 
> Oct 17 09:15:30 list 110 denied tcp 211.58.26.zz(3666) -> aa.bb.cc.64(12345), 1 packet
> Oct 17 09:15:31 list 110 denied tcp 211.58.26.zz(3672) -> aa.bb.cc.66(12345), 1 packet
> Oct 17 09:15:32 list 110 denied tcp 211.58.26.zz(3677) -> aa.bb.cc.67(1243), 1 packet
> Oct 17 09:15:33 list 110 denied tcp 211.58.26.zz(3684) -> aa.bb.cc.70(12345), 1 packet
> Oct 17 09:15:34 list 110 denied tcp 211.58.26.zz(3673) -> aa.bb.cc.66(27374), 1 packet
> Oct 17 09:15:35 list 110 denied tcp 211.58.26.zz(3696) -> aa.bb.cc.74(12345), 1 packet
> Oct 17 09:15:36 list 110 denied tcp 211.58.26.zz(3702) -> aa.bb.cc.76(12345), 1 packet
> Oct 17 09:15:37 list 110 denied tcp 211.58.26.zz(3690) -> aa.bb.cc.72(12345), 1 packet
> Oct 17 09:15:38 list 110 denied tcp 211.58.26.zz(3714) -> aa.bb.cc.80(12345), 1 packet
> Oct 17 09:15:39 list 110 denied tcp 211.58.26.zz(3720) -> aa.bb.cc.82(12345), 1 packet
> Oct 17 09:15:40 list 110 denied tcp 211.58.26.zz(3709) -> aa.bb.cc.78(27374), 1 packet
> Oct 17 09:15:41 list 110 denied tcp 211.58.26.zz(3715) -> aa.bb.cc.80(27374), 1 packet
> Oct 17 09:15:42 list 110 denied tcp 211.58.26.zz(3686) -> aa.bb.cc.70(1243), 1 packet
> Oct 17 09:15:43 list 110 denied tcp 211.58.26.zz(3727) -> aa.bb.cc.84(27374), 1 packet
> Oct 17 09:15:43 list 110 denied tcp 211.58.26.zz(3698) -> aa.bb.cc.74(1243), 1 packet
> Oct 17 09:15:45 list 110 denied tcp 211.58.26.zz(3740) -> aa.bb.cc.88(1243), 1 packet
> Oct 17 09:15:46 list 110 denied tcp 211.58.26.zz(3747) -> aa.bb.cc.91(12345), 1 packet
> Oct 17 09:15:46 list 110 denied tcp 211.58.26.zz(3753) -> aa.bb.cc.93(12345), 1 packet
> Oct 17 09:15:48 list 110 denied tcp 211.58.26.zz(3759) -> aa.bb.cc.95(12345), 1 packet
> Oct 17 09:15:49 list 110 denied tcp 211.58.26.zz(3728) -> aa.bb.cc.84(1243), 1 packet
> Oct 17 09:15:50 list 110 denied tcp 211.58.26.zz(3735) -> aa.bb.cc.87(12345), 1 packet
> Oct 17 09:15:51 list 110 denied tcp 211.58.26.zz(3742) -> aa.bb.cc.89(27374), 1 packet
> Oct 17 09:15:52 list 110 denied tcp 211.58.26.zz(3749) -> aa.bb.cc.91(1243), 1 packet
> Oct 17 09:15:52 list 110 denied tcp 211.58.26.zz(3755) -> aa.bb.cc.93(1243), 1 packet
> Oct 17 09:15:55 list 110 denied tcp 211.58.26.zz(3761) -> aa.bb.cc.95(1243), 1 packet

Has anyone else seen this pattern? Any ideas what it may be? If I had to guess, it may be some new SubSeven variant, since two of the three ports hit are known to be associated with SubSeven.

The other pattern we have seen is scans to 500/udp. These just started today. Checking DShield, it appears that there was a peak of these scans about a month ago and a couple of days ago. These scans seem to be associated with VPN key exchanges. Is there some new vulnerability here?

TIA for all thoughts and feedback!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
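A defender-side way to surface the two patterns described in the message above (a single source sweeping many hosts on a small set of trojan ports, and a source walking hosts on 500/udp) is to parse the ACL deny lines and count distinct destination hosts per source inside a short time window. The following detector is an added example, not code from the original post or from DShield; it assumes the Cisco-style "list <n> denied <proto> src(port) -> dst(port)" format of the quoted log, and the addresses, timestamps and the udp/500 lines in `SAMPLE_LOG` are constructed sample data, not from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the ACL deny lines quoted in the post; "packets?" covers "1 packet" and "3 packets".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) list (?P<acl>\d+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Ports the post is concerned about: the three trojan ports plus ISAKMP (500/udp).
WATCH_PORTS = {("tcp", 12345), ("tcp", 1243), ("tcp", 27374), ("udp", 500)}

# Constructed sample log in the same format as the post (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Oct 17 09:15:30 list 110 denied tcp 192.0.2.10(3666) -> 198.51.100.64(12345), 1 packet
Oct 17 09:15:31 list 110 denied tcp 192.0.2.10(3672) -> 198.51.100.66(12345), 1 packet
Oct 17 09:15:32 list 110 denied tcp 192.0.2.10(3677) -> 198.51.100.67(1243), 1 packet
Oct 17 09:15:33 list 110 denied tcp 192.0.2.10(3684) -> 198.51.100.70(12345), 1 packet
Oct 17 09:15:34 list 110 denied tcp 192.0.2.10(3673) -> 198.51.100.66(27374), 1 packet
Oct 17 09:15:35 list 110 denied tcp 192.0.2.10(3696) -> 198.51.100.74(12345), 1 packet
Oct 17 09:15:36 list 110 denied tcp 192.0.2.10(3702) -> 198.51.100.76(12345), 1 packet
Oct 17 09:15:37 list 110 denied tcp 192.0.2.10(3690) -> 198.51.100.72(12345), 1 packet
Oct 17 09:16:02 list 110 denied udp 192.0.2.20(500) -> 198.51.100.64(500), 1 packet
Oct 17 09:16:03 list 110 denied udp 192.0.2.20(500) -> 198.51.100.65(500), 1 packet
Oct 17 09:16:04 list 110 denied udp 192.0.2.20(500) -> 198.51.100.66(500), 1 packet
Oct 17 09:20:00 list 110 denied tcp 192.0.2.30(4321) -> 198.51.100.80(80), 3 packets
Oct 17 09:20:01 list 110 denied tcp 192.0.2.30(4322) -> 198.51.100.80(80), 1 packet
"""


def parse_line(line, year=2003):
    """Parse one deny line into a dict, or return None for lines in another format.

    Syslog timestamps carry no year, so the caller supplies one (assumption: 2003, the post's date).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "count": int(d["count"])}


def find_sweeps(lines, watch_ports, min_hosts=5, window_seconds=60):
    """Report sources that hit at least min_hosts distinct destinations on watched
    ports within any window_seconds-long stretch (a horizontal sweep).

    Returns {src: {"hosts": n, "ports": [(proto, port), ...], "first": ts, "last": ts}}.
    """
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        if (e["proto"], e["dport"]) in watch_ports:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            hosts = {e["dst"] for e in window}
            if len(hosts) >= min_hosts:
                prev = alerts.get(src)
                if prev is None or len(hosts) > prev["hosts"]:
                    alerts[src] = {
                        "hosts": len(hosts),
                        "ports": sorted({(e["proto"], e["dport"]) for e in window}),
                        "first": evs[start]["ts"],
                        "last": evs[end]["ts"],
                    }
    return alerts


if __name__ == "__main__":
    for src, a in find_sweeps(SAMPLE_LOG.splitlines(), WATCH_PORTS).items():
        ports = ", ".join(f"{p}/{proto}" for proto, p in a["ports"])
        print(f"{src}: {a['hosts']} hosts on {ports} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the defaults, the tcp sweep from the constructed 192.0.2.10 is reported (seven distinct hosts on 1243, 12345 and 27374 within a few seconds) while the three udp/500 probes from 192.0.2.20 stay below the threshold; lowering `min_hosts` to 3 surfaces them too. The web traffic from 192.0.2.30 never enters the count because 80/tcp is not a watched port, which keeps the detector from flagging ordinary denied connections to one busy host.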



