Security Incidents
mailing list archives
Re: Trojan of somesort - Update
From: Derek <cissp_ds () cox net>
Date: 27 May 2004 18:36:50 -0000
In-Reply-To: <182030000.1085678189 () utd49554 utdallas edu>
Paul Schmehl said:
------------------
Good luck scanning for ports. The ports they use are completely
arbitrary and infinitely changeable.
[snip]
I have port scanned *known* tagged boxes and found nothing to raise
suspicions. These guys aren't stupid. They're going to try and make the
box look as normal as possible. Some of them even moderate downloads and
uploads to try and stay under the radar and not raise suspicion due to
unusual traffic patterns.
And using port knocking will make things even more invisible. Anyone seen RATs using this?
Derek