Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

RE: Trojan of somesort - Update
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 28 May 2004 08:15:35 -0700
  I haven't seen it yet.  But I have seen port numbers chosen
judiciously so that if you didn't pay attention to the data
volume and direction, you'd think the box was just surfing 
the web, etc -- outside source ports of 80, 110, 443, ....

Dave Gillett


-----Original Message-----
From: Derek [mailto:cissp_ds () cox net]
Sent: Thursday, May 27, 2004 11:37 AM
To: incidents () securityfocus com
Subject: Re: Trojan of somesort - Update


In-Reply-To: <182030000.1085678189 () utd49554 utdallas edu>

Paul Schmehl said:
------------------

Good luck scanning for ports.  The ports they use are completely 
arbitrary and infinitely changeable.

[snip]

I have port scanned *known* tagged boxes and found nothing to raise 
suspicions.  These guys aren't stupid.  They're going to try 

and make the 

box look as normal as possible.  Some of them even moderate 

downloads and 

uploads to try and stay under the radar and not raise 

suspicion due to 

unusual traffic patterns.


And using port knocking will make things even more invisible. 
 Anyone seen RATs using this?

Derek

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]