Snort mailing list archives

RE: Re: [Snort-sigs] Scan on tcp 13000


From: twig les <twigles () yahoo com>
Date: Tue, 18 Feb 2003 14:27:57 -0800 (PST)

Incidents.org says this is the Senna Spy trojan, which led me to
Google which led me to this:
http://www.megasecurity.org/trojans/s/sstrojangenerator/SSTG2002.html

Check it out for a cynical laugh.  This thing claims to create
trojans like the virus kits create virii.  I'm actually *hoping*
this is it since it's written in VB and has little GUI
checkboxes for the "features" the kiddies want in their trojan,
which leads me to believe that this stupid kit will not get
anyone who patches/firewalls their Windows boxes or doesn't run
them (unintentional DoSes aside).


--- "Miller, Eoin" <Miller () fhlb-of com> wrote:
http://isc.incidents.org/port_details.html?port=13000

Seems to have been hitting hard in the last 2 days, I'm pretty sure
incidents.org will have a blurb about this in a week's time.

-----Original Message-----
From: Drew Stockman [mailto:Drew.Stockman () cibmis com] 
Sent: Tuesday, February 18, 2003 3:17 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


I too am seeing this type of traffic.  I am seeing it coming
from 128.83.166.35 and sweeping across one of my IP ranges.
This IP resolves to the University of Texas at Austin.
Seems to be coming out of the universities, but does anyone know
what it is yet?

Drew Stockman
Security Analyst
CIBMIS


-----Original Message-----
From: Alex Polevoy [mailto:aspolevoy () shiloh com]
Sent: Tuesday, February 18, 2003 1:06 PM
To: Snort-users () lists sourceforge net; EveristB () naswi navy mil
Subject: RE: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


My IDS registered same alerts at 21:53 2003-02-17.

"Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil> 02/18/03 01:11pm >>>
same here, 149 alerts, same host, same alert.  149 destinations,
first/last: 2003-02-17 13:58:06  2003-02-17 13:58:07

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu] 
Sent: Monday, February 17, 2003 10:57 PM
To: Michael Scheidell
Cc: Bob Dehnhardt; 'Snort Users List';
baldwinl () mynetwatchman com 
Subject: [Snort-users] Re: [Snort-sigs] Scan on tcp 13000


Michael Scheidell wrote:

Has anyone else seen any tcp scans with both source and destination
ports of 13000, SYN flag set, and a sequence ID of 674711609?

Yep, coming out of columbia.edu.

I had 1702 hits in one tarpit, let me see if they're still 
stuck... nope, but they should have been reported to
DShield... yes!

source port = 13000, dest port = 13000

Source:  128.59.52.11 = mrl-sgi.mech.columbia.edu

Ended about 21:59 (UTC? Not sure what DShield reports)

Jeff


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
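
The probe traits reported in this thread (SYN only, source and destination port both 13000, the same sequence number on every packet) are specific enough to match on directly. The following is an added example, not part of the original messages: a Python filter that applies those traits to tcpdump-style text and reports sources sweeping several destinations. The sample lines are constructed, and the documentation-range addresses, the log format and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Traits reported in the thread: SYN only, source and destination port both
# 13000, and the same TCP sequence number on every probe.
PORT = 13000
SEQ = 674711609

# Constructed sample in tcpdump's one-line text format (documentation addresses).
SAMPLE = """\
13:58:06.101 IP 198.51.100.7.13000 > 192.0.2.10.13000: Flags [S], seq 674711609, win 1024, length 0
13:58:06.112 IP 198.51.100.7.13000 > 192.0.2.11.13000: Flags [S], seq 674711609, win 1024, length 0
13:58:06.125 IP 198.51.100.7.13000 > 192.0.2.12.13000: Flags [S], seq 674711609, win 1024, length 0
13:58:07.300 IP 203.0.113.5.40112 > 192.0.2.10.13000: Flags [S], seq 305419896, win 64240, length 0
13:58:07.410 IP 198.51.100.7.13000 > 192.0.2.12.13000: Flags [S], seq 674711609, win 1024, length 0
13:58:07.500 IP 192.0.2.10.13000 > 203.0.113.5.40112: Flags [R.], seq 0, ack 305419897, win 0, length 0
garbage line that is not a packet
"""

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

def matches_probe(m):
    """True only when every trait from the thread is present at once."""
    return (m["flags"] == "S"
            and int(m["sport"]) == PORT and int(m["dport"]) == PORT
            and int(m["seq"]) == SEQ)

def find_sweeps(text, min_targets=3):
    """Map each probing source to its count of distinct destinations."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = LINE.search(line)  # unparseable lines are skipped
        if m and matches_probe(m):
            targets[m["src"]].add(m["dst"])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE).items():
        print(f"{src}: {n} distinct destinations probed")
```

An ordinary client connecting to port 13000 from an ephemeral port, like the fourth sample line, is not counted, and repeated probes to one destination count once.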
