| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jstewart at lurhq.com (Joe Stewart) Subject: ISS "Stumbler" advisory questions >From the X-Force "Stumbler" advisory: > X-Force has been tracking reports of suspicious and widespread Internet > traffic with a TCP Window size of 55808. A substantial amount of traffic > captured from sites around the world point to a new distributed port > scanning system. ... snip ... > Each agent attempts to map IP addresses and open ports corresponding to > each IP address by sending a TCP SYN packet with a random destination port. This doesn't appear to be the same pattern of activity seen since May. Many people have reported activity from a single spoofed IP to a single destination IP from a random but non-varying source port to a random but non-varying destination port - for weeks at a time. I've seen this on several networks we montor. I see no way this could even pretend to be an effective distributed scan. Intrusec seems to feel that the trojan they found is a copycat; someone created a trojan to try and match the described behavior/traffic with winsize 55808. Probably someone's idea of a joke on the infosec community. The files ISS describe match the files Intrusec described, so why does ISS/X-Force feel that Stumbler is the true source of the traffic? -Joe -- Joe Stewart, GCIH Senior Intrusion Analyst LURHQ Corporation http://www.lurhq.com/
Powered by blists - more mailing lists