See: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.svcs
heh.. take your pick:
Adoresshd        12345/tcp  #[trojan] Adore sshd
Ashley           12345/tcp  #[trojan] Ashley
cron/crontab     12345/tcp  #[trojan] cron / crontab
FatBitchtrojan   12345/tcp  #[trojan] Fat Bitch trojan
GabanBus         12345/tcp  #[trojan] GabanBus
icmp_client.c    12345/tcp  #[trojan] icmp_client.c
icmp_pipe.c      12345/tcp  #[trojan] icmp_pipe.c
Mypic            12345/tcp  #[trojan] Mypic
NetBusToy        12345/tcp  #[trojan] NetBus Toy
NetBus           12345/tcp  #[trojan] NetBus
NetBus           12345/tcp  #[trojan] NetBus backdoor trojan
NetBusworm       12345/tcp  #[trojan] NetBus worm
PieBillGates     12345/tcp  #[trojan] Pie Bill Gates
TMListen         12345/tcp  #TrendMicro OfficeScan TMListen
ValvNet          12345/tcp  #[trojan] ValvNet
WhackJob         12345/tcp  #[trojan] Whack Job
X-bill           12345/tcp  #[trojan] X-bill
*Probably* we're talkin' a probe for a box compromised by the NetBus backdoor...
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

snort:
Feb 23 22:19:29 greatwall snort: [1:0:0] TCP to 12345 NetBus Backdoor {TCP} 12.82.128.194:1227 -> 12.82.128.83:12345
Feb 23 22:19:50 greatwall last message repeated 3 times

ipchains:
Feb 23 22:19:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.194:1227 12.82.128.83:12345 L=48 S=0x00 I=44079 F=0x4000 T=126 SYN (#64)
Feb 23 22:19:35 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.194:1227 12.82.128.83:12345 L=48 S=0x00 I=45103 F=0x4000 T=126 SYN (#64)
Feb 23 22:19:38 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.194:1227 12.82.128.83:12345 L=48 S=0x00 I=51247 F=0x4000 T=126 SYN (#64)
Feb 23 22:19:50 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.194:1227 12.82.128.83:12345 L=48 S=0x00 I=18736 F=0x4000 T=126 SYN (#64)

p0f:
Sat Feb 23 22:19:29 2002 12.82.128.194 [3 hops]: Windows 9x or 2000
  12.82.128.194:1227 -> 12.82.128.83:12345
Sat Feb 23 22:19:35 2002 12.82.128.194 [3 hops]: Windows 9x or 2000
  12.82.128.194:1227 -> 12.82.128.83:12345
Sat Feb 23 22:19:38 2002 12.82.128.194 [3 hops]: Windows 9x or 2000
  12.82.128.194:1227 -> 12.82.128.83:12345
Sat Feb 23 22:19:50 2002 12.82.128.194: UNKNOWN [8192:126:29447:1:-1:1:1:48].
  12.82.128.194:1227 -> 12.82.128.83:12345

(hmm.. Interesting that p0f suddenly can't ID the OS on the last packet; let's look at what snort caught in full..)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/23-22:19:29.359740 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:44079 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/23-22:19:35.040371 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:45103 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/23-22:19:38.300663 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:51247 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/23-22:19:50.341838 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:18736 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Here are the p0f fields:

# Format:
#
# wwww:ttt:mmm:D:W:S:N:OS Description
#
# wwww - window size
# ttt  - time to live
# mmm  - maximum segment size
# D    - don't fragment flag (0=unset, 1=set)
# W    - window scaling (-1=not present, other=value)
# S    - sackOK flag (0=unset, 1=set)
# N    - nop flag (0=unset, 1=set)
# I    - declared packet size (-1 = irrelevant)
#

Sat Feb 23 22:19:50 2002 12.82.128.194: UNKNOWN [8192:126:29447:1:-1:1:1:48].
  12.82.128.194:1227 -> 12.82.128.83:12345

02/23-22:19:50.341838 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:18736 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK

 8192 = win
  126 = ttl
29447 = mss
    1 = DF flag set
   -1 = SAck set - should be 0 or 1..
    1 = NOP
    1 = NOP
   48 = declared packet size

So I don't see *any* apparent difference that would explain why p0f sees this differently...
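As an added example (my own code, not part of the original message or of snort/p0f), the following Python parses snort verbose packet dumps in the layout quoted above and assembles a string in the p0f `wwww:ttt:mmm:D:W:S:N:I` layout from the parsed header fields, so a p0f fingerprint can be compared against the snort dump field by field; it also groups dumps that share the same source/destination pair and initial sequence number, which is how a retransmitted SYN shows up in a log like this one. The regular expressions, function names and the use of -1 for an absent MSS are assumptions of this example; the two sample dumps are constructed from the first two packets above.

```python
import re
from collections import Counter

# Constructed sample input: two snort verbose packet dumps in the layout quoted
# in the message above (field values taken from the first two dumps there).
SAMPLE_DUMPS = [
    """02/23-22:19:29.359740 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:44079 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK""",
    """02/23-22:19:35.040371 12.82.128.194:1227 -> 12.82.128.83:12345
TCP TTL:126 TOS:0x0 ID:45103 IpLen:20 DgmLen:48 DF
******S* Seq: 0x598A9C  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK""",
]

# Assumed line layout (timestamp/addresses, IP header, TCP header, options).
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(
    r"TTL:(?P<ttl>\d+).*?\bID:(?P<ipid>\d+).*?DgmLen:(?P<dgmlen>\d+)(?P<df>\s+DF)?")
TCP_RE = re.compile(
    r"^(?P<flags>[*A-Z0-9]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+"
    r"Ack:\s*0x[0-9A-Fa-f]+\s+Win:\s*0x(?P<win>[0-9A-Fa-f]+)")
OPTS_RE = re.compile(r"TCP Options \(\d+\) => (?P<opts>.*)$")


def parse_tcp_options(opts_text):
    """Turn snort's option list ('MSS: 536 NOP NOP SackOK') into a dict.
    Window scale is taken from a 'WS: n' token; absent options stay None/False."""
    tokens = opts_text.split()
    result = {"mss": None, "wscale": None, "sackok": False, "nop": 0}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "MSS:":
            result["mss"] = int(tokens[i + 1]); i += 2
        elif tok == "WS:":
            result["wscale"] = int(tokens[i + 1]); i += 2
        elif tok == "NOP":
            result["nop"] += 1; i += 1
        elif tok == "SackOK":
            result["sackok"] = True; i += 1
        else:
            i += 1  # unknown option keyword: skip it
    return result


def parse_snort_dump(text):
    """Parse one verbose snort packet dump into a dict of header fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    hdr = HEADER_RE.match(lines[0])
    ip = IP_RE.search(lines[1])
    tcp = TCP_RE.match(lines[2])
    if not (hdr and ip and tcp):
        raise ValueError("unrecognised snort dump layout")
    opts_match = OPTS_RE.search(lines[3]) if len(lines) > 3 else None
    opts = parse_tcp_options(opts_match.group("opts") if opts_match else "")
    return {
        "ts": hdr.group("ts"),
        "src": hdr.group("src"), "sport": int(hdr.group("sport")),
        "dst": hdr.group("dst"), "dport": int(hdr.group("dport")),
        "ttl": int(ip.group("ttl")),
        "ipid": int(ip.group("ipid")),
        "dgmlen": int(ip.group("dgmlen")),
        "df": ip.group("df") is not None,
        "flags": tcp.group("flags"),
        "seq": int(tcp.group("seq"), 16),
        "win": int(tcp.group("win"), 16),
        **opts,
    }


def p0f_signature(packet):
    """Build the wwww:ttt:mmm:D:W:S:N:I string in the p0f layout quoted in the
    message from parsed snort fields. -1 marks a missing window scale as the
    quoted format says; -1 for a missing MSS is this example's own choice."""
    fields = [
        packet["win"],
        packet["ttl"],
        packet["mss"] if packet["mss"] is not None else -1,
        1 if packet["df"] else 0,
        packet["wscale"] if packet["wscale"] is not None else -1,
        1 if packet["sackok"] else 0,
        1 if packet["nop"] else 0,
        packet["dgmlen"],
    ]
    return ":".join(str(f) for f in fields)


def is_bare_syn(packet):
    """True when SYN is the only TCP flag set (snort prints unset flags as '*')."""
    return set(packet["flags"].replace("*", "")) == {"S"}


def group_by_connection_attempt(dumps):
    """Count dumps sharing one src/dst pair and initial sequence number; a bare
    SYN seen several times under the same key is one attempt being retransmitted."""
    counts = Counter()
    for text in dumps:
        pkt = parse_snort_dump(text)
        counts[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for text in SAMPLE_DUMPS:
        pkt = parse_snort_dump(text)
        print(pkt["ts"], p0f_signature(pkt), "bare SYN" if is_bare_syn(pkt) else "")
    print(group_by_connection_attempt(SAMPLE_DUMPS))
```

Feed it the full set of dumps from a snort alert file (split on the `=+=+` separator lines) and the grouping step tells you whether a burst of identical alerts is several probes or one connection attempt the sender's stack keeps retrying.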