
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


Port 8181 update; Trojan.Comxt.B; Mail Bag

Published: 2005-02-05
Last Updated: 2005-02-06 00:46:48 UTC
by Lorna Hutcheson (Version: 1)

Port 8181 Update

Jason Friend sent us a capture of traffic destined for port 8181. Here are some of the characteristics noted:

The TTL was one lower in each successive packet, while the following header fields stayed constant across the whole capture:

Checksum: decimal 11609

Flags and Offset: hex 4000 (Don't Fragment set, fragment offset 0)

IP ID: decimal 55211

Because the IP header checksum covers the TTL byte, a checksum that does not change while the TTL does cannot be valid for more than one of those packets unless some other header field changed to compensate. Together with the never-changing IP ID, that looks like packets built from a fixed template rather than emitted by a normal IP stack, which is worth checking in any further captures.

If anyone has any ideas, we would be interested in hearing them. We would still like to see more captures as well, so grab your favorite tool and let's see if we can figure this one out.
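To make that check concrete, here is an added example (not code from the diary or from the submitter) that builds IPv4 headers with the three constants reported above, recomputes the header checksum per RFC 1071 and reports which fields stayed fixed while the TTL moved. The source and destination addresses, the TTL values and the three-packet capture are constructed for the demo; only the IP ID, flags/offset and checksum values come from the diary.

```python
import ipaddress
import struct
from typing import Optional

# Constants reported in the diary for the port 8181 traffic.
CONSTANT_ID, CONSTANT_FLAGS, CONSTANT_CSUM = 55211, 0x4000, 11609
# Constructed values for the demo: RFC 5737 documentation addresses, not real hosts.
SRC, DST = "192.0.2.1", "198.51.100.5"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. With the checksum field zeroed this
    returns the value to store; with the stored checksum included it returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ttl: int, ip_id: int, flags_frag: int, src: str, dst: str,
                      forced_checksum: Optional[int] = None) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, protocol TCP, total length 40). The checksum is
    computed correctly unless forced_checksum is given, which mimics a packet generator that
    fills the header from a template and never recomputes it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, flags_frag, ttl, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr) if forced_checksum is None else forced_checksum
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields the diary compares and verify the stored checksum."""
    ver_ihl, _tos, _tlen, ip_id, flags_frag, ttl, _proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ttl": ttl,
        "ip_id": ip_id,
        "flags_frag": flags_frag,
        "df": bool(flags_frag & 0x4000),
        "checksum": csum,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


def analyze_capture(packets):
    """Return the parsed rows, the set of header fields that never changed, and a verdict.
    The checksum covers the TTL byte, so if the TTL changes while the checksum stays put, at
    most one packet can carry a valid checksum; the rest were emitted without recomputing it."""
    rows = [parse_ipv4_header(p) for p in packets]
    constant = {k for k in ("ip_id", "flags_frag", "checksum")
                if len({r[k] for r in rows}) == 1}
    crafted = (len(rows) > 1 and "checksum" in constant
               and not all(r["checksum_ok"] for r in rows))
    return rows, constant, crafted


# Constructed capture: three packets, TTL stepping down by one, the three constants held fixed.
CAPTURE = [build_ipv4_header(ttl, CONSTANT_ID, CONSTANT_FLAGS, SRC, DST, forced_checksum=CONSTANT_CSUM)
           for ttl in (117, 116, 115)]

if __name__ == "__main__":
    rows, constant, crafted = analyze_capture(CAPTURE)
    for r in rows:
        print(f"ttl={r['ttl']:3d} id={r['ip_id']} flags=0x{r['flags_frag']:04x} "
              f"csum={r['checksum']} valid={r['checksum_ok']}")
    print("constant fields:", sorted(constant), "| looks crafted:", crafted)
```

Running the same analysis over a real pcap only needs the 20-byte IPv4 header of each packet handed to `parse_ipv4_header`; if every packet in the capture fails the checksum check while the TTL keeps changing, the sender is not a normal IP stack.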


Trojan.Comxt.B

Okay, this one is not a widespread Trojan, but it is a very creative one. I just wanted to point it out because of the effort it makes to hide itself. If anyone has a copy of it, please pass it our way! Here is what Symantec says:

"Trojan.Comxt.B is a Trojan horse program that downloads remote files. The Trojan uses alternate data streams and rootkit technology to hide its presence on the compromised computer."

For more information see:

Mail Bag

We really appreciate our readers and the efforts they put forth to help us out. It is a team effort and we are all trying to make the Internet safer! Here is an email sent in by Colin Keith with some of his observations:

"Just been looking through the scams filtered by my mail server and wanted to pass on a note about a trend I've been seeing by phishing scammers. They've recently started using domain names that look like the bank's URL instead of using browser exploits (%00/^A hack, image-maps, etc). Perhaps they're learning that we simply trap this kind of nonsense and that it's less effective as more people patch these security holes?

Some example domains include:

(Hmm, had others for usbank and keybank but they've disappeared from my logs now)

The last two are those stupid "free subdomain" things ISPs offer when they're desperate to boost their number of "customers". All of these have been reported, the first to the domain registrars too for domain names registered in violation of the ICANN agreements (trademark infringement/registered to be used for committing a crime), so hopefully they'll go soon if they haven't already.

Also stuff for people to scan for in incoming mails - check if the URLs are hosted on port 87 (common on dial-up accounts) or 6180 (common on servers). I suppose the scammers have yet to write the phishing kits so that they use a randomly selected port? Also noticed are the URLs of the phishing target site in the URL/directory of the hosting site. E.g.:

Strangely, spammers seem to be getting their scams mixed up lately too. I've seen mails claiming to be from suntrust printing a URL via a window.status call and the URL saying suntrust...

Nothing exciting, but I thought I'd pass on the observations in case they might be of some use to anyone :)"
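The heuristics in Colin's mail (a bank's name appearing in a subdomain label or in the path of some other site, links served on port 87 or 6180, and the older %00-style authority tricks) are easy to turn into a mail filter. The following is an added example written for this diary, not code from Colin or from any mail server; the sample message, the addresses in it and the three-brand list are constructed, and the registrable-domain helper is a deliberate "last two labels" simplification rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit

# Brands and ports taken from the observations in the mail above.
BRANDS = ("suntrust", "usbank", "keybank")
KIT_PORTS = {87, 6180}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample mail: RFC 5737 documentation addresses and reserved example domains only.
SAMPLE_MAIL = """\
From: "SunTrust Online" <alerts@example.org>
Subject: Account verification required

Please confirm your details at
http://www.suntrust.com.example.net:6180/login
or via our mirror
http://203.0.113.7:87/www.suntrust.com/online/
Reference: http://www.keybank.com%00@203.0.113.9/
Genuine link for comparison: https://www.suntrust.com/
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (assumption for the demo); production code
    should consult the Public Suffix List so that co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str) -> list:
    """Return the reasons a URL looks like a phishing link, or an empty list if none apply."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port, reasons = None, ["unparseable port"]
    # Heuristic 1: phishing kits of the day served on fixed, non-standard ports.
    if port not in (None, 80, 443):
        tag = " (port seen in phishing kits)" if port in KIT_PORTS else ""
        reasons.append(f"non-standard port {port}{tag}")
    # Heuristic 2: the older tricks, a fake host in the userinfo part, %00 or control characters.
    if "%00" in url or parts.username is not None or any(ord(c) < 0x20 for c in url):
        reasons.append("obfuscated authority (credentials, %00 or control characters before the real host)")
    # Heuristic 3: the bank's name appears somewhere in the URL but not in the registrable domain.
    reg = registrable_domain(host)
    for brand in BRANDS:
        if brand in url.lower() and brand not in reg:
            where = "a hostname label" if brand in host else "the path or userinfo"
            reasons.append(f"'{brand}' appears in {where} but the registrable domain is {reg}")
    return reasons


def scan_mail_body(text: str) -> dict:
    """Map every URL found in the body to its list of reasons (empty means it looked clean)."""
    return {url: assess_url(url) for url in URL_RE.findall(text)}


def flagged_urls(text: str) -> list:
    return [url for url, reasons in scan_mail_body(text).items() if reasons]


if __name__ == "__main__":
    for url, reasons in scan_mail_body(SAMPLE_MAIL).items():
        print(url)
        for reason in reasons:
            print("   -", reason)
```

The genuine `https://www.suntrust.com/` link passes all three checks, while the three lookalikes each trip at least two, which is the kind of scoring you want before a single heuristic is allowed to quarantine mail on its own.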

Thanks for reading and enjoy the Super Bowl!

Lorna Hutcheson

Handler on Duty
