CRITICAL: Synful Scan Report

DESCRIPTION LAST UPDATED: 2024-01-01

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies hosts that are potentially compromised with the SYNful knock back door. More details can be found in a Mandiant blog.

You can track SYNful knock back door exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..


Filename: scan_synfulknock

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the SYNful response came on (always TCP)
  • port
    Port that the SYNful response came on (always 80/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    This will always be synfulknock
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sequence_number
    This will always be 0
  • ack_number
    This will always be 791102
  • window_size
    This will always be 8192
  • urgent_pointer
    This will always be 0
  • tcp_flags
    This will always be 4608
  • raw_packet
    The entire synack packet that was returned from our crafted probe
  • sector
    Industry sector as provided by a commercial 3rd party service

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sequence_number","ack_number","window_size","urgent_pointer","tcp_flags","raw_packet","sector"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,80,node01.example.com,synfulknock,64512,ZZ,Region,City,0,,0,791102,8192,0,4608,3cfdfec601e4700f6a9a200008004500003453270000f506cf2ec5d32d42b869f7ee0050ca5100000000000c123e80122000cea90000020405b40101040201030305,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,80,node02.example.com,synfulknock,64512,ZZ,Region,City,0,,0,791102,8192,0,4608,90e2baaf0984700f6a9a200008004500003474250000ef06163cd2152b6ab8698b790050c57b00000000000c123e80122000358b0000020405b40101040201030305,
"2010-02-10 00:00:02",critical,192.168.0.3,tcp,80,node03.example.com,synfulknock,64512,ZZ,Region,City,0,,0,791102,8192,0,4608,0025b51100eab08bcf156b00080045000034eefa0000f3065151d98b6b9a413101210050dc7900000000000c123e80122000d8770000020405b40101040201030305,

Our 131 Report Types

« Back to Network Reporting