IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Snort-sigs] new Q signature

From: Jon <warchild () spoofed org>
Date: Thu, 27 Feb 2003 23:08:01 -0500
Its been nearly a month now, and I'm only slightly closer to getting to the
bottom of this.  

As previously mentioned, I've been using the following rule to track any
machines that spew packets containg 'cko', which is associated with the Q
backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
traffic"; content:"cko"; depth:3; dsize:3;)

I've compiled some information about this traffic in the hopes that it
helps someone.  Since my first email (beginning of Februrary), I've caught
2042 packets coming into my network that tripped this signature.

Common characteristics for all of these packets include:

* all tcp
* low ttl 
* ACK and PSH flags set
* sequence # set
* payload is "cko"

In terms of most popular ports:

Qty   |  Dst Port
-----------------
1184     80 (http)
59       25 (smtp)
11       993 (imaps)
5        22 (ssh)


Qty   |  Src Port
-----------------
629      80 (http)
96       25 (smtp)
33       443 (https)
11       457 (scohelp via NCSA)


In terms of most talkative hosts:

Qty   | IP              | Comment(s)
----------------------------------------------------------------------------
251      129.41.36.211     All from port 80 on an Apache webserver
183      216.75.196.140    All from port 80 on an IIS (5.1) webserver
88       80.15.172.140     All to port 80 on an Apache webserver
84       63.126.62.14      All from port 80 on an IIS (5.0) webserver
80       216.2.139.35      All to/from port 25 on a WorldMail mailserver


Traffic leading up to the final 'cko' packets always seems very routine --
your average web browse, mail traffic, etc.  All source hosts that were not
the server in the connection seem to be random dialup/dsl machines from
around the globe.

Any feedback or information about these (or other similar) "attacks" would
be much appreciated, either publicly on this list or privately via email.

Fyi and thanks,

-jon

-----------------------------------------------------------
<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>
Previous By Date Next
Previous By Thread Next

Current thread: