IDS mailing list archives
Re: [Snort-sigs] new Q signature
From: Jon <warchild () spoofed org>
Date: Thu, 27 Feb 2003 23:08:01 -0500
Its been nearly a month now, and I'm only slightly closer to getting to the bottom of this. As previously mentioned, I've been using the following rule to track any machines that spew packets containg 'cko', which is associated with the Q backdoor: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;) I've compiled some information about this traffic in the hopes that it helps someone. Since my first email (beginning of Februrary), I've caught 2042 packets coming into my network that tripped this signature. Common characteristics for all of these packets include: * all tcp * low ttl * ACK and PSH flags set * sequence # set * payload is "cko" In terms of most popular ports: Qty | Dst Port ----------------- 1184 80 (http) 59 25 (smtp) 11 993 (imaps) 5 22 (ssh) Qty | Src Port ----------------- 629 80 (http) 96 25 (smtp) 33 443 (https) 11 457 (scohelp via NCSA) In terms of most talkative hosts: Qty | IP | Comment(s) ---------------------------------------------------------------------------- 251 129.41.36.211 All from port 80 on an Apache webserver 183 216.75.196.140 All from port 80 on an IIS (5.1) webserver 88 80.15.172.140 All to port 80 on an Apache webserver 84 63.126.62.14 All from port 80 on an IIS (5.0) webserver 80 216.2.139.35 All to/from port 25 on a WorldMail mailserver Traffic leading up to the final 'cko' packets always seems very routine -- your average web browse, mail traffic, etc. All source hosts that were not the server in the connection seem to be random dialup/dsl machines from around the globe. Any feedback or information about these (or other similar) "attacks" would be much appreciated, either publicly on this list or privately via email. Fyi and thanks, -jon ----------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Re: [Snort-sigs] new Q signature Jon (Mar 02)