Security Incidents mailing list archives
Re: Help with an odd log file...
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Sun, 08 Jun 2003 13:41:17 -0400
More info: I have captures from some non-primary probing addresses now. The non-primary addresses have not been repeating at all. When addresses probe my target port 8247, they all use the same sequence number 2773619225, window size 55808, and WS: 2. Source ports vary and have even included port 0. ID varies by probing address (but is still usually 14921 on mine), as does MSS (1400 or 1416 or 1436, etc.).

More speculation: So if this is a botnet, the TCP seq might identify a subset of the network itself, or it could be related to the target. Dest port might be the triggering factor for the listening trojan, and source port and source address might be the command being issued. Window 55808 and WS: 2 appear to be universal since everyone has reported the same. MSS 1460 appears to be universal for primary probing addresses.

Has anyone found any of the sequence numbers posted to the list on any other network?
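The header fingerprint the post describes (fixed sequence number 2773619225, window 55808, WS 2, source ports that vary all the way down to 0, IP ID and MSS that vary by source) is the kind of thing worth matching directly on raw headers rather than on a flow summary. The following is an added example, not code from the original post or from anyone on the thread: it builds a few raw IPv4/TCP SYN packets as constructed sample input, parses the headers and TCP options (MSS, window scale) back out, flags the SYNs to port 8247 that carry the reported values, and collects the (MSS, IP ID) pairs, which is what the post uses to tell probing sources apart. The addresses, the non-8247 ports and the packet builder are assumptions made for the demonstration.

```python
import struct

# Header values reported in the post above for the probes against port 8247.
SIG_SEQ = 2773619225
SIG_WINDOW = 55808
SIG_WSCALE = 2
SIG_DPORT = 8247

TCP_SYN = 0x02
TCP_ACK = 0x10


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split('.'))


def build_syn(src_ip, dst_ip, sport, dport, seq, window, ip_id, mss, wscale):
    """Build a raw IPv4 + TCP SYN with MSS and window-scale options.
    Constructed test input, not captured traffic; checksums stay zero
    because nothing here puts the packet on the wire."""
    opts = struct.pack('!BBH', 2, 4, mss)          # MSS option (kind 2)
    opts += b'\x01'                                 # NOP
    opts += struct.pack('!BBB', 3, 3, wscale)       # window scale option (kind 3)
    opts += b'\x00' * (-len(opts) % 4)              # pad to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, doff << 4,
                      TCP_SYN, window, 0, 0) + opts
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), ip_id, 0,
                     64, 6, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return ip + tcp


def parse_packet(pkt):
    """Parse IPv4 and TCP headers from a raw packet; None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack('!H', pkt[4:6])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    src = '.'.join(str(b) for b in pkt[12:16])
    dst = '.'.join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, off, flags, window, _ck, _urg = struct.unpack(
        '!HHIIBBHHH', tcp[:20])
    opts = tcp[20:(off >> 4) * 4]
    mss = wscale = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # malformed option: stop rather than loop forever
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack('!H', body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        i += length
    return {'src': src, 'dst': dst, 'sport': sport, 'dport': dport, 'seq': seq,
            'flags': flags, 'window': window, 'ip_id': ip_id,
            'mss': mss, 'wscale': wscale}


def matches_signature(f):
    """True for a bare SYN whose seq, window and WS match the reported probe."""
    if f is None or f['flags'] & (TCP_SYN | TCP_ACK) != TCP_SYN:
        return False
    return (f['seq'] == SIG_SEQ and f['window'] == SIG_WINDOW
            and f['wscale'] == SIG_WSCALE)


def find_probes(packets, dport=SIG_DPORT):
    """Return matching packets on dport and the sorted set of (mss, ip_id) seen."""
    hits = [f for f in map(parse_packet, packets)
            if matches_signature(f) and f['dport'] == dport]
    variants = sorted({(f['mss'], f['ip_id']) for f in hits})
    return hits, variants


# Constructed sample traffic; addresses are documentation ranges, not real sources.
SAMPLE = [
    build_syn('198.51.100.7', '192.0.2.10', 0, 8247, SIG_SEQ, SIG_WINDOW, 14921, 1460, 2),
    build_syn('198.51.100.9', '192.0.2.10', 41234, 8247, SIG_SEQ, SIG_WINDOW, 2201, 1400, 2),
    build_syn('198.51.100.9', '192.0.2.10', 41235, 80, SIG_SEQ, SIG_WINDOW, 2201, 1400, 2),
    build_syn('203.0.113.5', '192.0.2.10', 51000, 8247, 123456789, 65535, 777, 1460, 7),
]

if __name__ == '__main__':
    hits, variants = find_probes(SAMPLE)
    for f in hits:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"id={f['ip_id']} mss={f['mss']} win={f['window']} ws={f['wscale']}")
    print('variants (mss, ip_id):', variants)
```

The match deliberately ignores source port and MSS, since the post reports both as varying, and keys only on the three values every reporter has seen identical; the option walker stops on a bad length instead of trusting it, because a probe that is already malformed (source port 0) is exactly the traffic that should not be allowed to wedge a parser.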