Snort mailing list archives
Hack attempts?
From: "Sid" <s_i_d_j () yahoo com>
Date: Mon, 11 Jun 2001 22:38:04 +0530
Hi, I logged these packets:

TCP:1981-1366
::::::::::::::
[**] IDS59/trojan_trojan-active-shockrave [**]
06/11-11:16:18.017461 internal_ip:1981 -> 203.197.4.5:1366
TCP TTL:127 TOS:0x0 ID:37383 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x36FDF8E8 Ack: 0x2ADD5 Win: 0x2058 TcpLen: 24
TCP Options (1) => MSS: 1380
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
::::::::::::::
TCP:2001-1386
::::::::::::::
[**] IDS40/trojan_trojan-active-trojancow [**]
06/11-11:16:52.287504 internal_ip:2001 -> 203.197.4.5:1386
TCP TTL:127 TOS:0x0 ID:30984 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x387DA94B Ack: 0x2AE7C Win: 0x2058 TcpLen: 24
TCP Options (1) => MSS: 1380
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
::::::::::::::
TCP:2283-1711
::::::::::::::
[**] IDS93/trojan_trojan-active-hvlrat5 [**]
06/11-11:26:38.423335 internal_ip:2283 -> 203.197.4.5:1711
TCP TTL:127 TOS:0x0 ID:63516 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x93ECCB63 Ack: 0x2B8DA Win: 0x2058 TcpLen: 24
TCP Options (1) => MSS: 1380
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
::::::::::::::
TCP:2583-2076
::::::::::::::
[**] IDS35/trojan_trojan-active-wincrash2 [**]
06/11-11:45:16.057263 internal_ip:2583 -> 203.197.4.5:2076
TCP TTL:127 TOS:0x0 ID:10558 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x51427B79 Ack: 0x2C6EA Win: 0x2058 TcpLen: 24
TCP Options (1) => MSS: 1380
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
::::::::::::::
TCP:2801-2624
::::::::::::::
[**] IDS71/trojan_trojan-active-phineas [**]
06/11-13:16:21.429848 internal_ip:2801 -> 203.197.4.5:2624
TCP TTL:127 TOS:0x0 ID:148 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x70861339 Ack: 0x2E124 Win: 0x2058 TcpLen: 24
TCP Options (1) => MSS: 1380
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

In all the packets, the victim sends Ack+Syn (am I right?) to the attacker. Does it mean this host is compromised?

The victim is behind a firewall and the attacked ports are not open. I ran nmap on the victim and couldn't find these ports to be open. So, what's the verdict?

Siddhartha

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
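Added example, not part of the post or of Snort: a small Python parser for the full-format Snort alert records quoted above. It decodes Snort's fixed-order "12UAPRSF" flag field and, for each record, reports which side sent the packet, whether it is a SYN+ACK (the sender answering a connection request on its own port) and which port on the internal host was involved, so each alert can be compared with what that host actually has listening. The sample records are constructed from two of the quoted alerts; "internal_ip" is the poster's placeholder and is used here as a literal hostname.

```python
import re

# Constructed sample: two of the Snort alert records quoted in the post above,
# with the poster's "internal_ip" placeholder kept verbatim.
SAMPLE_ALERTS = """\
[**] IDS59/trojan_trojan-active-shockrave [**]
06/11-11:16:18.017461 internal_ip:1981 -> 203.197.4.5:1366
TCP TTL:127 TOS:0x0 ID:37383 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x36FDF8E8 Ack: 0x2ADD5 Win: 0x2058 TcpLen: 24
[**] IDS40/trojan_trojan-active-trojancow [**]
06/11-11:16:52.287504 internal_ip:2001 -> 203.197.4.5:1386
TCP TTL:127 TOS:0x0 ID:30984 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x387DA94B Ack: 0x2AE7C Win: 0x2058 TcpLen: 24
"""

# Snort prints the TCP flag byte in the fixed order "12UAPRSF"; '*' means the bit is clear.
FLAG_NAMES = dict(zip("12UAPRSF", ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]))
SIG_RE = re.compile(r"^\[\*\*\] (?P<sig>\S+) \[\*\*\]$")
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
FLG_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq: ")

def decode_flags(field):
    """Turn a Snort flag field such as '***A**S*' into the set of flags that are set."""
    if len(field) != 8:
        raise ValueError("flag field must be 8 characters: %r" % field)
    return {FLAG_NAMES[c] for c in field if c != "*"}

def parse_alerts(text):
    """Parse Snort full-format alert records; one dict per [**] signature header."""
    records, cur = [], None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            cur = {"sig": m.group("sig")}
            records.append(cur)
        elif cur is not None and (m := PKT_RE.match(line)):
            cur.update(m.groupdict())
            cur["sport"], cur["dport"] = int(cur["sport"]), int(cur["dport"])
        elif cur is not None and (m := FLG_RE.match(line)):
            cur["flags"] = decode_flags(m.group("flags"))
    return records

def triage(rec, home="internal_ip"):
    """Report which side sent the packet and whether it is a SYN+ACK, i.e. a listener on
    the sender's port answering a connection request; local_port is the home host's port."""
    outbound = rec["src"] == home
    return {"sig": rec["sig"], "outbound": outbound, "syn_ack": rec["flags"] == {"SYN", "ACK"},
            "local_port": rec["sport"] if outbound else rec["dport"]}
```

For the quoted alerts every record comes back outbound with syn_ack set, so the local_port values (1981, 2001, ...) are the ones to check on the host itself, e.g. with netstat, rather than only from outside through the firewall.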