Snort mailing list archives

Compromising Packet...


From: "Dusty Hall" <halljer () auburn edu>
Date: Mon, 26 Jan 2004 11:38:52 -0600

I'm curious to know if anyone has seen anything like this before.  A few
packets were sent to port 2502... a few seconds later port 2503 was
opened up with Serv-U installed; tlist.exe and kill.exe were uploaded
and then they had a shell.  After that it looks like "SUB0T" was set up,
IRC channel and pass were captured in other packets.  It's supposedly an
XP system with current patches.

Any help would be greatly appreciated.  The first packet Snort
captured is attached.

Thanks,


-Dusty

Attachment: comp.txt