Snort mailing list archives
Compromising Packet...
From: "Dusty Hall" <halljer () auburn edu>
Date: Mon, 26 Jan 2004 11:38:52 -0600
I'm curious to know if anyone has seen anything like this before. A few packets were sent to port 2502... a few seconds later port 2503 was opened up with Serv-U installed; tlist.exe and kill.exe were uploaded and then they had a shell. After that it looks like "SUB0T" was set up; IRC channel and pass were captured in other packets. It's supposedly an XP system with current patches. Any help would be greatly appreciated. The first packet Snort captured is attached. Thanks, -Dusty
Attachment: comp.txt