Snort mailing list archives

Hack attempts?

From: "Sid" <s_i_d_j () yahoo com>
Date: Mon, 11 Jun 2001 22:38:04 +0530
Hi,

I logged these packets :-

TCP:1981-1366
::::::::::::::
[**] IDS59/trojan_trojan-active-shockrave [**]
06/11-11:16:18.017461 internal_ip:1981 -> 203.197.4.5:1366
TCP TTL:127 TOS:0x0 ID:37383 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x36FDF8E8  Ack: 0x2ADD5  Win: 0x2058  TcpLen: 24
TCP Options (1) => MSS: 1380

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

::::::::::::::
TCP:2001-1386
::::::::::::::
[**] IDS40/trojan_trojan-active-trojancow [**]
06/11-11:16:52.287504 internal_ip:2001 -> 203.197.4.5:1386
TCP TTL:127 TOS:0x0 ID:30984 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x387DA94B  Ack: 0x2AE7C  Win: 0x2058  TcpLen: 24
TCP Options (1) => MSS: 1380

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

::::::::::::::
TCP:2283-1711
::::::::::::::
[**] IDS93/trojan_trojan-active-hvlrat5 [**]
06/11-11:26:38.423335 internal_ip:2283 -> 203.197.4.5:1711
TCP TTL:127 TOS:0x0 ID:63516 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x93ECCB63  Ack: 0x2B8DA  Win: 0x2058  TcpLen: 24
TCP Options (1) => MSS: 1380

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

::::::::::::::
TCP:2583-2076
::::::::::::::
[**] IDS35/trojan_trojan-active-wincrash2 [**]
06/11-11:45:16.057263 internal_ip:2583 -> 203.197.4.5:2076
TCP TTL:127 TOS:0x0 ID:10558 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x51427B79  Ack: 0x2C6EA  Win: 0x2058  TcpLen: 24
TCP Options (1) => MSS: 1380

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

::::::::::::::
TCP:2801-2624
::::::::::::::
[**] IDS71/trojan_trojan-active-phineas [**]
06/11-13:16:21.429848 internal_ip:2801 -> 203.197.4.5:2624
TCP TTL:127 TOS:0x0 ID:148 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x70861339  Ack: 0x2E124  Win: 0x2058  TcpLen: 24
TCP Options (1) => MSS: 1380

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


In all the packets, the victim sends Ack+Syn (am i right? ) to the attacker.
Does it mean this host is compromised. The victim is behind a firewall and
attacked ports are not open. I ran nmap on the victim and couldn't find
these ports to be open.

So, whats the verdict?

Siddhartha



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Hack attempts? Sid (Jun 11)