Snort mailing list archives

0.x.x.x source IP


From: snort <snort () jbrfoods com>
Date: Fri, 12 Dec 2003 08:58:56 -0800





Hello All,

I have been seeing "a lot" of these lately, could anybody offer any
suggestions as to what this may be?  I have searched for "0.69.249.132" and
port 57989, but did not find much supporting material.  The destination IP
does not accept connections on port 57989.  I am not too worried as there
is no payload in the packets, but would like your thoughts.

Best Regards,

Matt

------------------------------------------------------------------------------
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> x.x.x.x
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
      Options:
       #1 - MSS len=2 data=05B4
       #2 - NOP len=0
       #3 - WS len=1 data=02
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - SACKOK len=0
Payload: none
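
A triage sketch for the alert quoted above, added here as an example and not part of the original post or of Snort: it parses the dump and reports the header properties an analyst would check first. The function names and the note wording are assumptions made for illustration; the alert text is copied from the post.

```python
import ipaddress
import re

# Alert text as posted above (the destination was already masked as x.x.x.x).
ALERT = """\
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> x.x.x.x
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
Payload: none
"""

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # RFC 1122 "this network"
RULE_WINDOW = 55808  # TCP window size that Snort sid 2182 keys on

def parse_alert(text):
    """Extract the fields needed for triage from one alert dump."""
    src = re.search(r"^IPv4:\s+(\S+)\s+->", text, re.M).group(1)
    tcp = re.search(r"^TCP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S+)",
                    text, re.M)
    win = re.search(r"\bwin=(\d+)", text).group(1)
    payload = re.search(r"^Payload:\s*(.*)$", text, re.M).group(1).strip()
    return {
        "src": src,
        "sport": int(tcp.group(1)),
        "dport": int(tcp.group(2)),
        "flags": tcp.group(3).replace("*", ""),  # "******S*" -> "S"
        "win": int(win),
        "has_payload": payload.lower() != "none",
    }

def triage(alert):
    """Return analyst notes derived only from the packet headers."""
    notes = []
    if ipaddress.ip_address(alert["src"]) in THIS_NETWORK:
        notes.append("source in 0.0.0.0/8: not a valid Internet source, "
                     "so spoofed or malformed; replies cannot reach it")
    if alert["flags"] == "S" and not alert["has_payload"]:
        notes.append("bare SYN with no payload: a connection attempt only")
    if alert["win"] == RULE_WINDOW:
        notes.append("window 55808: the alert fired on header shape, "
                     "not on payload content")
    return notes

if __name__ == "__main__":
    for note in triage(parse_alert(ALERT)):
        print("-", note)
```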




