Snort mailing list archives

Re: 0.x.x.x source IP


From: "Rob Schrack" <rob_schrack () urmc rochester edu>
Date: Fri, 12 Dec 2003 22:03:54 -0500

Some possible direction
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.typot.html
http://vil.nai.com/vil/content/v_100406.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_TYPOT.A


We have also seen a flood of these alerts.  What we saw doesn't quite match
any of the trojan descriptions above: fixed destination address, random then
fixed dest port, MUCH faster than one per second, only lasted 14 minutes.

But you're definitely not alone...



----- Original Message ----- 
From: "snort" <snort () jbrfoods com>
To: <snort-users () lists sourceforge net>
Sent: Friday, December 12, 2003 11:58 AM
Subject: [Snort-users] 0.x.x.x source IP

Hello All,

I have been seeing "a lot" of these lately; could anybody offer any
suggestions as to what this may be?  I have searched for "0.69.249.132" and
port 57989, but did not find much supporting material.  The destination IP
does not accept connections on port 57989.  I am not too worried, as there
is no payload in the packets, but would like your thoughts.

Best Regards,

Matt

------------------------------------------------------------------------------
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> x.x.x.x
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
      Options:
       #1 - MSS len=2 data=05B4
       #2 - NOP len=0
       #3 - WS len=1 data=02
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - SACKOK len=0
Payload: none



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
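As an added example (not code from the thread or from the Snort project), here is a small Python script that parses Snort text alert records in the layout quoted above and summarises, per source/destination pair, the properties Rob and Matt used to characterise the traffic: whether the source sits in the reserved 0.0.0.0/8 range, whether every packet is a bare SYN with no payload, how many distinct destination ports were hit, and the packet rate. The three sample records are constructed for this example; the source address and destination port are the ones from Matt's alert, while the timestamps and the destination 10.0.0.5 are made up.

```python
"""Parse Snort text alert records and summarise bursts of SYN-only packets
from a 0.0.0.0/8 source, the pattern discussed in the thread."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in the same layout as the quoted alert.
# 0.69.249.132 and dport 57989 are from the thread; timestamps, the
# destination 10.0.0.5, IDs and sequence numbers are invented.
SAMPLE_ALERTS = """\
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> 10.0.0.5
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
Payload: none

#(3 - 22401) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> 10.0.0.5
      hlen=5 TOS=0 dlen=52 ID=64755 flags=0 offset=0 TTL=114 chksum=20247
TCP:  port=39557 -> dport: 57989  flags=******S* seq=3614539497
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50422
Payload: none

#(3 - 22402) [2003-12-10 17:35:26] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> 10.0.0.5
      hlen=5 TOS=0 dlen=52 ID=64756 flags=0 offset=0 TTL=114 chksum=20246
TCP:  port=39558 -> dport: 57989  flags=******S* seq=3614539498
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50421
Payload: none
"""

# One regex per line type of the alert record; anything else is ignored.
HEADER_RE = re.compile(r"^#\(\d+ - \d+\) \[(?P<ts>[^\]]+)\] \[[^\]]+\]\s+(?P<msg>.+)$")
IP_RE = re.compile(r"^IPv4: (?P<src>\S+) -> (?P<dst>\S+)")
TCP_RE = re.compile(r"^TCP:\s+port=(?P<sport>\d+) -> dport: (?P<dport>\d+)\s+flags=(?P<flags>\S+)")
PAYLOAD_RE = re.compile(r"^Payload: (?P<payload>.+)$")

# Snort prints the TCP flag byte as an 8-character string; this value is
# the SYN-only form seen in the quoted alert.
SYN_ONLY = "******S*"
RESERVED_ZERO_NET = ipaddress.ip_network("0.0.0.0/8")


def parse_alerts(text):
    """Return a list of dicts, one per '#(...)' alert record."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   "msg": m["msg"].strip()}
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := IP_RE.match(line)):
            cur["src"], cur["dst"] = m["src"], m["dst"]
        elif (m := TCP_RE.match(line)):
            cur["sport"], cur["dport"] = int(m["sport"]), int(m["dport"])
            cur["flags"] = m["flags"]
        elif (m := PAYLOAD_RE.match(line)):
            cur["payload"] = m["payload"].strip()
    return records


def summarize(records):
    """Group by (src, dst) and report the traits discussed in the thread."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"])].append(r)
    summary = {}
    for (src, dst), rs in groups.items():
        stamps = sorted(r["ts"] for r in rs)
        span = (stamps[-1] - stamps[0]).total_seconds()
        summary[(src, dst)] = {
            "count": len(rs),
            "span_seconds": span,
            # Rate over at least a one-second window so a same-second burst
            # does not divide by zero.
            "pkts_per_second": len(rs) / max(span, 1.0),
            "dports": sorted({r["dport"] for r in rs}),
            "src_in_0_8": ipaddress.ip_address(src) in RESERVED_ZERO_NET,
            "all_syn_only": all(r.get("flags") == SYN_ONLY for r in rs),
            "all_no_payload": all(r.get("payload") == "none" for r in rs),
        }
    return summary


if __name__ == "__main__":
    for key, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(key, info)
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; a pair whose source is in 0.0.0.0/8, whose packets are all SYN-only with no payload, and whose rate is well above one per second matches what Rob describes, while a one-per-second trickle to varying ports would look different in the same summary.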
