Snort mailing list archives
Re: 0.x.x.x source IP
From: "Rob Schrack" <rob_schrack () urmc rochester edu>
Date: Fri, 12 Dec 2003 22:03:54 -0500
Some possible direction:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.typot.html
http://vil.nai.com/vil/content/v_100406.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_TYPOT.A

We have also seen a flood of these alerts. What we saw doesn't quite match any of the trojan descriptions above: fixed destination address, random then fixed dest port, MUCH faster than one per second, only lasted 14 minutes. But you're definitely not alone...

----- Original Message -----
From: "snort" <snort () jbrfoods com>
To: <snort-users () lists sourceforge net>
Sent: Friday, December 12, 2003 11:58 AM
Subject: [Snort-users] 0.x.x.x source IP
Hello All,

I have been seeing "a lot" of these lately; could anybody offer any suggestions as to what this may be? I have searched for "0.69.249.132" and port 57989, but did not find much supporting material. The destination IP does not accept connections on port 57989. I am not too worried as there is no payload in the packets, but would like your thoughts.

Best Regards,
Matt

------------------------------------------------------------------------------
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182] BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> x.x.x.x
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989 flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
      Options:
       #1 - MSS len=2 data=05B4
       #2 - NOP len=0
       #3 - WS len=1 data=02
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - SACKOK len=0
Payload: none
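Added example, not code from the thread or from Snort: a small Python parser for the alert layout quoted above that pulls out the fields the thread discusses (source address, ports, TCP flags, window size, payload) and reports which traits of the reported traffic a record shows. The sample records are constructed, with the redacted destination replaced by the documentation address 192.0.2.10; the 55808 window size and 0.0.0.0/8 source are taken from the posted alert.

```python
import re
import ipaddress

# Constructed records in the alert layout posted in the thread: the posted alert
# (redacted destination replaced by a documentation address) and an ordinary SYN.
SAMPLE_ALERTS = [
    "[2003-12-10 17:35:25] [snort/2182] BACKDOOR typot trojan traffic "
    "IPv4: 0.69.249.132 -> 192.0.2.10 hlen=5 TOS=0 dlen=52 ID=64754 TTL=114 "
    "TCP: port=39556 -> dport: 57989 flags=******S* seq=3614539496 ack=0 "
    "off=8 res=0 win=55808 urp=0 chksum=50423 Payload: none",
    "[2003-12-10 17:35:26] [snort/1000] constructed ordinary SYN "
    "IPv4: 198.51.100.7 -> 192.0.2.10 hlen=5 TOS=0 dlen=60 ID=1 TTL=64 "
    "TCP: port=40000 -> dport: 80 flags=******S* seq=1 ack=0 "
    "off=10 res=0 win=5840 urp=0 chksum=2 Payload: none",
]
ALERT_RE = re.compile(
    r"IPv4: (?P<src>[\d.]+) -> (?P<dst>[\d.]+).*?"
    r"TCP: port=(?P<sport>\d+) -> dport: (?P<dport>\d+) flags=(?P<flags>\S+)"
    r".*?win=(?P<win>\d+).*?Payload: (?P<payload>\w+)"
)
BOGON_NET = ipaddress.ip_network("0.0.0.0/8")  # never a legitimate unicast source

def parse_alert(line):
    """Pull source/destination, ports, TCP flags, window and payload from one record."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "win"):
        rec[k] = int(rec[k])
    return rec

def indicators(rec):
    """List the traits of the posted traffic that a parsed record exhibits."""
    hits = []
    if ipaddress.ip_address(rec["src"]) in BOGON_NET:
        hits.append("source in 0.0.0.0/8")
    if "S" in rec["flags"] and "A" not in rec["flags"]:
        hits.append("SYN only")
    if rec["win"] == 55808:  # window size carried by the posted alert
        hits.append("win=55808")
    if rec["payload"] == "none":
        hits.append("no payload")
    return hits

def is_typot_like(rec):
    """Bogon source, bare SYN and the 55808 window together match the thread's alert."""
    h = indicators(rec)
    return all(t in h for t in ("source in 0.0.0.0/8", "SYN only", "win=55808"))
```

Feeding a whole alert file through parse_alert and grouping hits by destination and minute would also show the burst shape Rob describes (fixed destination, many packets per second, short duration).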