[Snort-sigs] content = leech at ...548...

Jeff Robinson jdrobinson at ...546...
Mon Apr 22 15:04:25 EDT 2002


Has anyone seen content leech at ...547... going to many different TCP ports
and many different IP destinations on their networks?  I find this really
odd.

[**] [1:0:0] leech at ...548... [**]
04/22-17:00:02.288768 205.188.165.121:80 -> home_net:53127
TCP TTL:45 TOS:0x0 ID:22542 IpLen:20 DgmLen:40
***A***F Seq: 0x6FB3E703  Ack: 0x50A721BA  Win: 0x4000  TcpLen: 20

[**] [1:0:0] leech at ...548... [**]
04/22-17:00:02.288768 205.188.165.121:80 -> home_net:53127
TCP TTL:45 TOS:0x0 ID:22543 IpLen:20 DgmLen:40
***A***F Seq: 0x6FB3E703  Ack: 0x50A721BB  Win: 0x4000  TcpLen: 20

[**] [1:0:0] leech at ...548... [**]
04/22-17:00:02.288768 217.82.180.26:37555 -> home_net:2725
TCP TTL:114 TOS:0x0 ID:12329 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x97E8C5DA  Ack: 0xD815F2AE  Win: 0x7FFF  TcpLen: 20

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020422/512d4af0/attachment.html>


More information about the Snort-sigs mailing list