[Snort-sigs] Schneckenkorn Trojan Scan?

Robert Wagner rwagner at ...447...
Tue Apr 23 08:21:43 EDT 2002


I noticed this catch:

Apr 23 09:59:59 myids.com snort[17563]: [1:0:0] LOCAL Misc high port scan {TCP} 64.212.171.241:6667 -> myip:1219

I think this may be Schneckenkorn Trojan.  Does anyone have a good signature
for this?

http://www.megasecurity.org/trojans/s/schneckenkorn/Schneckenkorn1.0.html

[**] LOCAL Misc high port scan [**]
04/23-10:08:50.277490 64.212.171.241:6667 -> myip:1219
TCP TTL:52 TOS:0x0 ID:60865 IpLen:20 DgmLen:44
***A**S* Seq: 0x8F5FDB23  Ack: 0xD193DF61  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460
0x0000: 00 10 DB 01 3A 31 00 E0 63 17 88 A1 08 00 45 00  ....:1..c.....E.
0x0010: 00 2C ED C1 00 00 34 06 3C 4D 40 D4 AB F1 xx xx  .,....4.<M@.....
0x0020: xx xx 1A 0B 04 C3 8F 5F DB 23 D1 93 DF 61 60 12  ......._.#...a`.
0x0030: 10 00 F1 11 00 00 02 04 05 B4 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I am attempting this signature:

alert tcp $EXTERNAL_NET 1023: -> $HOME_NET 1219 (msg:"BACKDOOR Schneckenkorn attempt"; flags: AS+; classtype:misc-activity; rev:1;)
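
Added example, not part of the original post: a short Python decoder for the hex dump in the alert above, so the ports and TCP flags in the captured frame can be checked against the rule's header and `flags` option. The function names are illustrative, and the redacted `xx` bytes are treated as zero (an assumption made only so the frame parses).

```python
import struct

# Hex bytes copied from the alert in the post (ASCII column omitted).
# "xx" marks the destination-IP bytes the poster redacted.
DUMP = """\
0x0000: 00 10 DB 01 3A 31 00 E0 63 17 88 A1 08 00 45 00
0x0010: 00 2C ED C1 00 00 34 06 3C 4D 40 D4 AB F1 xx xx
0x0020: xx xx 1A 0B 04 C3 8F 5F DB 23 D1 93 DF 61 60 12
0x0030: 10 00 F1 11 00 00 02 04 05 B4 00 00
"""

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def parse_dump(text):
    """Return the frame as bytes; redacted 'xx' bytes become 0x00."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split(":", 1)[1].split():
            out.append(0 if tok.lower() == "xx" else int(tok, 16))
    return bytes(out)


def decode_tcp(frame):
    """Decode the Ethernet II / IPv4 / TCP headers of one frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x3F          # low six bits: URG ACK PSH RST SYN FIN
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "ttl": ip[8],
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "win": win,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
    }


if __name__ == "__main__":
    for key, value in decode_tcp(parse_dump(DUMP)).items():
        print(f"{key:7} {value}")
```

The decoded flags are SYN and ACK, the second segment of a TCP three-way handshake, sent from port 6667 to port 1219.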




