[Snort-sigs] Schneckenkorn Trojan Scan?

Joe Matusiewicz joem at ...555...
Tue Apr 23 10:01:34 EDT 2002


At 11:18 AM 4/23/02, Robert Wagner wrote:
>I noticed this catch:
>
>Apr 23 09:59:59 myids.com snort[17563]: [1:0:0] LOCAL Misc high port scan
>{TCP} 64.212.171.241:6667 -> myip:1219
>
>I think this may be Schneckenkorn Trojan.  Does anyone have a good signature
>for this?
>
>http://www.megasecurity.org/trojans/s/schneckenkorn/Schneckenkorn1.0.html
>
>[**] LOCAL Misc high port scan [**]
>04/23-10:08:50.277490 64.212.171.241:6667 -> myip:1219
>TCP TTL:52 TOS:0x0 ID:60865 IpLen:20 DgmLen:44
>***A**S* Seq: 0x8F5FDB23  Ack: 0xD193DF61  Win: 0x1000  TcpLen: 24
>TCP Options (1) => MSS: 1460
>0x0000: 00 10 DB 01 3A 31 00 E0 63 17 88 A1 08 00 45 00  ....:1..c.....E.
>0x0010: 00 2C ED C1 00 00 34 06 3C 4D 40 D4 AB F1 xx xx  .,....4.<M at ...552...,
>0x0020: xx xx 1A 0B 04 C3 8F 5F DB 23 D1 93 DF 61 60 12  ......._.#...a`.
>0x0030: 10 00 F1 11 00 00 02 04 05 B4 00 00              ............
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


I don't have a sig for this Schneckenkorn thing, but my logs show 532 
packets trying to get to my network from this source address going to 
random addresses in my network.  The source port is always 6667 and the 
destination port changes.  All packets have the SYN/ACK flags set.  Since 
port 6667 is usually used by IRC servers, I assumed someone got ticked off 
at somebody and decided to DOS this IRC server.  But I could be wrong 
because I haven't checked what or if anything was running on this host on 
port 6667.

-- Joe
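
The pattern described in the reply above (SYN/ACK only, one fixed source port, many different destinations) can be checked mechanically over Snort full alerts. The following is an added example, not part of either message; the `min_packets` threshold, the helper names and the sample alerts (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Address line and TCP flag line of a Snort full alert, as quoted in the thread.
ADDR = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+):(\d+)$")
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq:")
SYN_ACK = "***A**S*"

def parse_alerts(text):
    """Yield (src_ip, src_port, dst, dst_port, flags) for each TCP alert."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = ADDR.match(line)
        if m:
            current = (m[1], int(m[2]), m[3], int(m[4]))
            continue
        m = FLAGS.match(line)
        if m and current:
            yield current + (m[1],)
            current = None

def backscatter_sources(text, min_packets=5):
    """Report sources sending only SYN/ACK from one port to many targets."""
    by_src = defaultdict(list)
    for src, sport, dst, dport, flags in parse_alerts(text):
        by_src[src].append((sport, dst, dport, flags))
    report = {}
    for src, pkts in by_src.items():
        sports = {p[0] for p in pkts}
        targets = {(p[1], p[2]) for p in pkts}
        only_synack = all(p[3] == SYN_ACK for p in pkts)
        if only_synack and len(sports) == 1 and len(targets) >= min_packets:
            report[src] = {"packets": len(pkts), "src_port": sports.pop(),
                           "targets": len(targets)}
    return report

def record(sec, src, sport, dst, dport, flags):
    """Build one constructed alert in the layout of the quoted one."""
    return ("[**] LOCAL Misc high port scan [**]\n"
            f"04/23-10:08:{sec:02d}.000000 {src}:{sport} -> {dst}:{dport}\n"
            "TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:44\n"
            f"{flags} Seq: 0x1  Ack: 0x2  Win: 0x1000  TcpLen: 24\n\n")

# Constructed sample: one source replying SYN/ACK from port 6667 to many
# hosts, and one ordinary client sending plain SYNs to a single web server.
SAMPLE = "".join(
    record(i, "192.0.2.10", 6667, f"198.51.100.{i + 1}", 1200 + 17 * i, SYN_ACK)
    + record(i, "203.0.113.5", 40000 + i, "198.51.100.20", 80, "******S*")
    for i in range(6))
```

Calling `backscatter_sources(SAMPLE)` reports only the port-6667 source; the plain-SYN client is ignored because its flags, source ports and single target do not fit the pattern.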




