[Snort-sigs] new Q signature

Jon warchild at ...288...
Thu Feb 27 20:07:03 EST 2003

It's been nearly a month now, and I'm only slightly closer to getting to the
bottom of this.

As previously mentioned, I've been using the following rule to track any
machines that spew packets containing 'cko', which is associated with the Q

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor traffic"; content:"cko"; depth:3; dsize:3;)

I've compiled some information about this traffic in the hopes that it
helps someone.  Since my first email (beginning of February), I've caught
2042 packets coming into my network that tripped this signature.

Common characteristics for all of these packets include:

* all tcp
* low ttl 
* ACK and PSH flags set
* sequence # set
* payload is "cko"

In terms of most popular ports:

Qty   | Dst Port
------+------------------
1184  | 80 (http)
59    | 25 (smtp)
11    | 993 (imaps)
5     | 22 (ssh)

Qty   | Src Port
------+------------------------
629   | 80 (http)
96    | 25 (smtp)
33    | 443 (https)
11    | 457 (scohelp via NCSA)

In terms of most talkative hosts:

Qty   | IP              | Comment(s)
------+-----------------+-------------------------------------------------
251   |                 | All from port 80 on an Apache webserver
183   |                 | All from port 80 on an IIS (5.1) webserver
88    |                 | All to port 80 on an Apache webserver
84    |                 | All from port 80 on an IIS (5.0) webserver
80    |                 | All to/from port 25 on a WorldMail mailserver

Traffic leading up to the final 'cko' packets always seems very routine --
your average web browse, mail traffic, etc.  All source hosts that were not
the server in the connection seem to be random dialup/dsl machines from
around the globe.

Any feedback or information about these (or other similar) "attacks" would
be much appreciated, either publicly on this list or privately via email.

Fyi and thanks,


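Added example (not part of the original post or of Snort): the matching semantics of the posted rule (content "cko" within depth 3, dsize exactly 3) applied to constructed packet records, combined with the traits the post reports (PSH+ACK set, low TTL) and tallied per port the way the tables above are. The packet records and the TTL threshold of 64 are assumptions; the post only says "low ttl".

```python
from collections import Counter
from dataclasses import dataclass

RULE_CONTENT = b"cko"  # content:"cko"
RULE_DEPTH = 3         # depth:3  -> match must lie within the first 3 payload bytes
RULE_DSIZE = 3         # dsize:3  -> payload must be exactly 3 bytes long


@dataclass
class Packet:
    src_port: int
    dst_port: int
    ttl: int
    flags: str      # TCP flags in Snort letter form, e.g. "PA" = PSH+ACK
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Replicates the content/depth/dsize checks of the posted rule (TCP assumed)."""
    if len(pkt.payload) != RULE_DSIZE:
        return False
    window = pkt.payload[:RULE_DEPTH]  # depth limits how far the content search goes
    return RULE_CONTENT in window


def matches_observed_profile(pkt: Packet, max_ttl: int = 64) -> bool:
    """Rule hit plus the traits reported in the post: PSH and ACK set, low TTL.
    The max_ttl value is an assumption used for triage, not from the post."""
    return (rule_matches(pkt)
            and "P" in pkt.flags and "A" in pkt.flags
            and pkt.ttl <= max_ttl)


def tally(pkts, attr: str) -> Counter:
    """Count profile hits by src_port or dst_port, like the tables in the post."""
    return Counter(getattr(p, attr) for p in pkts if matches_observed_profile(p))


# Constructed sample traffic (not real captures)
SAMPLE = [
    Packet(80, 1025, 48, "PA", b"cko"),    # full match, from a web server port
    Packet(80, 1026, 48, "PA", b"cko"),    # full match
    Packet(25, 1027, 52, "PA", b"cko"),    # full match, from an SMTP port
    Packet(80, 1028, 48, "A", b"cko"),     # rule hit, but PSH not set
    Packet(80, 1029, 48, "PA", b"ckoX"),   # dsize 4 -> rule does not fire
    Packet(80, 1030, 48, "PA", b"xck"),    # "cko" not within depth 3 -> no hit
    Packet(80, 1031, 120, "PA", b"cko"),   # rule hit, but TTL is not low
]

if __name__ == "__main__":
    for port, n in tally(SAMPLE, "src_port").most_common():
        print(f"{n:<5} {port}")
```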