[Snort-users] Odd packets... maybe a new Trojan?

Tom Whipp twhipp at ...63...
Wed Oct 25 05:06:51 EDT 2000


Hi all,

	I got scanned last night, but I haven't the faintest idea what this
signature represents... about half the hosts in my subnet got the following
packets allegedly from an Iranian university network.

Source/Dest port	9704
ID			39426
Ack			0x7A019CB1

Given that the ID and ack are identical in all packets, it doesn't look like
a vanilla port scan, so my guess is that this represents the initial stage
of a Trojan client/server connection... but of course that's complete
conjecture.

I've tried to check whitehats but can't get in; I've done some general web
searches but can't find anything, and I've taken a look in the 10102k.rules
file but it doesn't seem to have any equivalent rule.

Any thoughts?

	Tom

PS:

Here is an extract from my logs... not sure if it will tell you anything
more than above but it seems worth a shot.

[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 213.29.27.30:9704 -> xxx.xxx.xxx.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.451830 213.29.27.30:9704 -> xxx.xxx.xxx.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.454766 213.29.27.30:9704 -> xxx.xxx.xxx.3:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.462549 213.29.27.30:9704 -> xxx.xxx.xxx.5:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
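The reasoning in the post (identical IP ID, sequence and ack numbers across many destinations point at crafted packets rather than a host's own TCP stack) can be turned into a mechanical check over the Snort alert text. The following is an added example, not code from the original post or from Snort: it parses alerts in the same 1.x full-alert layout shown above and reports, per source host, which header fields never vary across distinct targets. The sample alerts are constructed for this example, copying the post's field values but using RFC 5737 documentation addresses instead of the real ones. The check only tells you the packets were hand-built by a scanning tool; it does not identify which tool, nor whether anything Trojan-related is behind it.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.x full-alert format used in the post.
# Not the original log: addresses are RFC 5737 documentation ranges.
# The last alert is a second, unrelated source hitting a single host, so
# the per-source summary below can show it being left out.
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**]
10/24-18:40:33.351849 203.0.113.30:9704 -> 192.0.2.1:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.451830 203.0.113.30:9704 -> 192.0.2.2:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:33.454766 203.0.113.30:9704 -> 192.0.2.3:9704
TCP TTL:21 TOS:0x0 ID:39426
**SF**** Seq: 0x263B3402   Ack: 0x7A019CB1   Win: 0x404

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SCAN-SYN FIN [**]
10/24-18:40:35.000000 198.51.100.7:44123 -> 192.0.2.1:22
TCP TTL:52 TOS:0x0 ID:1234
**SF**** Seq: 0x11111111   Ack: 0x0   Win: 0x2000
"""

# Line 2: timestamp, source ip:port -> destination ip:port
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Line 3: IP header fields
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<id>\d+)")
# Line 4: 8-character TCP flag string followed by seq/ack/window
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) +Seq: (?P<seq>0x[0-9A-Fa-f]+)"
    r" +Ack: (?P<ack>0x[0-9A-Fa-f]+) +Win: (?P<win>0x[0-9A-Fa-f]+)"
)


def parse_alerts(text):
    """Return one dict per complete TCP alert found in full-alert text.

    Separator lines ("=+=+...") and blank lines are skipped; an alert is
    emitted once its flags/seq/ack/win line has been seen.
    """
    alerts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[**]"):
            current = {"msg": line.strip("[]* ")}
            continue
        if current is None:
            continue
        for rx in (HEADER_RE, IP_RE, TCP_RE):
            m = rx.match(line)
            if m:
                current.update(m.groupdict())
                if rx is TCP_RE:
                    alerts.append(current)
                    current = None
                break
    return alerts


def scan_indicators(alerts, min_targets=3):
    """Per source that hit at least min_targets distinct hosts, report the
    header fields that never changed. A real TCP stack varies IP ID and the
    initial sequence number per connection, so constant ID/seq/ack across
    many targets indicates packets built by a crafting tool."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    report = {}
    for src, pkts in by_src.items():
        targets = {a["dst"] for a in pkts}
        if len(targets) < min_targets:
            continue
        constant = [
            f for f in ("id", "seq", "ack", "win", "ttl", "sport", "dport")
            if len({a[f] for a in pkts}) == 1
        ]
        report[src] = {
            "targets": len(targets),
            "syn_fin": all("S" in a["flags"] and "F" in a["flags"] for a in pkts),
            "same_src_dst_port": all(a["sport"] == a["dport"] for a in pkts),
            "constant_fields": constant,
        }
    return report


if __name__ == "__main__":
    for src, info in scan_indicators(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
```

Run against the post's own alert file, a source that shows `syn_fin`, `same_src_dst_port` and a constant `id`, `seq` and `ack` over several targets is the profile the author describes; a source whose ID and seq change per packet is more likely an ordinary stack (or a tool that randomises them), and the two should be triaged differently.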