[Snort-users] Odd packets... maybe a new Trojan?

Daniel Harrison danielh at ...690...
Wed Oct 25 19:43:40 EDT 2000


You could have taken that packet off my snort logs on my home machine. The exact
same except for the home address and they did mine on 10/22. Someone has been
busy and now I don't feel left out! =)

dan

DmuZ wrote:

> I received the same scan... also from a BellSouth adsl IP. Did not think
> much of it at the time.. seeing as how port 9704 is closed.
>
> Here is a paste from snortsnarf...
>
> [**] SCAN-SYN FIN [**]
> 10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404
>
> Perhaps we should alert incidents at ...35... to see how widespread
> this is?
>
> IMHO, this appears to be someone looking for a backdoor/rootkit that is set
> up to run on 9704... maybe they know of a backdoor in the backdoor??? After
> all how many script kiddies actually look at all that C code before they use
> a root kit?
>
> DmuZ
>

<snip>



