[Snort-users] Odd packets... maybe a new Trojan?

Daniel Harrison danielh at ...690...
Wed Oct 25 19:43:40 EDT 2000

You could have taken that packet off my snort logs on my home machine. The exact
same except for the home address and they did mine on 10/22. Someone has been
busy and now I don't feel left out! =)


DmuZ wrote:

> I received the same scan... also from a BellSouth adsl IP. Did not think
> much of it at the time.. seeing as how port 9704 is closed.
> Here is a paste from snortsnarf...
> [**] SCAN-SYN FIN [**]
> 10/23-04:54:46.999137> my.ho.me.ip:9704
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404
> Perhaps we should alert incidents at ...35... to see how widespread
> this is?
> IMHO, this appears to be someone looking for a backdoor/rootkit that is set
> up to run on 9704... maybe they know of a backdoor in the backdoor??? After
> all how many script kiddies actually look at all that C code before they use
> a root kit?
> DmuZ

