[Snort-users] 0.x.x.x source IP

snort snort at ...10753...
Fri Dec 12 09:00:01 EST 2003




Hello All,

I have been seeing "a lot" of these lately. Could anybody offer any
suggestions as to what this may be?  I have searched for "0.69.249.132" and
port 57989, but did not find much supporting material.  The destination IP
does not accept connections on port 57989.  I am not too worried as there
is no payload in the packets, but would like your thoughts.

Best Regards,

Matt

------------------------------------------------------------------------------
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> x.x.x.x
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
      Options:
       #1 - MSS len=2 data=05B4
       #2 - NOP len=0
       #3 - WS len=1 data=02
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - SACKOK len=0
Payload: none
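
A triage sketch for the alert above, added as an example and not part of the original post: it parses the dump and reports which properties of the packet stand out. The function names, tag names and the list of non-routable source ranges are this example's own; the window value 55808 is taken from the alert and assumed to be what the rule matched on.

```python
import ipaddress
import re

# Alert text copied from the post (its destination is redacted as x.x.x.x).
ALERT = """\
IPv4: 0.69.249.132 -> x.x.x.x
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
Payload: none
"""

# Ranges that can never be a legitimate source address arriving from outside.
NON_ROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in
                        ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]
RULE_WINDOW = 55808  # assumption: the TCP window the alerting rule keys on


def parse_alert(text):
    """Pull the triage-relevant fields out of an alert dump in the format above."""
    def field(pattern):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found: {pattern}")
        return match.group(1)

    return {
        "src": ipaddress.ip_address(field(r"IPv4:\s*(\S+)\s*->")),
        "tcp_flags": field(r"TCP:.*flags=(\S+)"),
        "window": int(field(r"\bwin=(\d+)")),
        "payload": field(r"Payload:\s*(\S+)"),
    }


def triage(alert):
    """Return the set of properties worth noting about the packet."""
    tags = set()
    if any(alert["src"] in net for net in NON_ROUTABLE_SOURCES):
        tags.add("non_routable_source")   # replies can never reach the sender
    if alert["tcp_flags"].strip("*") == "S":
        tags.add("syn_only")              # bare connection attempt
    if alert["payload"].lower() == "none":
        tags.add("no_payload")
    if alert["window"] == RULE_WINDOW:
        tags.add("window_matches_rule")
    return tags


if __name__ == "__main__":
    print(sorted(triage(parse_alert(ALERT))))
```

A source in 0.0.0.0/8 can be dropped at the border regardless of the rule that fired, since no return traffic can reach it.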