[Snort-users] 0.x.x.x source IP

Rob Schrack rob_schrack at ...10758...
Fri Dec 12 19:04:03 EST 2003


Some possible direction
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.typot.html
http://vil.nai.com/vil/content/v_100406.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_TYPOT.A


We have also seen a flood of these alerts.  What we saw doesn't quite match
any of the trojan descriptions above: fixed destination address, random then
fixed dest port, MUCH faster than one per second, only lasted 14 minutes.

But you're definitely not alone...



----- Original Message ----- 
From: "snort" <snort at ...10753...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, December 12, 2003 11:58 AM
Subject: [Snort-users] 0.x.x.x source IP


> Hello All,
>
> I have been seeing "a lot" of these lately, could anybody offer any
> suggestions as to what this may be.  I have searched for "0.69.249.132" and
> port 57989, but did not find much supporting material.  The destination IP
> does not accept connections on port 57989.  I am not too worried as there
> is no payload in the packets, but would like your thoughts.
>
> Best Regards,
>
> Matt
>
> ------------------------------------------------------------------------------
> #(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan
> traffic
> IPv4: 0.69.249.132 -> x.x.x.x
>       hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
> TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
>       ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
>       Options:
>        #1 - MSS len=2 data=05B4
>        #2 - NOP len=0
>        #3 - WS len=1 data=02
>        #4 - NOP len=0
>        #5 - NOP len=0
>        #6 - SACKOK len=0
> Payload: none
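
Added example, not part of the thread or of Snort itself: a small Python triage script for a flood of these alerts. It parses the multi-line alert dump format Matt posted, flags the per-packet traits the sid 2182 signature keys on (SYN-only flags, TCP window 55808, no payload) plus a source address inside the reserved 0.0.0.0/8 block, which cannot legitimately appear as a source on the Internet and therefore marks the packet as spoofed, and then summarises the flood along the axes Rob used (is the destination fixed, is the destination port fixed, how fast is it). The sample alerts are constructed: the first reproduces Matt's alert with the masked destination replaced by the documentation address 192.0.2.10, the others are invented variations, and 203.0.113.5 is a documentation address standing in for a routable source.

```python
"""Triage a flood of Snort sid 2182 ("BACKDOOR typot trojan traffic") alerts.

Example code written for this thread, not Snort's own. It parses the alert
dump format shown in the thread and summarises the flood.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Window size carried by the Typot/"55808" SYN probes; sid 2182 matches on it.
TYPOT_WINDOW = 55808
# Reserved "this network" block: a packet sourced from it can never be
# answered, so such a source address is spoofed by definition.
BOGON_NET = ipaddress.ip_network("0.0.0.0/8")

# Field layout taken from the alert dump format posted in the thread.
ALERT_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] \[snort/(?P<sid>\d+)\]\s+(?P<msg>.+)\n"
    r"IPv4: (?P<src>\S+) -> (?P<dst>\S+)\n"
    r"\s+hlen=(?P<hlen>\d+) TOS=\d+ dlen=(?P<dlen>\d+) .*TTL=(?P<ttl>\d+) .*\n"
    r"TCP:\s+port=(?P<sport>\d+) -> dport: (?P<dport>\d+)\s+flags=(?P<flags>\S+) .*\n"
    r"\s+ack=\d+ off=(?P<off>\d+) res=\d+ win=(?P<win>\d+)"
)

# Constructed sample: record 1 is the alert from the thread with the masked
# destination replaced by 192.0.2.10; records 2-4 are invented variations.
SAMPLE_ALERTS = """\
#(3 - 22400) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.69.249.132 -> 192.0.2.10
      hlen=5 TOS=0 dlen=52 ID=64754 flags=0 offset=0 TTL=114 chksum=20248
TCP:  port=39556 -> dport: 57989  flags=******S* seq=3614539496
      ack=0 off=8 res=0 win=55808 urp=0 chksum=50423
      Options:
       #1 - MSS len=2 data=05B4
Payload: none

#(3 - 22401) [2003-12-10 17:35:25] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.17.3.201 -> 192.0.2.10
      hlen=5 TOS=0 dlen=52 ID=1 flags=0 offset=0 TTL=114 chksum=1
TCP:  port=40001 -> dport: 1234  flags=******S* seq=1
      ack=0 off=8 res=0 win=55808 urp=0 chksum=1
Payload: none

#(3 - 22402) [2003-12-10 17:35:26] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 0.200.9.9 -> 192.0.2.10
      hlen=5 TOS=0 dlen=52 ID=2 flags=0 offset=0 TTL=114 chksum=2
TCP:  port=40002 -> dport: 57989  flags=******S* seq=2
      ack=0 off=8 res=0 win=55808 urp=0 chksum=2
Payload: none

#(3 - 22403) [2003-12-10 17:35:27] [snort/2182]  BACKDOOR typot trojan traffic
IPv4: 203.0.113.5 -> 192.0.2.10
      hlen=5 TOS=0 dlen=52 ID=3 flags=0 offset=0 TTL=64 chksum=3
TCP:  port=40003 -> dport: 57989  flags=******S* seq=3
      ack=0 off=8 res=0 win=55808 urp=0 chksum=3
Payload: none
"""


def parse_alerts(text):
    """Split a dump into blank-line separated records and pull the triage fields."""
    alerts = []
    for rec in text.strip().split("\n\n"):
        m = ALERT_RE.search(rec)
        if not m:
            continue  # not a TCP alert in this format; skip it
        hlen, off, dlen = int(m["hlen"]), int(m["off"]), int(m["dlen"])
        alerts.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "sid": int(m["sid"]),
            "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "flags": frozenset(c for c in m["flags"] if c != "*"),  # "******S*" -> {"S"}
            "win": int(m["win"]), "ttl": int(m["ttl"]),
            # dlen is the whole IP datagram; hlen and off are in 32-bit words.
            "payload_len": dlen - 4 * hlen - 4 * off,
        })
    return alerts


def typot_indicators(a):
    """Traits of the Typot SYN probe that this alert exhibits, in fixed order."""
    hits = []
    if a["flags"] == {"S"}:
        hits.append("syn-only")
    if a["win"] == TYPOT_WINDOW:
        hits.append("win-55808")
    if a["payload_len"] == 0:
        hits.append("no-payload")
    if ipaddress.ip_address(a["src"]) in BOGON_NET:
        hits.append("src-in-0/8")
    return hits


def summarize(alerts):
    """Characterise the flood: destinations, dport spread, spoofing, rate."""
    stamps = [a["ts"] for a in alerts]
    span = (max(stamps) - min(stamps)).total_seconds()
    full = {"syn-only", "win-55808", "no-payload"}
    return {
        "count": len(alerts),
        "dst_hosts": sorted({a["dst"] for a in alerts}),
        "dport_counts": Counter(a["dport"] for a in alerts),
        "bogon_sources": sum("src-in-0/8" in typot_indicators(a) for a in alerts),
        "full_signature": sum(full <= set(typot_indicators(a)) for a in alerts),
        "alerts_per_second": len(alerts) / span if span else float("inf"),
    }


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["ts"], a["src"], "->", a["dst"], a["dport"], typot_indicators(a))
    print(summarize(parse_alerts(SAMPLE_ALERTS)))
```

Run it over a real alert file in the same dump format to see the shape of the flood: a single destination, one or two destination ports, a high proportion of 0.x.x.x sources and a rate well above one packet per second would match what Rob describes, while routable sources with varying flags or payload would point at something other than the scanner described in the vendor write-ups.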