[Snort-users] Typot BACKDOOR

David dwad24 at ...722...
Fri May 28 21:19:05 EDT 2004


Hey Jussx,

Probably just a false positive.  This rule is triggered when a SYN packet with window size 55808 is detected.  This traffic can occur naturally from time to time.  Have you looked at the payload to see if it looks like normal eMule traffic?

Dave

 --- On Fri 05/28, _JusSx_ < jussx0 at ...5849... > wrote:

From: _JusSx_ [mailto: jussx0 at ...5849...]
To: snort-users at lists.sourceforge.net
Date: Fri, 28 May 2004 21:25:09 +0200
Subject: [Snort-users] Typot  BACKDOOR

Hi,
I got some odd logs from snort. I got a log such as

May 28 21:19:29
localhost snort: [1:2182:3] BACKDOOR typot trojan traffic
[Classification: A Network Trojan was detected] [Priority: 1]: {TCP}
62.61.133.250:3135 -> 192.168.0.2:4662

Port 4662 is used by mldonkey and edonkey users are allowed to connect
to because my router and my firewall are set so.
Well, what does it mean? Is my box infected by typot backdoor? Or are
infected computers scanning my box?

Thanx in advance
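
The condition described in the reply, as an added example that is not part of the original thread: a check on raw IPv4/TCP bytes that matches a SYN with window size 55808 and nothing else, which is why an ordinary peer-to-peer connection attempt can raise the alert. The packets are constructed, the window value on the logged flow is assumed, the function names are hypothetical, and "SYN packet" is taken to mean SYN set with ACK, FIN and RST clear.

```python
import socket
import struct

TYPOT_WINDOW = 55808  # window size named in the reply

def build_packet(src, dst, sport, dport, flags, window, payload=b""):
    """Constructed IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse_tcp(packet):
    """Return (flags, window, sport, dport), or None if not usable IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length, options included
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", packet[ihl:ihl + 16])
    return flags, window, sport, dport

def matches_window_rule(packet):
    """True for a SYN (ACK, FIN, RST clear) whose window equals 55808."""
    parsed = parse_tcp(packet)
    if parsed is None:
        return False
    flags, window, _sport, _dport = parsed
    syn_only = (flags & 0x17) == 0x02     # inspect FIN, SYN, RST, ACK bits
    return syn_only and window == TYPOT_WINDOW

# Constructed samples; the first reuses the addresses and ports from the alert.
SAMPLES = {
    "logged flow, window 55808": build_packet(
        "62.61.133.250", "192.168.0.2", 3135, 4662, 0x02, 55808),
    "same flow, window 65535": build_packet(
        "62.61.133.250", "192.168.0.2", 3135, 4662, 0x02, 65535),
    "SYN-ACK, window 55808": build_packet(
        "192.168.0.2", "62.61.133.250", 4662, 3135, 0x12, 55808),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label}: match={matches_window_rule(pkt)}")
```

Nothing in the match looks at ports or payload, so confirming or ruling out the false positive means inspecting the rest of the session, as the reply suggests.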
