Backdoor Q access?

From: le (secat_private)
Date: Sun Apr 29 2001 - 23:54:48 PDT


    Hello, I am in a Class B network, and a few days ago, I found the following
    log in my snort log.
    
    [**] BACKDOOR Q access [**]
    04/22-05:54:25.295925 0:0:C:8:D5:6 -> 0:10:11:FF:E0:0 type:0x800 len:0x3C
    255.255.255.255:31337 -> ***.***.106.102:515 TCP TTL:12 TOS:0x0 ID:0 IpLen:20 DgmLen:43
    ***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
    
    I logged these packets with
    % snoop -o 255255255255.log src 255.255.255.255
    and I get the following results.
    ------------------------
    output of % snoop -i 255255255255.log
    
      1   0.00000    BROADCAST -> ***.***.33.183 PRINTER C port=31337 cko
      2 2903.93550    BROADCAST -> ***.***.32.36 PRINTER C port=31337 cko
      3 13652.70806    BROADCAST -> ***.***.25.143 PRINTER C port=31337 cko
      4 4689.02603    BROADCAST -> ***.***.141.208 PRINTER C port=31337 cko
      5 7861.77142    BROADCAST -> ***.***.37.102 PRINTER C port=31337 cko
      6 2121.38985    BROADCAST -> ***.***.20.173 PRINTER C port=31337
      7 10109.13101    BROADCAST -> ***.***.35.28 PRINTER C port=31337
     -------------------------
    output of % snoop -i 255255255255.log -x0
    
     5 7861.77142    BROADCAST -> ***.***.37.102 PRINTER C port=31337 cko
               0: 0010 11ff e000 0000 0c08 d506 0800 4500    ..............E.
              16: 002b 0000 0000 0c06 ebfe ffff ffff ****    .+..............
              32: 2566 7a69 0203 0000 0000 0000 0000 5014    %fzi..........P.
              48: 0000 9e26 0000 636b 6fa1 3d7b              ...&..cko.={
    
      6 2121.38985    BROADCAST -> ***.***.20.173 PRINTER C port=31337
               0: 0010 11ff e000 0000 0c08 d506 0800 4500    ..............E.
              16: 0028 1956 0000 ef06 0064 ffff ffff ****    .(.V.....d...
              32: 14ad 7a69 0203 0000 0000 0000 0000 5004    ..zi..........P.
              48: 0000 815e 0000 4854 5450 2f31              ...^..HTTP/1
    
    ----------------------------
    I noticed the following things.
    1) The destination addresses of these packets seem to be randomly generated, as
    these addresses are unused ones.
    2) There seem to be 2 kinds of packets, one with "cko" in the payload and the other
    without it.
    3) The TTL of packets with "cko" is 12 seconds/hops or so, and 239 seconds/hops
    or so for packets without "cko".
    
    Can anyone explain what is going on?
    
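A worked decode of the two frames quoted in the post, added here as an example; it is not part of the original message and not code from Snort or snoop. It takes the `snoop -x0` hex dumps, parses the Ethernet, IPv4 and TCP headers, separates real TCP payload from bytes that lie beyond the IP total length, and lists the header properties that mark these packets as hand-crafted. The only change to the posted bytes is an assumption: the masked destination octets (`****`) are filled with a made-up `10.0.` prefix so the dump decodes; the `anomalies()` heuristics are mine, not the Snort rule that fired.

```python
import struct
from typing import Any, Dict, List

# Constructed input: the two frames from the `snoop -x0` output quoted in the
# post. The masked destination octets ("****") are replaced with 0x0a 0x00, a
# made-up 10.0.0.0/16 prefix, so the bytes decode; everything else is as posted.
FRAME_5_HEX = """
0010 11ff e000 0000 0c08 d506 0800 4500
002b 0000 0000 0c06 ebfe ffff ffff 0a00
2566 7a69 0203 0000 0000 0000 0000 5014
0000 9e26 0000 636b 6fa1 3d7b
"""
FRAME_6_HEX = """
0010 11ff e000 0000 0c08 d506 0800 4500
0028 1956 0000 ef06 0064 ffff ffff 0a00
14ad 7a69 0203 0000 0000 0000 0000 5004
0000 815e 0000 4854 5450 2f31
"""

# TCP flag bits in the order Snort prints them (U A P R S F).
TCP_FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
                 (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def hex_dump_to_bytes(text: str) -> bytes:
    """Collapse a snoop-style hex dump (whitespace-separated groups) into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def tcp_flag_names(bits: int) -> List[str]:
    return [name for bit, name in TCP_FLAG_BITS if bits & bit]


def decode_frame(raw: bytes) -> Dict[str, Any]:
    """Decode Ethernet/IPv4/TCP headers and split the TCP payload from any bytes
    that lie beyond the IP total length (Ethernet minimum-frame padding)."""
    eth_type = struct.unpack("!H", raw[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)
    ip = raw[14:]
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    datagram = ip[:total_len]   # what the IP header says belongs to this packet
    trailer = ip[total_len:]    # padding / leftover bytes, not part of the packet
    tcp = datagram[ihl:]
    sport, dport, seq, ack, off_res, flags, window, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    return {
        "ip_src": ".".join(str(b) for b in ip[12:16]),
        "ip_dst": ".".join(str(b) for b in ip[16:20]),
        "ip_id": ip_id, "ttl": ttl, "total_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp_flag_names(flags), "window": window,
        "payload": tcp[data_off:], "trailer": trailer,
    }


def anomalies(pkt: Dict[str, Any]) -> List[str]:
    """My own heuristics (not the Snort rule) for why such a packet is crafted."""
    reasons = []
    if pkt["ip_src"] == "255.255.255.255":
        reasons.append("source is the limited-broadcast address, which no host can "
                       "legitimately send from: the source is spoofed and replies cannot return")
    if "RST" in pkt["flags"] and pkt["seq"] == 0 and pkt["ack"] == 0 and pkt["window"] == 0:
        reasons.append("RST with seq, ack and window all zero: a real TCP stack never "
                       "emits this, so the packet was hand-built")
    if pkt["sport"] == 31337:
        reasons.append("source port 31337 is a fixed, chosen value rather than an ephemeral port")
    return reasons


def decode_posted_frames() -> List[Dict[str, Any]]:
    return [decode_frame(hex_dump_to_bytes(h)) for h in (FRAME_5_HEX, FRAME_6_HEX)]


if __name__ == "__main__":
    for pkt in decode_posted_frames():
        print("%s:%d -> %s:%d ttl=%d id=%d flags=%s payload=%r trailer=%r" % (
            pkt["ip_src"], pkt["sport"], pkt["ip_dst"], pkt["dport"], pkt["ttl"],
            pkt["ip_id"], "+".join(pkt["flags"]), pkt["payload"], pkt["trailer"]))
        for reason in anomalies(pkt):
            print("   -", reason)
```

Running it shows why the two kinds of packets differ by more than the TTL: frame 5 carries an IP total length of 43, so the three bytes `cko` are genuine TCP payload, while frame 6 has a total length of 40, which leaves no room for payload at all. The `HTTP/1` bytes after its TCP header sit beyond the datagram and are frame padding, not data sent by the source. That is also why both frames show `len:0x3C` (60 bytes) in the Snort alert: 14+43 and 14+40 are both padded up to the Ethernet minimum.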



    This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 09:57:10 PDT