Re: IP 1.2.3.4

From: Hugo van der Kooij (hvdkooijat_private)
Date: Tue May 01 2001 - 11:15:52 PDT

    On Mon, 30 Apr 2001, Joshua Fritsch wrote:
    
    > I got hit on the 27th around 2AM.
    >
    > However, about an hour prior to that I got a back orifice "info" query from
    > a RoadRunner (rr.com) address, which leads me to believe they forgot to mask
    > themselves on the first run.  Logs follow.
    
    There are several differences.
    
    > [**] IDS399 - BackOrifice1-info [**]
    > 04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
    > UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
    > Len: 26
    >
    > [**] IDS188/trojan-probe-back-orifice [**]
    > 04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
    > UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
    > Len: 59
    >
    (two duplicate blocks removed)
    >
    > [**] IDS188/trojan-probe-back-orifice [**]
    > 04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
    > UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
    > Len: 59
    
    The first entry is smaller and exhibits some other differences as well.
    
    I got 5 hits recorded by snort that all are similar to your first entry
    but originating from 5 different addresses.
    
    While I can't say they may not be the cause, it is impossible to say they
    are.
    
    Hugo.
    
    PS: It would be nice if all ISP's and backbones would block spoofed IP
    addresses.
    
    --
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
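The comparison Hugo makes by eye (TTL, datagram length and UDP length differ between the first alert and the later ones, so they need not come from one sender) can be done mechanically. The following Python is an added example, not code from the list or its posters: it parses the Snort 1.x alert blocks quoted in the message, checks that DgmLen equals IpLen plus the UDP Len, and derives a per-packet fingerprint so alerts from different sources can be compared. The function names, the `same_origin_likely` test and the initial-TTL guess (nearest of 32/64/128/255) are this example's own assumptions and heuristics, not anything the thread states.

```python
import re
from collections import defaultdict

# Snort alert text as quoted in the message above; the destination was already
# masked as X.X.X.X by the original poster and the two elided blocks are absent.
SAMPLE_ALERTS = """\
[**] IDS399 - BackOrifice1-info [**]
04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
Len: 26

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
Len: 59
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[^:]+):(?P<sport>\d+) -> "
    r"(?P<dst>[^:]+):(?P<dport>\d+)$"
)
IP_RE = re.compile(
    r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9a-fA-F]+) ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)$"
)
LEN_RE = re.compile(r"^Len: (?P<len>\d+)$")


def parse_alerts(text):
    """Parse Snort 1.x-style alert blocks (blank-line separated) into dicts."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes a block
            if current:
                alerts.append(current)
                current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"sig": m.group("sig")}
            continue
        if current is None:
            continue                      # text outside any alert block
        for rx in (FLOW_RE, IP_RE, LEN_RE):
            m = rx.match(line)
            if m:
                current.update({k: (int(v) if v.isdigit() else v)
                                for k, v in m.groupdict().items()})
                break
    if current:
        alerts.append(current)
    return alerts


def guess_initial_ttl(ttl):
    """Heuristic (assumption, not fact): the smallest common initial TTL at or
    above the observed value, and the implied hop count. TTL 110 -> (128, 18)."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def fingerprint(alert):
    """Packet-level fields two probes would need to share to plausibly come
    from the same sender and tool: protocol, observed TTL, sizes."""
    return (alert["proto"], alert["ttl"], alert["dgmlen"], alert["len"])


def same_origin_likely(a, b):
    """True only when the fingerprints agree; a differing TTL or datagram
    size argues against a single origin (it does not prove one)."""
    return fingerprint(a) == fingerprint(b)


def group_by_source(alerts):
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    return dict(by_src)


def summarize(text):
    """Parse, sanity-check lengths (DgmLen == IpLen + UDP Len) and annotate
    each alert with the initial-TTL guess."""
    alerts = parse_alerts(text)
    for a in alerts:
        a["consistent"] = a["dgmlen"] == a["iplen"] + a["len"]
        a["initial_ttl"], a["hops"] = guess_initial_ttl(a["ttl"])
    return alerts


if __name__ == "__main__":
    for a in summarize(SAMPLE_ALERTS):
        print(a["src"], a["sig"], "ttl", a["ttl"], "guess", a["initial_ttl"],
              "hops", a["hops"], "ok" if a["consistent"] else "BAD LEN")
```

Run on the quoted alerts, the 24.92.246.190 entry (TTL 15, DgmLen 46) and the two 1.2.3.4 entries (TTL 110, DgmLen 79) get different fingerprints, which is the point Hugo makes: the earlier "info" query is not evidence that the same host sent the later probes. The hop-count guess is only useful for spotting gross inconsistencies between alerts that claim the same source, which is exactly the case spoofing produces.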
    



    This archive was generated by hypermail 2b30 : Tue May 01 2001 - 17:55:20 PDT