On Mon, 30 Apr 2001, Joshua Fritsch wrote:

> I got hit on the 27th around 2AM.
>
> However, about an hour prior to that I got a back orifice "info" query from
> a RoadRunner (rr.com) address, which leads me to believe they forgot to mask
> themselves on the first run. Logs follow. There are several differences.
>
> [**] IDS399 - BackOrifice1-info [**]
> 04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
> UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
> Len: 26
>
> [**] IDS188/trojan-probe-back-orifice [**]
> 04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
> UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
> Len: 59
>
> (two duplicate blocks removed)
>
> [**] IDS188/trojan-probe-back-orifice [**]
> 04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
> UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
> Len: 59

The first entry is smaller and exhibits some other differences as well.

I got 5 hits recorded by snort that all are similar to your first entry but
originating from 5 different addresses. While I can't say they may not be the
cause, it is impossible to say they are.

Hugo.

PS: It would be nice if all ISPs and backbones would block spoofed IP addresses.

--
All email sent to me is bound to the rules described on my homepage.
    hvdkooijat_private              http://hvdkooij.xs4all.nl/
    Don't meddle in the affairs of sysadmins,
    for they are subtle and quick to anger.
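Hugo's comparison rests on header traits (TTL, DgmLen, Len) and on how many distinct sources sent each alert type. The following Python is an added example, not code from either poster: it parses Snort alert blocks in the exact format quoted above and groups them by signature, source and a header fingerprint so the same comparison can be run over a whole alert file. The sample input is the thread's own alert text; the relation Len = DgmLen - IpLen (UDP length, 8-byte header included) is inferred from those values and asserted as a consistency check.

```python
import re
from collections import defaultdict

# Constructed sample: the three alert blocks quoted in the thread, unchanged.
SAMPLE_ALERTS = """\
[**] IDS399 - BackOrifice1-info [**]
04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
Len: 26

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
Len: 59
"""

ALERT_RE = re.compile(
    r"\[\*\*\] (?P<sig>.+?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)\n"
    r"UDP TTL:(?P<ttl>\d+) TOS:0x[0-9a-fA-F]+ ID:(?P<ipid>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)\n"
    r"Len: (?P<len>\d+)")
UDP_HEADER = 8  # Snort's "Len" here is the UDP length field: header plus payload

def parse_alerts(text):
    """One dict per UDP alert block, numeric fields converted to int."""
    ints = ("sport", "dport", "ttl", "ipid", "iplen", "dgmlen", "len")
    return [{k: int(v) if k in ints else v for k, v in m.groupdict().items()}
            for m in ALERT_RE.finditer(text)]

def lengths_consistent(a):
    """IP total length minus IP header must equal the UDP length Snort printed."""
    return a["dgmlen"] - a["iplen"] == a["len"]

def fingerprint(a):
    """Header traits that tell one probe tool or run from another."""
    return (a["sig"], a["ttl"], a["dgmlen"], a["len"] - UDP_HEADER)

def summarize(alerts):
    """Per signature: distinct sources, TTLs and UDP payload sizes seen."""
    out = defaultdict(lambda: {"sources": set(), "ttls": set(), "payload": set()})
    for a in alerts:
        out[a["sig"]]["sources"].add(a["src"])
        out[a["sig"]]["ttls"].add(a["ttl"])
        out[a["sig"]]["payload"].add(a["len"] - UDP_HEADER)
    return dict(out)
```

Run against a full Snort alert file, the number of distinct sources per signature and the number of distinct fingerprints answer the question raised in the thread: whether the "info" query and the later probes share anything beyond the destination port.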
This archive was generated by hypermail 2b30 : Tue May 01 2001 - 17:55:20 PDT