Re: Backdoor Q access?

From: Patrick Cheong Shu Yang (patrick.cheongat_private)
Date: Wed May 02 2001 - 20:40:13 PDT

    I have also seen the same potential intrusion from our Snort logs as
    follows:-
    
    11:05:18.603917 255.255.255.255.31337 > xxx.xxx.xxx.xx.515: R 0:3(3) ack
    0 win 0
    0x0000   4500 002b 0000 0000 0e06 1900 ffff ffff        E..+............
    0x0010   cab9 c914 7a69 0203 0000 0000 0000 0000        ....zi..........
    0x0020   5014 0000 cd27 0000 636b 6f00 0000             P....'..cko...
    
    Anyone else seen this and can anyone explain what this is?!?!
    
    
    On 30 Apr 2001 15:54:48 +0900, le wrote:
    > Hello, I am in a Class B network, and a few days ago, I found the following
    > log in my snort log.
    >
    > [**] BACKDOOR Q access [**]
    > 04/22-05:54:25.295925 0:0:C:8:D5:6 -> 0:10:11:FF:E0:0 type:0x800 len:0x3C
    > 255.255.255.255:31337 -> ***.***.106.102:515 TCP TTL:12 TOS:0x0 ID:0 IpLen:20
    > DgmLen:43
    > ***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
    >
    > I logged these packets with
    > % snoop -o 255255255255.log src 255.255.255.255
    > and I get the following results.
    > ------------------------
    > output of % snoop -i 255255255255.log
    >
    >   1   0.00000    BROADCAST -> ***.***.33.183 PRINTER C port=31337 cko
    >   2 2903.93550    BROADCAST -> ***.***.32.36 PRINTER C port=31337 cko
    >   3 13652.70806    BROADCAST -> ***.***.25.143 PRINTER C port=31337 cko
    >   4 4689.02603    BROADCAST -> ***.***.141.208 PRINTER C port=31337 cko
    >   5 7861.77142    BROADCAST -> ***.***.37.102 PRINTER C port=31337 cko
    >   6 2121.38985    BROADCAST -> ***.***.20.173 PRINTER C port=31337
    >   7 10109.13101    BROADCAST -> ***.***.35.28 PRINTER C port=31337
    >  -------------------------
    > output of % snoop -i 255255255255.log -x0
    >
    >  5 7861.77142    BROADCAST -> ***.***.37.102 PRINTER C port=31337 cko
    >            0: 0010 11ff e000 0000 0c08 d506 0800 4500    ..............E.
    >           16: 002b 0000 0000 0c06 ebfe ffff ffff ****    .+..............
    >           32: 2566 7a69 0203 0000 0000 0000 0000 5014    %fzi..........P.
    >           48: 0000 9e26 0000 636b 6fa1 3d7b              ...&..cko.={
    >
    >   6 2121.38985    BROADCAST -> ***.***.20.173 PRINTER C port=31337
    >            0: 0010 11ff e000 0000 0c08 d506 0800 4500    ..............E.
    >           16: 0028 1956 0000 ef06 0064 ffff ffff ****    .(.V.....d...
    >           32: 14ad 7a69 0203 0000 0000 0000 0000 5004    ..zi..........P.
    >           48: 0000 815e 0000 4854 5450 2f31              ...^..HTTP/1
    >
    > ----------------------------
    > I noticed following things.
    > 1) The destination address of these packets seems to be randomly generated, as
    > these addresses are unused ones.
    > 2) There seem to be 2 kinds of packets, one with "cko" in the payload and the other
    > without it.
    > 3) The TTL of packets with "cko" is 12 seconds/hops or so,
    >   and 239 seconds/hops or so for packets without "cko".
    >
    > Can anyone explain what is going on?
    >
    
    
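As an added example (not code from either poster), a small Python decoder for the tcpdump/Snort `-x` hexdump layout used above: it rebuilds the raw bytes, reads the IPv4 and TCP headers, trims to the IP total length (the dump above shows 46 bytes for a packet that declares 43; the rest is link-layer padding, which is why "cko" appears followed by zero bytes), and flags packets that share the invariants both posters report (source 255.255.255.255, source port 31337). The sample dump is constructed, with a TEST-NET-1 destination and zeroed checksums.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample in tcpdump/Snort "-x" layout, modelled on the packet in the
# post above but with a TEST-NET-1 destination (192.0.2.10) and zeroed checksums.
SAMPLE_HEXDUMP = """\
0x0000   4500 002b 0000 0000 0e06 0000 ffff ffff        E..+............
0x0010   c000 020a 7a69 0203 0000 0000 0000 0000        ....zi..........
0x0020   5014 0000 0000 0000 636b 6f00 0000             P.......cko...
"""

TCP_FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))

@dataclass
class PacketSummary:
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    flags: str
    payload: bytes

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset  hex groups  ascii' lines (tcpdump -x style)."""
    raw = bytearray()
    for line in dump.splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # offset | hex area | ascii gutter
        if len(cols) < 2 or not cols[0].startswith("0x"):
            continue
        raw += bytes.fromhex(cols[1].replace(" ", ""))
    return bytes(raw)

def parse_ipv4_tcp(pkt: bytes) -> PacketSummary:
    """Decode IPv4+TCP headers, honouring IHL, data offset and the IP total length."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = pkt[:total_len]  # drop link-layer padding beyond the declared length
    sport, dport, _seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4
    flags = "".join(name for name, bit in TCP_FLAG_BITS if off_flags & bit)
    return PacketSummary(".".join(map(str, src)), ".".join(map(str, dst)), ttl, sport, dport, flags, pkt[ihl + data_off:])

def looks_like_q_probe(s: PacketSummary) -> bool:
    """Invariants both posters report: spoofed broadcast source and source port 31337."""
    return s.src == "255.255.255.255" and s.sport == 31337
```

Running `parse_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP))` yields flags "RA", TTL 14, ports 31337 -> 515 and a 3-byte payload `b"cko"`, matching the `R 0:3(3) ack 0 win 0` summary line above.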



    This archive was generated by hypermail 2b30 : Thu May 03 2001 - 13:52:53 PDT