Backdoor Q access?

From: Jeff Peterson (Jpetersonat_private)
Date: Fri May 04 2001 - 15:21:16 PDT


    OK, so I went back to the IRC that causes my printers to send an ICMP ACK.
    (???).  I noticed a bunch of traffic, so I caused the prog to abend on
    purpose. I get the unrequested response from my printers, and then my e-mail
    shows the following returned mail. Note address.  Related, or innocent?
    
    -----Original Message-----
    From: Mail Delivery Subsystem
    [mailto:MAILER-DAEMON@mail-in.namezero.com]
    Sent: Friday, May 04, 2001 2:49 PM
    To: Jpetersonat_private
    Subject: Returned mail: see transcript for details
    
    
    The original message was received at Fri, 4 May 2001 12:31:24 -0700 (PDT)
    from localhost [127.0.0.1]
    
       ----- The following addresses had permanent fatal errors -----
    <darklord2000.comat_private>
        (reason: 550 User unknown)
    
       ----- Transcript of session follows -----
    ... while talking to inbound.namezero.com.criticalpath.net.:
    >>> RCPT To:<darklord2000.comat_private>
    <<< 550 User unknown
    550 5.1.1 <darklord2000.comat_private>... User unknown
    
    attached mail follows:
    
    This seems to have something to do with IRC. Almost every time I connect to a
    certain IRC, I get this probe. Possibly somebody looking for a certain trojan?
    
    -----Original Message-----
    From: le [mailto:secat_private]
    Sent: Sunday, April 29, 2001 11:55 PM
    To: INCIDENTSat_private
    Subject: Backdoor Q access?
    
    Hello,
    
    I am in a Class B network, and a few days ago, I found the following log in my
    snort log.
    
    [**] BACKDOOR Q access [**]
    04/22-05:54:25.295925 0:0:C:8:D5:6 -> 0:10:11:FF:E0:0 type:0x800 len:0x3C
    255.255.255.255:31337 -> ***.***.106.102:515 TCP TTL:12 TOS:0x0 ID:0 IpLen:20 DgmLen:43
    ***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
    
    I logged these packets with
    
    % snoop -o 255255255255.log src 255.255.255.255
    
    and I get the following results.
    
    ------------------------ output of % snoop -i 255255255255.log
      1     0.00000 BROADCAST -> ***.***.33.183  PRINTER C port=31337 cko
      2  2903.93550 BROADCAST -> ***.***.32.36   PRINTER C port=31337 cko
      3 13652.70806 BROADCAST -> ***.***.25.143  PRINTER C port=31337 cko
      4  4689.02603 BROADCAST -> ***.***.141.208 PRINTER C port=31337 cko
      5  7861.77142 BROADCAST -> ***.***.37.102  PRINTER C port=31337 cko
      6  2121.38985 BROADCAST -> ***.***.20.173  PRINTER C port=31337
      7 10109.13101 BROADCAST -> ***.***.35.28   PRINTER C port=31337
    ------------------------- output of % snoop -i 255255255255.log -x0
      5  7861.77142 BROADCAST -> ***.***.37.102  PRINTER C port=31337 cko
    
       0: 0010 11ff e000 0000 0c08 d506 0800 4500    ..............E.
      16: 002b 0000 0000 0c06 ebfe ffff ffff ****    .+..............
      32: 2566 7a69 0203 0000 0000 0000 0000 5014    %fzi..........P.
      48: 0000 9e26 0000 636b 6fa1 3d7b              ...&..cko.={
    
      6  2121.38985 BROADCAST -> ***.***.20.173  PRINTER C port=31337
    
       0: 0010 11ff e000 0000 0c08 d506 0800 4500    ..............E.
      16: 0028 1956 0000 ef06 0064 ffff ffff ****    .(.V.....d...
      32: 14ad 7a69 0203 0000 0000 0000 0000 5004    ..zi..........P.
      48: 0000 815e 0000 4854 5450 2f31              ...^..HTTP/1
    ----------------------------
    
    I noticed the following things.
    
    1) The destination address of these packets seems to be randomly generated,
       as these addresses are unused ones.
    2) There seem to be 2 kinds of packets, one with "cko" in the payload and the
       other without it.
    3) The TTL of packets with "cko" is 12 seconds/hops or so, and 239 seconds/hops
       or so for packets without "cko".
    
    Can anyone explain what is going on?
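To make the two hex dumps in the quoted post easier to reason about, here is an added Python example (not code from either poster) that rebuilds the frames from the `snoop -x0` listing, decodes the IPv4/TCP headers into the fields the Snort alert reports, and separates real TCP payload from whatever follows the IP total length; it assumes the two destination-address bytes the poster masked as **** can be replaced with the constructed placeholder 0a00.

```python
import re
import struct
# Constructed sample: the two `snoop -x0` frames quoted in the post, with the two
# address bytes the poster masked as **** replaced by the placeholder 0a00.
SNOOP_DUMP = """\
5 7861.77142 BROADCAST -> 10.0.37.102 PRINTER C port=31337 cko
0: 0010 11ff e000 0000 0c08 d506 0800 4500 ..............E.
16: 002b 0000 0000 0c06 ebfe ffff ffff 0a00 .+..............
32: 2566 7a69 0203 0000 0000 0000 0000 5014 %fzi..........P.
48: 0000 9e26 0000 636b 6fa1 3d7b ...&..cko.={
6 2121.38985 BROADCAST -> 10.0.20.173 PRINTER C port=31337
0: 0010 11ff e000 0000 0c08 d506 0800 4500 ..............E.
16: 0028 1956 0000 ef06 0064 ffff ffff 0a00 .(.V.....d...
32: 14ad 7a69 0203 0000 0000 0000 0000 5004 ..zi..........P.
48: 0000 815e 0000 4854 5450 2f31 ...^..HTTP/1
"""
HEX_LINE = re.compile(r"^\s*\d+:\s+(.*)$")   # "offset: hex words ... ascii column"

def frames_from_snoop(text):
    """Rebuild raw Ethernet frames from a snoop -x0 listing; a summary line starts a new frame."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m is None:
            if cur:
                frames.append(bytes(cur))
            cur = bytearray()
            continue
        for tok in m.group(1).split()[:8]:             # at most 8 hex words per line
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break                                   # reached the ASCII column
            cur.extend(bytes.fromhex(tok))
    return frames + ([bytes(cur)] if cur else [])

def decode(frame):
    """Decode Ethernet/IPv4/TCP, keeping frame padding apart from real TCP payload."""
    ip = frame[14:]                                     # assumes EtherType 0x0800 (IPv4)
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = "".join(c if tcp[13] & b else "*"           # Snort-style 12UAPRSF flag string
                    for c, b in zip("12UAPRSF", (128, 64, 32, 16, 8, 4, 2, 1)))
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "sport": sport, "dport": dport, "flags": flags,
            "payload": bytes(tcp[(tcp[12] >> 4) * 4:]),
            "trailer": bytes(ip[total_len:])}          # past the IP length: padding, not data

def is_q_probe(p):
    """Traits the thread points at: broadcast source, source port 31337, RST set."""
    return p["src"] == "255.255.255.255" and p["sport"] == 31337 and "R" in p["flags"]
```

Decoding the second frame shows its IP total length is 40, so the "HTTP/1" bytes sit beyond the datagram and are frame padding rather than TCP data; only the first frame (total length 43) carries the 3-byte "cko" payload.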



    This archive was generated by hypermail 2b30 : Fri May 04 2001 - 15:34:25 PDT