I'm inclined to think this is some sort of worm, and it's definitely doing its thing on IRC (the IPs that drew the packets are all used almost exclusively for IRC):

Mar 1 21:35:36 asspuma 11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.196.44.58(31337) -> 64.149.133.155(515), 1 packet
Mar 6 15:43:36 asspuma 445: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.196.44.58(31337) -> 64.149.133.58(515), 1 packet
Mar 16 06:54:21 asspuma 1696: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.112.47.7(31337) -> 64.149.133.33(515), 1 packet
Mar 26 13:54:18 asspuma 3055: %SEC-6-IPACCESSLOGP: list 101 denied tcp 151.200.27.97(31337) -> 64.149.133.209(515), 1 packet
Mar 28 23:22:16 asspuma 3535: %SEC-6-IPACCESSLOGP: list 101 denied tcp 151.200.27.97(31337) -> 64.149.133.127(515), 1 packet
Apr 1 23:32:58 asspuma 79: %SEC-6-IPACCESSLOGP: list 101 denied tcp 202.230.106.50(31337) -> 64.149.133.216(515), 1 packet
Apr 29 17:45:57 asspuma 532: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.7(515), 1 packet
Apr 29 18:14:35 asspuma 533: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.128(515), 1 packet
May 3 00:12:13 asspuma 1934: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.79(515), 1 packet
May 4 02:38:01 asspuma 2187: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.124(515), 1 packet
May 4 05:04:11 asspuma 2316: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.123(515), 1 packet
May 4 10:27:27 asspuma 2369: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.164(515), 1 packet

> This seems to have something to do with IRC. Almost every time I connect to
> a certain IRC, I get this probe. Possibly somebody looking for a certain
> trojan?
>
> -----Original Message-----
> From: le [mailto:secat_private]
> Sent: Sunday, April 29, 2001 11:55 PM
> To: INCIDENTSat_private
> Subject: Backdoor Q access?
>
>
> Hello, I am in a Class B network, and a few days ago, I found the following
> log in my snort log.
>
> [**] BACKDOOR Q access [**]
> 04/22-05:54:25.295925 0:0:C:8:D5:6 -> 0:10:11:FF:E0:0 type:0x800 len:0x3C
> 255.255.255.255:31337 -> ***.***.106.102:515 TCP TTL:12 TOS:0x0 ID:0 IpLen:20 DgmLen:43
> ***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20

-Jason Storm
Negation Industries
"Only two things can stop an orgy; and that's dawn, or a bigger orgy across town."
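An added triage script, not from this thread or from any of its posters, that parses the IOS %SEC-6-IPACCESSLOGP lines above and summarises them the way one would before deciding "worm or not": per source, how many distinct hosts it touched, whether the logged source can be genuine at all (255.255.255.255 cannot originate a TCP segment, so those entries are spoofed and the address says nothing about where they came from), and whether every packet matches the 31337 -> 515 tuple the quoted Snort "BACKDOOR Q access" alert fired on. The sample log is a constructed subset of the lines in the message.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the %SEC-6-IPACCESSLOGP lines quoted in the message above.
SAMPLE_LOG = """\
Mar 1 21:35:36 asspuma 11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.196.44.58(31337) -> 64.149.133.155(515), 1 packet
Mar 6 15:43:36 asspuma 445: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.196.44.58(31337) -> 64.149.133.58(515), 1 packet
Apr 29 17:45:57 asspuma 532: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.7(515), 1 packet
Apr 29 18:14:35 asspuma 533: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.128(515), 1 packet
May 3 00:12:13 asspuma 1934: %SEC-6-IPACCESSLOGP: list 101 denied tcp 255.255.255.255(31337) -> 64.149.133.79(515), 1 packet
"""

# "<ts> <host> <seq>: %SEC-6-IPACCESSLOGP: list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

def parse_acl_log(text):
    """Return one dict per parseable line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for k in ("sport", "dport", "count"):
                e[k] = int(e[k])
            events.append(e)
    return events

def is_spoofed_source(addr):
    """Limited broadcast, unspecified and multicast addresses can never be a genuine TCP source."""
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.ip_address("255.255.255.255") or ip.is_unspecified or ip.is_multicast

def triage(events):
    """Per source: distinct targets (a sweep across the /24), spoofed source, and the 31337->515 tuple."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        report[src] = {
            "targets": len({e["dst"] for e in evs}),
            "spoofed_source": is_spoofed_source(src),
            "q_tuple": all(e["sport"] == 31337 and e["dport"] == 515 for e in evs),
        }
    return report
```

Run `triage(parse_acl_log(SAMPLE_LOG))` to get the per-source summary; a spoofed source with many targets means the ACL counters cannot be used to attribute the scan, only to measure its spread.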
This archive was generated by hypermail 2b30 : Fri May 04 2001 - 15:43:56 PDT