Re: Backdoor Q access?

From: Jason Storm (secat_private)
Date: Fri May 04 2001 - 15:14:05 PDT


    I'm inclined to think this is some sort of worm.. and it's definitely doing
    its thing on IRC (the IPs that drew the packets are all used almost
    exclusively for IRC);
    
    
    Mar  1 21:35:36 asspuma 11: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    209.196.44.58(31337) -> 64.149.133.155(515), 1 packet
    Mar  6 15:43:36 asspuma 445: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    209.196.44.58(31337) -> 64.149.133.58(515), 1 packet
    Mar 16 06:54:21 asspuma 1696: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    209.112.47.7(31337) -> 64.149.133.33(515), 1 packet
    Mar 26 13:54:18 asspuma 3055: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    151.200.27.97(31337) -> 64.149.133.209(515), 1 packet
    Mar 28 23:22:16 asspuma 3535: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    151.200.27.97(31337) -> 64.149.133.127(515), 1 packet
    Apr  1 23:32:58 asspuma 79: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    202.230.106.50(31337) -> 64.149.133.216(515), 1 packet
    Apr 29 17:45:57 asspuma 532: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    255.255.255.255(31337) -> 64.149.133.7(515), 1 packet
    Apr 29 18:14:35 asspuma 533: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    255.255.255.255(31337) -> 64.149.133.128(515), 1 packet
    May  3 00:12:13 asspuma 1934: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    255.255.255.255(31337) -> 64.149.133.79(515), 1 packet
    May  4 02:38:01 asspuma 2187: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    255.255.255.255(31337) -> 64.149.133.124(515), 1 packet
    May  4 05:04:11 asspuma 2316: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    255.255.255.255(31337) -> 64.149.133.123(515), 1 packet
    May  4 10:27:27 asspuma 2369: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    255.255.255.255(31337) -> 64.149.133.164(515), 1 packet
    
    
    
    > This seems to have something to do with IRC. Almost every time I connect to
    > a certain IRC, I get this probe.  Possibly somebody looking for a certain
    > trojan?
    >
    > -----Original Message-----
    > From: le [mailto:secat_private]
    > Sent: Sunday, April 29, 2001 11:55 PM
    > To: INCIDENTSat_private
    > Subject: Backdoor Q access?
    >
    >
    > Hello, I am in a Class B network, and a few days ago, I found the following
    > log in my snort log.
    >
    > [**] BACKDOOR Q access [**]
    > 04/22-05:54:25.295925 0:0:C:8:D5:6 -> 0:10:11:FF:E0:0 type:0x800 len:0x3C
    > 255.255.255.255:31337 -> ***.***.106.102:515 TCP TTL:12 TOS:0x0 ID:0
    > IpLen:20 DgmLen:43
    > ***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
    
    
    -Jason Storm
     Negation Industries
    
     "Only two things can stop an orgy; and that's dawn, or a bigger orgy
      across town."
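A small detection pass over log lines in the same format as the Cisco ACL entries quoted above, written as an added example (it is not code from the post or from anyone on the list). It parses the `%SEC-6-IPACCESSLOGP` messages, tolerating the line wrap the mail client introduced between `tcp` and the source address, and flags two things a defender would want to separate: a source of 255.255.255.255, which can never be a legitimate unicast source and so marks the packet as spoofed regardless of ports, and the 31337 -> 515 port pairing seen in every quoted entry. It also counts distinct targets per source, since one source hitting many hosts across the /24 reads as a sweep rather than a probe aimed at a single machine. The sample lines are constructed here; the first three copy addresses from the post, the last is a benign deny added to show it is not flagged.

```python
import re

# Constructed sample in the same wrapped form as the post's quoted log.
# The first three entries reuse addresses from the post; the fourth is an
# unrelated deny added here so the classifier has a negative case.
SAMPLE_LOG = """\
Apr 29 17:45:57 asspuma 532: %SEC-6-IPACCESSLOGP: list 101 denied tcp
255.255.255.255(31337) -> 64.149.133.7(515), 1 packet
May  4 02:38:01 asspuma 2187: %SEC-6-IPACCESSLOGP: list 101 denied tcp
255.255.255.255(31337) -> 64.149.133.124(515), 1 packet
Mar  1 21:35:36 asspuma 11: %SEC-6-IPACCESSLOGP: list 101 denied tcp
209.196.44.58(31337) -> 64.149.133.155(515), 1 packet
Mar  2 09:00:00 asspuma 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp
10.1.2.3(4455) -> 64.149.133.9(80), 1 packet
"""

# One ACL log record. "\s+" after the protocol absorbs the mail-wrap newline,
# so wrapped and unwrapped lines parse the same way.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?",
    re.MULTILINE,
)

LIMITED_BROADCAST = "255.255.255.255"
PROBE_SPORT, PROBE_DPORT = 31337, 515   # the pairing seen in the quoted entries


def parse_acl_log(text):
    """Return one dict per %SEC-6-IPACCESSLOGP record found in text."""
    return [m.groupdict() for m in LOG_RE.finditer(text)]


def classify(entry):
    """List the reasons an entry looks like the probe from the post (empty if none)."""
    reasons = []
    if entry["src"] == LIMITED_BROADCAST:
        # The limited broadcast address is never a valid unicast source,
        # so the source was forged no matter what the ports say.
        reasons.append("spoofed source 255.255.255.255")
    if int(entry["sport"]) == PROBE_SPORT and int(entry["dport"]) == PROBE_DPORT:
        reasons.append("31337 -> 515 port pairing")
    return reasons


def find_probes(text):
    """Pair each suspicious entry with its reasons; unflagged entries are dropped."""
    return [(e, classify(e)) for e in parse_acl_log(text) if classify(e)]


def sweep_summary(text):
    """Distinct target count per flagged source; a high count indicates a sweep."""
    targets = {}
    for entry, _ in find_probes(text):
        targets.setdefault(entry["src"], set()).add(entry["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    for entry, reasons in find_probes(SAMPLE_LOG):
        print(f'{entry["ts"]} {entry["src"]}:{entry["sport"]} -> '
              f'{entry["dst"]}:{entry["dport"]}  [{"; ".join(reasons)}]')
    print("targets per source:", sweep_summary(SAMPLE_LOG))
```

Because the spoofed-source check is independent of the port check, an entry from 255.255.255.255 is still flagged if the ports change, while a 31337 -> 515 entry from a routable address (as in the March lines of the post) is flagged on the port pairing alone.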
    



    This archive was generated by hypermail 2b30 : Fri May 04 2001 - 15:43:56 PDT