More info: I have captures from some non-primary probing addresses now. The non-primary addresses have not been repeating at all. When addresses probe my target port 8247, they all use the same sequence number 2773619225, window size 55808, and WS: 2. Source ports vary and have even included port 0. ID varies by probing address (but is still usually 14921 on mine), as does MSS (1400 or 1416 or 1436, etc).

More speculation: So if this is a botnet, the TCP seq might identify a subset of the network itself, or it could be related to the target. Dest port might be the triggering factor for the listening trojan, and source port and source address might be the command being issued. Window 55808 and WS: 2 appear to be universal since everyone has reported the same. MSS 1460 appears to be universal for primary probing addresses.

Has anyone found any of the sequence numbers posted to the list on any other network?
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 12:44:23 PDT
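For anyone comparing their own captures against the fields reported in the post above, here is an added example (not part of the original message) that decodes raw TCP headers, flags those with window 55808 and WS 2, and groups the sequence numbers seen per destination port. It assumes the probes are SYN segments, since the window-scale option is only sent on SYNs; the function names and the sample headers are constructed for illustration.

```python
import struct

WINDOW, WSCALE = 55808, 2  # values the post reports as common to all probes

def parse_tcp(hdr: bytes) -> dict:
    """Decode the fixed TCP header plus the MSS and window-scale options."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", hdr[:16])
    end = min((off_flags >> 12) * 4, len(hdr))   # data offset is in 32-bit words
    f = {"sport": sport, "dport": dport, "seq": seq, "window": window,
         "syn": bool(off_flags & 0x02), "mss": None, "ws": None}
    i = 20
    while i < end:
        kind = hdr[i]
        if kind == 1:                            # NOP padding, single byte
            i += 1
            continue
        if kind == 0 or i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            break                                # end of list or malformed length
        length = hdr[i + 1]
        if kind == 2 and length == 4:            # maximum segment size
            f["mss"] = struct.unpack("!H", hdr[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:          # window scale shift count
            f["ws"] = hdr[i + 2]
        i += length
    return f

def matches_signature(f: dict) -> bool:
    return f["syn"] and f["window"] == WINDOW and f["ws"] == WSCALE

def seq_by_dport(headers) -> dict:
    """Map destination port -> set of sequence numbers in matching SYNs."""
    out = {}
    for h in headers:
        f = parse_tcp(h)
        if matches_signature(f):
            out.setdefault(f["dport"], set()).add(f["seq"])
    return out

def build_syn(sport, dport, seq, window, mss, ws) -> bytes:
    """Construct a sample SYN header (test data only, checksum left at 0)."""
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([1, 3, 3, ws])
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (7 << 12) | 0x02, window, 0, 0) + opts

SAMPLES = [  # constructed headers using the field values quoted in the post
    build_syn(0, 8247, 2773619225, 55808, 1400, 2),
    build_syn(40123, 8247, 2773619225, 55808, 1436, 2),
    build_syn(51000, 80, 123456789, 65535, 1460, 2)]  # ordinary SYN, no match
```

A destination port that maps to exactly one sequence number across many source addresses is the pattern the post describes for port 8247.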