Subject: Can someone take a look at this strange IP traffic?
To: None <port-i386@netbsd.org>
From: Dave Burgess <burgess@cynjut.neonramp.com>
List: port-i386
Date: 04/14/1999 17:53:55
I've had a bunch of computers infected with a remote control Trojan Horse, and I'd
be interested if anyone recognizes this traffic (I think it's BO, but I can't
tell).  The reason it looks suspicious to me is because of the SYN packets going
to a dial-up user....  If I understand correctly, the RST means that the SYN was
refused, right?

23:19:30.764872 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:30.996509 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 109595561 win
0
23:19:31.564492 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:31.759548 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 1 win 0
23:19:32.385084 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:32.607111 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 1 win 0
23:19:33.209172 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:33.392701 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 1 win 0
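As an added example (not part of the original mail or its replies), the following script parses tcpdump output of the kind quoted above, re-joins lines that were wrapped by the mail client, pairs each SYN with the RST the target sends back, and reports repeated connection attempts against ports a defender wants to watch. Port 12345 is listed because it is the default listening port of the NetBus remote-control Trojan; the watch list, the pairing logic and the sample input (the four probe/RST pairs from the post, wrapped exactly as in the mail) are all constructed for this example. A SYN answered by a RST/ACK means the target host has nothing listening on that port, so the interesting signal here is the remote host probing a known Trojan port at all, not the refusal itself.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines from the post, wrapped as the mail shows them.
SAMPLE = """\
23:19:30.764872 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:30.996509 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 109595561 win
0
23:19:31.564492 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:31.759548 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 1 win 0
23:19:32.385084 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:32.607111 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 1 win 0
23:19:33.209172 209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571 >
tc1s15.neonramp.com.12345: S 109595560:109595560(0) win 8192 <mss 1460> (DF)
23:19:33.392701 tc1s15.neonramp.com.12345 >
209-122-254-190.s190.tnt1.lnh.md.dialup.rcn.com.3571: R 0:0(0) ack 1 win 0
"""

# Ports worth flagging when probed; 12345 is NetBus's default listener.
# The set itself is an example choice, extend it for your own environment.
WATCH_PORTS = {12345}

# A record starts with a tcpdump timestamp; anything else is a wrapped continuation.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# Old-style tcpdump TCP line: "TIME SRC.PORT > DST.PORT: FLAGS ..."
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+) "
)


def unwrap(text):
    """Re-join tcpdump records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def split_endpoint(endpoint):
    """'host.name.3571' -> ('host.name', 3571); tcpdump may print service names instead."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else port)


def analyze(text):
    """Count SYNs per (prober, target, target_port) and the RSTs the target sent back."""
    syns, rsts = Counter(), Counter()
    for rec in unwrap(text):
        m = PKT_RE.match(rec)
        if not m:
            continue  # non-TCP or unrecognised line, skip it
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        if m["flags"] == "S":
            syns[(src_host, dst_host, dst_port)] += 1
        elif m["flags"] == "R":
            # A RST travels target -> prober, so the key is built the other way round.
            rsts[(dst_host, src_host, src_port)] += 1
    return syns, rsts


def report(text, watch_ports=WATCH_PORTS):
    """One row per (prober, target, port): attempts, refusals and whether the port is watched."""
    syns, rsts = analyze(text)
    rows = []
    for key in sorted(syns, key=str):
        prober, target, port = key
        rows.append({
            "from": prober,
            "to": target,
            "port": port,
            "syn": syns[key],
            "rst": rsts.get(key, 0),
            "refused": rsts.get(key, 0) > 0,  # RST back means nothing is listening there
            "watch": port in watch_ports,
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        tag = "WATCHED PORT" if row["watch"] else ""
        print(f"{row['from']} -> {row['to']}:{row['port']} "
              f"syn={row['syn']} rst={row['rst']} refused={row['refused']} {tag}")
```

Run against the sample, the script reports a single flow: four SYNs from the dial-up host to port 12345 on tc1s15, all four answered by a RST, with the port marked as watched. Feeding it a longer capture (`tcpdump -n 'tcp[13] & 6 != 0'` restricts the capture to SYN and RST packets) shows which internal hosts are being probed and, more importantly, any flow where the SYNs stop being refused.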