Snort mailing list archives
Re: WIN2K IRC Trojan
From: "F.M. Taylor" <root () uranium indstate edu>
Date: Fri, 6 Sep 2002 15:51:57 -0500 (EST)
This is what I am currently using to catch them with, but is not as accurate as I would like.

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667:7000 (msg:"INFO Possible IRC XDCC"; flags: A+; content: "Total Offered"; classtype:bad-unknown; sid:9542; rev:2;)

On Fri, 6 Sep 2002, Mike Shaw wrote:

> What are the details on the trojan? I may have a copy on the way.
>
> -Mike
>
> At 03:53 PM 9/6/2002 -0400, Ian Macdonald wrote:
>> If anyone has any details on how this works please send them to the snort-sigs mailing list so we can write some sigs.
>>
>> Ian
>>
>> ----- Original Message -----
>> From: "F.M. Taylor" <root () uranium indstate edu>
>> To: <snort-users () lists sourceforge net>
>> Sent: Friday, September 06, 2002 3:11 PM
>> Subject: [Snort-users] WIN2K IRC Trojan
>>
>>> Dudez, wtf is up with this trojan/hack/bot/win2k exploit that seems to be spreading itself fairly rapidly. Is there a sig for this yet? Does anyone even know how this thing is being spread??
--
Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University.
Rankin Hall Rm 053
210 N 7th St.
Terre Haute, IN.
SANS GSEC http://www.sans.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
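
Added example, not part of the original message: a Python emulation of what the rule posted above tests (destination port 6667:7000, ACK set, the case-sensitive bytes "Total Offered"), run over constructed payloads next to a stricter check that ties the string to an outgoing PRIVMSG/NOTICE line. The sample payloads, the advert layout in them, the stricter pattern and all function names are assumptions made for illustration.

```python
import re

LOW, HIGH = 6667, 7000  # destination port range from the rule header

# Constructed samples (not captured traffic): (dst_port, tcp_flags, payload)
SAMPLES = [
    # pack-list advert on a standard IRC port (advert layout is an assumption)
    (6667, "PA", b"PRIVMSG #chan :** 3 packs ** 2 of 2 slots open\r\n"
                 b"PRIVMSG #chan :Total Offered: 2.1 GB  Total Transferred: 40 GB\r\n"),
    # a user merely mentioning the phrase in conversation
    (6667, "PA", b"PRIVMSG #help :what does Total Offered mean in a pack list?\r\n"),
    # same kind of advert, but the IRC server listens outside 6667:7000
    (8080, "PA", b"PRIVMSG #chan :Total Offered: 700 MB  Total Transferred: 9 GB\r\n"),
    # bare SYN: no ACK flag and no payload
    (6667, "S", b""),
]

def posted_rule(dst_port, flags, payload):
    """Emulate the posted rule: port range, 'flags: A+', case-sensitive content."""
    return LOW <= dst_port <= HIGH and "A" in flags and b"Total Offered" in payload

# Hypothetical stricter test: the phrase must open the text of a PRIVMSG or
# NOTICE line and be followed by a size figure. It ignores the port on purpose.
ADVERT = re.compile(
    rb"^(?:PRIVMSG|NOTICE) \S+ :\W*Total Offered: *[\d.]+ *[KMGT]?B",
    re.MULTILINE,
)

def stricter_check(dst_port, flags, payload):
    """Port-independent check anchored to IRC message framing."""
    return "A" in flags and ADVERT.search(payload) is not None

def compare(samples=SAMPLES):
    """Return (posted_rule, stricter_check) verdicts for each sample."""
    return [(posted_rule(*s), stricter_check(*s)) for s in samples]

if __name__ == "__main__":
    for sample, (old, new) in zip(SAMPLES, compare()):
        print(f"port={sample[0]:<5} posted_rule={old!s:<5} stricter_check={new}")
```

The second sample is a false positive for the bare content match, and the third is a miss caused only by the port range.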
Current thread:
- WIN2K IRC Trojan F.M. Taylor (Sep 06)
- Re: WIN2K IRC Trojan Ian Macdonald (Sep 06)
- Re: WIN2K IRC Trojan Mike Shaw (Sep 06)
- Re: WIN2K IRC Trojan F.M. Taylor (Sep 06)
- Message not available
- Re: WIN2K IRC Trojan Mike Shaw (Sep 06)
- Re: WIN2K IRC Trojan Mike Shaw (Sep 06)
- Re: WIN2K IRC Trojan Ian Macdonald (Sep 06)
- Re: WIN2K IRC Trojan Gary Flynn (Sep 06)
- <Possible follow-ups>
- RE: WIN2K IRC Trojan Matt Yackley (Sep 06)
- RE: WIN2K IRC Trojan F.M. Taylor (Sep 06)
- Re: WIN2K IRC Trojan Michael Scheidell (Sep 06)
- RE: WIN2K IRC Trojan F.M. Taylor (Sep 06)