Snort mailing list archives

RE: Typot BACKDOOR


From: "David" <dwad24 () excite com>
Date: Sat, 29 May 2004 00:18:31 -0400 (EDT)


Hey Jussx,

Probably just a false positive. This rule is triggered when a SYN packet with window size 55808 is detected. This traffic can occur naturally from time to time. Have you looked at the payload to see if it looks like normal eMule traffic?

Dave

 --- On Fri 05/28, _JusSx_ < jussx0 () yahoo it > wrote:

From: _JusSx_ [mailto: jussx0 () yahoo it]
To: snort-users () lists sourceforge net
Date: Fri, 28 May 2004 21:25:09 +0200
Subject: [Snort-users] Typot  BACKDOOR

Hi,
I got some odd logs from snort. I got logs such as

May 28 21:19:29 localhost snort: [1:2182:3] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 62.61.133.250:3135 -> 192.168.0.2:4662

Port 4662 is used by mldonkey, and edonkey users are allowed to connect to it because my router and my firewall are set so.
Well, what does it mean? Is my box infected by typot backdoor? Or are infected computers scanning my box?

Thanx in advance
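
An added example, not part of either message and not Snort's own code: a Python triage helper that parses the alert line quoted above, tests a TCP header for the condition the reply describes, and reports whether the packet was an outside client reaching a port the host serves. The function names are hypothetical, "SYN packet" is assumed to mean SYN set with ACK clear, and the served-port set {4662} is taken from the original post.

```python
import ipaddress
import re
import struct

TYPOT_WINDOW = 55808   # window size named in the reply above
SYN, ACK = 0x02, 0x10  # TCP flag bits

# Layout of the syslog alert line quoted in the original post.
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: [^\]]+\] \[Priority: \d+\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        d[key] = int(d[key])
    return d

def syn_with_typot_window(tcp_header):
    """True if the header is a SYN (ACK clear, an assumption) with window 55808."""
    if len(tcp_header) < 20:
        return False  # truncated header: nothing to decide on
    _, _, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp_header[:16])
    flags = off_flags & 0x3F
    return bool(flags & SYN) and not flags & ACK and window == TYPOT_WINDOW

def triage(alert, served_ports):
    """Direction facts: did an outside host connect to a port this host serves?"""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    inbound = dst.is_private and not src.is_private
    return {"inbound": inbound,
            "to_served_port": inbound and alert["dport"] in served_ports}

def build_header(flags, window):
    """Constructed 20-byte TCP header (ports from the post, seq/ack arbitrary)."""
    return struct.pack("!HHIIHHHH", 3135, 4662, 1000, 0, (5 << 12) | flags, window, 0, 0)

# Alert line as quoted in the original post, joined onto one line.
SAMPLE = ("May 28 21:19:29 localhost snort: [1:2182:3] BACKDOOR typot trojan traffic "
          "[Classification: A Network Trojan was detected] [Priority: 1]: "
          "{TCP} 62.61.133.250:3135 -> 192.168.0.2:4662")

if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["sid"], triage(alert, served_ports={4662}))
    print(syn_with_typot_window(build_header(SYN, TYPOT_WINDOW)))
```

The header test looks at no payload bytes, and the window value is chosen by the sender, so a true `to_served_port` result says the alert describes the remote client's packet; the payload check suggested in the reply is what tells the traffic apart.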


