Re: [Snort-sigs] new Q signature

From: Jon (
Date: 02/28/03

  • Next message: Ivan Hernandez: "Re: ids detect malicious encrypted data?"
    Date: Thu, 27 Feb 2003 23:08:01 -0500
    From: Jon <>

    Its been nearly a month now, and I'm only slightly closer to getting to the
    bottom of this.

    As previously mentioned, I've been using the following rule to track any
    machines that spew packets containg 'cko', which is associated with the Q

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
    traffic"; content:"cko"; depth:3; dsize:3;)

    I've compiled some information about this traffic in the hopes that it
    helps someone. Since my first email (beginning of Februrary), I've caught
    2042 packets coming into my network that tripped this signature.

    Common characteristics for all of these packets include:

    * all tcp
    * low ttl
    * ACK and PSH flags set
    * sequence # set
    * payload is "cko"

    In terms of most popular ports:

    Qty | Dst Port
    1184 80 (http)
    59 25 (smtp)
    11 993 (imaps)
    5 22 (ssh)

    Qty | Src Port
    629 80 (http)
    96 25 (smtp)
    33 443 (https)
    11 457 (scohelp via NCSA)

    In terms of most talkative hosts:

    Qty | IP | Comment(s)
    251 All from port 80 on an Apache webserver
    183 All from port 80 on an IIS (5.1) webserver
    88 All to port 80 on an Apache webserver
    84 All from port 80 on an IIS (5.0) webserver
    80 All to/from port 25 on a WorldMail mailserver

    Traffic leading up to the final 'cko' packets always seems very routine --
    your average web browse, mail traffic, etc. All source hosts that were not
    the server in the connection seem to be random dialup/dsl machines from
    around the globe.

    Any feedback or information about these (or other similar) "attacks" would
    be much appreciated, either publicly on this list or privately via email.

    Fyi and thanks,


    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href=""> </A>

    Relevant Pages

    • Re: [opensuse] SuseFirewall IPv4 vs IPv6
      ... # network security threats. ... # Opening ports for LAN services in the external zone defeats the ... # this setting only works for packets destined for the local machine. ... # If the protocol is icmp then port is interpreted as icmp type ...
    • Re: What is going on with my Dialup?
      ... also forward it to an unused port, and have that port provide the ... verses the RST or ICMP 3,3. ... The lack of response causes the remote computer to make ... Others think that by not responding to unwanted packets, ...
    • Re: OT .. Road Warrior communications question
      ... The data on the Internet is sent in little packets. ... The packets addressed to port 80 ... Likewise, at the mail server receiving the packets, it knows the return ... Why would e-mail work on the web but not from your e-mail software? ...
    • Re: Logs: Many hits with source port of 80
      ... The hits from source port 80 to dest port 37852 are IMHO almost ... you should probably see a couple other packets - perhaps ... packets if either you send the load balancer a packet, ... >>I have seen similar hits for the past three months. ...
    • Re: Error 720 connecting to server via VPN
      ... By default the router's firewall is configured to drop ICMP packets ... Select WAN Setup> Advanced> Respond to Ping on Internet Port. ... server and the Internet allow GRE packets. ... routers on the user's network are also configured to allow GRE packets. ...