Repost of query about 55808 trojan

From: Golden Faron P Contr HQ SSG/SWSN (
Date: 07/11/03

  • Next message: LiNERROR: "possible compromised host"
    Date: Fri, 11 Jul 2003 08:51:23 -0500
    To: <>

    Original post request:
            Sent: Wednesday, July 09, 2003 3:39 PM
    Subject: Code for 55808 Trojan

    Anyone have an actual copy of the "55808 trojan"?

    The reasons I ask are : From what I read at LURHQ and Intrusec as well
    as information from Lancope, there may have been (were?) at least two
    different pieces of code associated with the 55808 Odd Syn Packets.
    These packets are continuing and we have observed a slight, irregular
    increase in volume (about a month ago we were seeing 500-600 packets in
    a 10 minute period, three weeks ago 800-900 packets in a ten minute
    window, and currently 1000-1100 packets in a ten minute window). We are
    also now observing an increasing number of RST packets directed at our
    network space which shows that some of our network space is now being
    spoofed in packets directed at worldwide targets/victims. This data
    seems to suggest that the activity is not going away but is increasing
    and persistent.

    I am not asking to receive the code as I really do not have time to
    dedicate to analysis and that has obviously already been done by
    competent parties. What I am asking is if anyone has captured some
    source for one or both of these critters and are we developing any
    effective countermeasures?

    Thanks in advance,

    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out.

  • Next message: LiNERROR: "possible compromised host"