Repost of query about 55808 trojan

From: Golden Faron P Contr HQ SSG/SWSN (Faron.Golden_at_Gunter.AF.mil)
Date: 07/11/03

    Date: Fri, 11 Jul 2003 08:51:23 -0500
    To: <incidents@securityfocus.com>

    Original post request:
            Sent: Wednesday, July 09, 2003 3:39 PM
    To: incidents@securityfocus.com
    Subject: Code for 55808 Trojan

    Anyone have an actual copy of the "55808 trojan"?

    The reasons I ask are: From what I read at LURHQ and Intrusec as well
    as information from Lancope, there may have been (were?) at least two
    different pieces of code associated with the 55808 Odd Syn Packets.
    These packets are continuing and we have observed a slight, irregular
    increase in volume (about a month ago we were seeing 500-600 packets in
    a 10 minute period, three weeks ago 800-900 packets in a ten minute
    window, and currently 1000-1100 packets in a ten minute window). We are
    also now observing an increasing number of RST packets directed at our
    network space which shows that some of our network space is now being
    spoofed in packets directed at worldwide targets/victims. This data
    seems to suggest that the activity is not going away but is increasing
    and persistent.

    I am not asking to receive the code as I really do not have time to
    dedicate to analysis and that has obviously already been done by
    competent parties. What I am asking is if anyone has captured some
    source for one or both of these critters and are we developing any
    effective countermeasures?

    Thanks in advance,
    Faron
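As an added example, not part of Faron's post or of the LURHQ, Intrusec or Lancope analyses it refers to, the script below turns the two observations in the message into detection logic that runs over a packet log: it counts inbound pure SYNs carrying window size 55808 per ten-minute window, the same measurement the post reports week over week, and it flags inbound RST (or SYN/ACK) packets that answer no connection the monitored address space actually opened, which is the backscatter the post reads as evidence that its addresses are being spoofed in probes sent elsewhere. The log format, the monitored prefix 192.0.2.0/24, and every packet line are constructed for this example; nothing here depends on the trojan's code, only on the two signals on the wire.

```python
"""Detect the two signals described in the post over a constructed packet log.

Added example; the log format and addresses are assumptions, not real data.
"""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

ODD_WINDOW = 55808                                 # window size of the odd SYNs
OUR_SPACE = ipaddress.ip_network("192.0.2.0/24")   # assumed monitored prefix
BUCKET = timedelta(minutes=10)                     # the post counts per ten minutes

# Constructed sample log, one packet per line:
#   <ISO time> <src ip:port> <dst ip:port> <tcp flags> <window>
SAMPLE_LOG = """\
2003-07-09T15:00:01 10.20.30.40:1234 192.0.2.10:80 S 55808
2003-07-09T15:00:05 10.20.30.41:1235 192.0.2.11:80 S 55808
2003-07-09T15:04:00 198.51.100.7:80 192.0.2.20:2000 RA 0
2003-07-09T15:09:59 172.16.5.5:3000 192.0.2.12:80 S 16384
2003-07-09T15:12:00 10.20.30.42:1236 192.0.2.13:80 S 55808
2003-07-09T15:15:00 198.51.100.8:443 192.0.2.21:4000 RA 0
2003-07-09T15:16:00 192.0.2.30:5000 198.51.100.9:80 S 65535
2003-07-09T15:17:00 198.51.100.9:80 192.0.2.30:5000 SA 65535
"""


def parse_log(text):
    """Parse the constructed log format into a list of packet dicts."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags, win = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        pkts.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "flags": flags, "win": int(win),
        })
    return pkts


def bucket_start(ts):
    """Floor a timestamp to the start of its ten-minute bucket."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // BUCKET) * BUCKET


def odd_syn_counts(pkts):
    """Inbound pure SYNs with window 55808, counted per ten-minute bucket.

    Returns {bucket_start: count}; kept over weeks this is the trend series
    the post describes (500-600, then 800-900, then 1000-1100 per window).
    """
    counts = Counter()
    for p in pkts:
        if p["flags"] == "S" and p["win"] == ODD_WINDOW and p["dst"] in OUR_SPACE:
            counts[bucket_start(p["ts"])] += 1
    return dict(counts)


def backscatter(pkts):
    """Inbound RST or SYN/ACK packets that answer no SYN our space sent.

    A remote host replying to a connection we never opened is answering a
    packet that carried one of our addresses as a spoofed source; this is the
    RST symptom the post reports. Outbound SYNs are tracked as four-tuples so
    genuine replies (SYN/ACK or RST to a connection we opened) are not flagged.
    """
    opened = set()
    unsolicited = []
    for p in sorted(pkts, key=lambda q: q["ts"]):
        if p["flags"] == "S" and p["src"] in OUR_SPACE:
            opened.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif ("R" in p["flags"] or p["flags"] == "SA") and p["dst"] in OUR_SPACE:
            if (p["dst"], p["dport"], p["src"], p["sport"]) not in opened:
                unsolicited.append(p)
    return unsolicited


if __name__ == "__main__":
    packets = parse_log(SAMPLE_LOG)
    for start, n in sorted(odd_syn_counts(packets).items()):
        print(f"{start:%Y-%m-%d %H:%M}  odd-window SYNs: {n}")
    for p in backscatter(packets):
        print(f"{p['ts']:%H:%M:%S}  unsolicited {p['flags']} from "
              f"{p['src']}:{p['sport']} to {p['dst']}:{p['dport']}")
```

In practice the log would be fed from a sensor's flow or packet export rather than the embedded sample, and the per-bucket counts would be stored so the week-over-week comparison in the post can be made from data rather than memory. The backscatter check is only as good as the sensor's view of outbound SYNs: with asymmetric routing or a sensor that sees inbound traffic only, legitimate replies will be reported as unsolicited, so a rising count should be confirmed against the outbound side before it is read as spoofing.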

