is my linux box trojaned by Trinity ?
From: Lone Droid (lonedroid@yahoo.fr) Date: 05/29/02
- Next message: Dave Uhring: "Re: Slackware 8.1rc1 ISO"
- Previous message: Matthias Pfeifer: "Re: scanlogd reports scan from localhost?"
- Next in thread: ujay: "Re: is my linux box trojaned by Trinity ?"
- Reply: ujay: "Re: is my linux box trojaned by Trinity ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: lonedroid@yahoo.fr (Lone Droid) Date: 29 May 2002 13:13:29 -0700
hi all,
I just set up a new linux client on my local network
with some firewalling rules (using iptables)...
After two days, I've seen two different IPs being blocked
because they tried to access port 33270 (some Linux DoS tool
called Trinity?). Here's what my iptables rule logged:
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=217.147.232.18 DST=192.168.0.12 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=30835 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=16384 RES=0x00 ACK SYN URGP=0
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=217.147.232.18 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=30836 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=16384 RES=0x00 ACK URGP=0
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=217.147.232.18 DST=192.168.0.12 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=30837 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=16384 RES=0x00 ACK SYN URGP=0
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=217.147.232.18 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=30838 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=16384 RES=0x00 ACK URGP=0
and the other IP was SRC=64.38.247.60
My question is: is it "normal" that Trinity (the bad guy) sends me
"ACK SYN" and "ACK" packets (and not a single "SYN" packet)? (By
"normal" I mean that those two hosts are infected, but not me.)
Or are those packets an answer to a SYN request coming from my
computer?
(Sadly, I had my "worm blocking rules" set up only on the INPUT chain,
so I can't tell... but now I'll change them.)
Those packets came while I was surfing.
My guess is that while I am surfing with my Linux client some
compromised host sees that I have a Linux client and tries to see if
Trinity is installed on my comp, but the fact that I receive no "SYN"
packet is making me nervous (I wonder if Trinity could be on my comp?).
Any explanation is welcome,
lonedroid
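The flag combinations in the quoted records are the key to triaging them. A packet carrying ACK SYN is the second step of the TCP three-way handshake, which a host only sends in answer to a SYN it received; a bare ACK is a segment inside an already open connection. A genuine inbound connection attempt to a "trojan port" shows up as a bare SYN. Source port 80 paired with a destination port in the client's ephemeral range is what the reply half of an ordinary outbound web connection looks like, and a LOG rule that matches on the destination port alone will record exactly those replies. The script below, added here as an illustration and not part of the original post or any reply to it, parses iptables LOG-target records, classifies each by its flags and ports, and separates replies to the client's own connections from unsolicited SYNs. The first two sample records carry the same field values as the records in the post; the third record, the source address 198.51.100.7, and the ephemeral range 32768-61000 (the Linux 2.4 default ip_local_port_range) are constructed assumptions.

```python
"""Triage iptables LOG records: is a hit on a 'trojan port' rule an inbound
connection attempt, or just the far end answering a connection we opened?"""
import re
from dataclasses import dataclass

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumption: the client's ephemeral (source) port range. 32768-61000 is the
# Linux 2.4 default for net.ipv4.ip_local_port_range; check yours with
#   cat /proc/sys/net/ipv4/ip_local_port_range
EPHEMERAL_RANGE = (32768, 61000)

# Constructed sample input. The first two records carry the same field values
# as the records quoted in the post; the third is a constructed, genuinely
# unsolicited SYN (source 198.51.100.7 is a documentation address) for contrast.
SAMPLE_LOG = """\
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=217.147.232.18 DST=192.168.0.12 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=30835 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=16384 RES=0x00 ACK SYN URGP=0
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=217.147.232.18 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=30836 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=16384 RES=0x00 ACK URGP=0
IPT blocked TROJANED:IN=eth0 OUT= MAC=00:50:ba:da:e0:b4:00:08:c7:a9:06:f9:08:00 SRC=198.51.100.7 DST=192.168.0.12 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=4455 DPT=33270 WINDOW=5840 RES=0x00 SYN URGP=0
"""


@dataclass
class Packet:
    fields: dict   # KEY=value pairs (SRC, DST, PROTO, SPT, DPT, ...)
    flags: set     # bare TCP flag tokens (SYN, ACK, ...)


def parse_iptables_line(line: str) -> Packet:
    """Split one LOG-target record into KEY=value fields and bare flag tokens."""
    fields = {m.group(1): m.group(2) for m in re.finditer(r"\b([A-Z]+)=(\S*)", line)}
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return Packet(fields, flags)


def classify(pkt: Packet) -> str:
    """Map the TCP flag combination to what it means for the local host."""
    if pkt.fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = pkt.flags
    if "SYN" in f and "ACK" not in f:
        return "unsolicited-syn"        # remote side is opening a connection to us
    if "SYN" in f and "ACK" in f:
        return "handshake-reply"        # step 2 of a handshake: answers a SYN *we* sent
    if "RST" in f:
        return "reset"
    return "established-segment"        # data/ACK inside an already open connection


def triage(log_text: str) -> list:
    """Return (src, spt, dpt, verdict) per record, flagging only real inbound attempts."""
    results = []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        pkt = parse_iptables_line(line)
        kind = classify(pkt)
        spt, dpt = int(pkt.fields["SPT"]), int(pkt.fields["DPT"])
        service_to_ephemeral = spt < 1024 and EPHEMERAL_RANGE[0] <= dpt <= EPHEMERAL_RANGE[1]
        if kind == "unsolicited-syn":
            verdict = "INBOUND ATTEMPT: someone tried to open port %d" % dpt
        elif kind in ("handshake-reply", "established-segment") and service_to_ephemeral:
            verdict = "reply to our own outbound connection (service port %d -> ephemeral %d)" % (spt, dpt)
        else:
            verdict = "%s, review" % kind
        results.append((pkt.fields["SRC"], spt, dpt, verdict))
    return results


if __name__ == "__main__":
    for src, spt, dpt, verdict in triage(SAMPLE_LOG):
        print(f"{src}:{spt} -> :{dpt}  {verdict}")
```

Run against the sample, the two records modelled on the post come out as replies to the client's own web connection (port 80 answering a port in the ephemeral range), and only the constructed bare SYN is reported as an inbound attempt. The same distinction belongs in the ruleset itself: accepting traffic of established connections first (`iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, standard iptables state-match syntax) or restricting the LOG rule to connection-opening packets with `-p tcp --syn` keeps the "trojan port" rule from firing on the reply half of every outbound connection that happens to land on that port.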