See: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.svcs
socks        1080/tcp
socks        1080/udp
SubSeven2.2  1080/tcp  #[trojan] SubSeven 2.2
WinHole      1080/tcp  #[trojan] WinHole
WinHole      1080/tcp  #[trojan] WinHole

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

syslog/logcheck:
Mar 2 12:25:55 greatwall snort: [1:0:0] TCP to 1080 socks {TCP} 4.40.25.17:4688 -> 12.82.142.113:1080
Mar 2 12:25:58 greatwall snort: [1:0:0] TCP to 1080 socks {TCP} 4.40.25.17:4688 -> 12.82.142.113:1080

ipchains:
Mar 2 12:25:55 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 4.40.25.17:4688 12.82.142.113:1080 L=48 S=0x00 I=5049 F=0x4000 T=115 SYN (#64)
Mar 2 12:25:58 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 4.40.25.17:4688 12.82.142.113:1080 L=48 S=0x00 I=5330 F=0x4000 T=115 SYN (#64)

p0f:
Sat Mar 2 12:25:55 2002 4.40.25.17 [14 hops]: Windows 2000 (9) + 4.40.25.17:4688 -> 12.82.142.113:1080
Sat Mar 2 12:25:58 2002 4.40.25.17 [14 hops]: Windows 2000 (9) + 4.40.25.17:4688 -> 12.82.142.113:1080

full snort packet capture:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-12:25:55.390627 4.40.25.17:4688 -> 12.82.142.113:1080
TCP TTL:115 TOS:0x0 ID:5049 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD0447D21 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/02-12:25:58.510958 4.40.25.17:4688 -> 12.82.142.113:1080
TCP TTL:115 TOS:0x0 ID:5330 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD0447D21 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Request: 4.40.25.17
connecting to whois.arin.net [192.149.252.34:43] ...

GENUITY (NET-GNTY-4-0)
   3 Van de Graaff Dr.
   Burlington, MA 01803
   US

   Netname: GNTY-4-0
   Netblock: 4.0.0.0 - 4.255.255.255
   Maintainer: GNTY

   Coordinator:
      Soulia, Cindy (CS15-ARIN) csoulia@genuity.net
      800-632-7638

   Domain System inverse mapping provided by:

   NIC.NEAR.NET                   192.52.71.4
   VIENNA1-DNS-AUTH1.BBNPLANET.COM 4.1.16.4
   NIC3.BARRNET.NET               131.119.245.6

host:
[toot@sparky /storage/snort/old_snorts/030202]# host 4.40.25.17
17.25.40.4.in-addr.arpa. domain name pointer lsanca1-ar6-025-017.lsanca1.dsl.gtei.net.

http to 4.40.25.17:
"Could not connect to remote server"