Firewall Wizards mailing list archives

sinister packets ???


From: "Irwin R. Naumann" <irwin () Thinkage on ca>
Date: Mon, 29 Nov 1999 13:39:02 -0500 (EST)

I noticed anomalies in traffic destined for our web site. I've
culled the traffic directed to/from port 80 and this is what 
remains.

The destination port to our web host is either < 1023 
or > 18000. The packets with multiple flags set contain 
what appears to be ASCII data. I have interpreted the ASCII data
but it appears innocuous. Are these packets more sinister than
they appear?

The following is tcpdump output with ASCII interpretation.

Thanks,
   
   Irwin

99_11_25__16_48_50.gz
16:51:42.519321 194.222.69.5.3540 > 209.47.237.52.457: P ack 3433157986 win 8736 (DF)
16:51:49.213944 194.222.69.5.30974 > 209.47.237.52.28: SRP 2029912092:2029912092(0) ack 2029912092 win 28 urg 28 
<opt-120:001c78fe001c4141454d2b7179530d0a434c4b784361434d66765954426961754b435962466a4e360000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de4505000600000000006000060000
   c     P                                                 P   @                           P     -   P P                
   P ` | -   P P   P           `   P   P       P                   P     -   P P               `   P     -   P P   `    
           `  
0000000000002010000c7d1831363a35313a33382e353632383331203139342e3232322e36392e352e32313533203e203230392e34372e323337> 
(DF)
                     }   1 6 : 5 1 : 3 8 . 5 6 2 8 3 1   1 9 4 . 2 2 2 . 6 9 . 5 . 2 1 5 3   >   2 0 9 . 4 7 . 2 3 7> ( 
 )
16:51:49.958261 194.222.69.5.30969 > 209.47.237.52.49180: FP 2029633564:2029633564(0) ack 2029633564 win 49180 urg 49180
<opt-120:c01c78f9c01c4479724a4136686c756546594b495835514c42770d0a6170534d4677674d687a42470000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de45050006000000000060
   # # "   c     P                                                 P   @                           P     -   P P        
           P ` | -   P P   P           `   P   P       P                   P     -   P P               `   P     -   P 
P   `          
000600000000000000002010000c7d1831363a35313a33382e353632383331203139342e3232322e36392e352e32313533203e203230392e34> (DF)
                             }   1 6 : 5 1 : 3 8 . 5 6 2 8 3 1   1 9 4 . 2 2 2 . 6 9 . 5 . 2 1 5 3   >   2 0 9 . 4> (  )
16:51:50.707109 194.222.69.5.0 > 209.47.237.52.0: . 0:20(20) win 0 (DF)
16:53:48.126202 194.222.69.5.30971 > 209.47.237.52.32796: SFP 2029748252:2029748252(0) ack 2029748252 win 32796 urg 32796
<opt-120:801c78fb801c4844517953394569715457435443543467794e505a6d6732647341414141454d57310000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de4505000600000000006
 . 2 2 2 . 6 9 . 5                     x           (                                                         E          
                     E                                 5                             E                 &             E  
              
0000600000000000000002010000c7d1830303031633030313530323030633264653435303530303230303030303030303030303236303031353030>
 (DF)
     `                                     3       S   #     3 & F S C S   S     #                       # c       S  > 
(  )
16:53:52.039725 194.222.69.5.30972 > 209.47.237.52.32804: RP 2029813796:2029813801(5) ack 2029813796 win 32804 urg 32804
<opt-120:802478fc802478fc80247831574b59557741414145480d0a6b3141486f457a4545416867687a58410000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de45050006000000000060
   # # "   c     P                                                 P   @                           P     -   P P        
           P ` | -   P P   P           `   P   P       P                   P     -   P P               `   P     -   P 
P   `          
000600000000000000002010000c7d183030303163303031353032303063326465343530353030323030303030303030303030323630303135303030>
 (DF)
                             }   0 0 0 1 c 0 0 1 5 0 2 0 0 c 2 d e 4 5 0 5 0 0 2 0 0 0 0 0 0 0 0 0 0 0 2 6 0 0 1 5 0 0 
0> (  )
16:54:38.460385 194.222.69.5.21581 > 209.47.237.52.19518: FRP 1414351934:1414351934(0) win 19518 (DF)
16:55:05.607559 194.222.69.5.2371 > 209.47.237.52.18442: SF 155404298:155404318(20) win 18442 (DF)
17:06:48.003835 194.222.69.5.30967 > 209.47.237.52.49440: SFR 2029502752:2029503010(258) ack 2029502752 win 49440 urg 49440
<opt-120:c12078f7c12078f7c12078f7c12078f7c12078f7c12078f7c12078f7c12078f7c12078f7c12078f70000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de45050006000000000
 4 . 2 2 2 . 6 9 . 5                     x           (                                                         E        
                       E                                 5                             E                 &             
E              
060000600000000000000002010000c7d1835363a31362e353432373537203139342e3232322e36392e352e32313632203e203230392e3437> (DF)
       `                             S c     b   S C # s S r       B   # # "   c     R   #   c "       #       C> ( })
17:07:57.365205 194.222.69.5.30973 > 209.47.237.52.49192: FRP 2029895720:2029895730(10) ack 2029895720 win 49192 urg 49192
<opt-120:c02878fdc02878fdc02878fdc02878fdd4464e5c36ce3163d5f8b501136164f8fd8fbb940a7ccb280000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de450500060000000000
 B   # # "   c     P                                                 P   @                           P     -   P P      
             P ` | -   P P   P           `   P   P       P                   P     -   P P               `   P     -   
P P   `        
60000600000000000000002010000c7d1835322e333530353433203230392e34372e3233372e35322e3830203e203139342e3232322e36392e352e323136>
 (DF)
 `                             }   5 2 . 3 5 0 5 4 3   2 0 9 . 4 7 . 2 3 7 . 5 2 . 8 0   >   1 9 4 . 2 2 2 . 6 9 . 5 . 
2 1 6> (  )
99_11_26__16_16_27.gz
17:34:11.456251 194.222.69.5.30971 > 209.47.237.52.32796: SFP 2029748252:2029748252(0) ack 2029748252 win 32796 urg 32796
<opt-120:801c78fb801c14001489800000669e0bf122a3eb40ff1f9c6f952f66b507f8fd1a6abc0cf1a2ac3d0000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de4505000600000000006
 . 2 2 2 . 6 9 . 5                     x           (                                                         E          
                     E                                 5                             E                 &             E  
              
0000600000000000000002010000c7d1831373a33343a31312e343536323531203139342e3232322e36392e352e3330393731203e203230392e3437>
 (DF)
     `                               s   3 C         C S c # S         B   # # "   c     R   3     s         #       C> 
( })
17:35:05.502703 194.222.69.5.30970 > 209.47.237.52.49180: SP 2029699100:2029699100(0) ack 2029699100 win 49180 urg 49180
<opt-120:c01c78fac01c1100155c7000008eeb6fae6a1df95598a13cc5a81e593d8a47b7549af12dd559e5670000000000000000002000000000686f7374203139342e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e00150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de45050006000000000060
   # # "   c     P                                                 P   @                           P     -   P P        
           P ` | -   P P   P           `   P   P       P                   P     -   P P               `   P     -   P 
P   `          
000600000000000000002010000c7d1831373a33343a31312e343536323531203139342e3232322e36392e352e3330393731203e203230392e34> 
(DF)
                             }   1 7 : 3 4 : 1 1 . 4 5 6 2 5 1   1 9 4 . 2 2 2 . 6 9 . 5 . 3 0 9 7 1   >   2 0 9 . 4> ( 
 )
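
A way to triage summary lines like the ones above mechanically, as an added example that is not part of the original post and is not a tcpdump tool: the script parses the old tcpdump summary format shown in the dump (ts src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W [urg U] [<opt-K:hex>], an assumption of this example), flags TCP flag combinations and field values that no ordinary stack emits, and decodes the hex tcpdump printed behind the unknown option kind into printable strings. The sample is constructed from a handful of summary lines copied from the post; the option hex of the second line is truncated to the part that carries readable text and the other option blobs are left out. Names such as `triage`, `findings`, `printable_runs` and `LINE_RE` belong to this example only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Old tcpdump summary format as printed in the post (assumption of this example):
#   ts src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W [urg U] [<opt-K:hex>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: urg (?P<urg>\d+))?"
    r"(?: <opt-(?P<optkind>\d+):(?P<opthex>[0-9a-f]+)>)?"
)
# Option kinds a 1999-era stack legitimately sends: EOL, NOP, MSS, WSCALE, SACK-permitted, SACK, timestamps
KNOWN_OPTIONS = {0, 1, 2, 3, 4, 5, 8}
PRINTABLE = set(range(0x20, 0x7F))

# Constructed sample: summary lines copied from the post; the option hex of the
# second line is truncated, the option blobs of the other lines are omitted.
SAMPLE = """\
16:51:42.519321 194.222.69.5.3540 > 209.47.237.52.457: P ack 3433157986 win 8736 (DF)
16:51:49.213944 194.222.69.5.30974 > 209.47.237.52.28: SRP 2029912092:2029912092(0) ack 2029912092 win 28 urg 28 <opt-120:001c78fe001c4141454d2b7179530d0a434c4b784361434d66765954426961754b435962466a4e360000000000000000002000000000686f7374203139342e3232322e36392e35000000> (DF)
16:51:49.958261 194.222.69.5.30969 > 209.47.237.52.49180: FP 2029633564:2029633564(0) ack 2029633564 win 49180 urg 49180 (DF)
16:51:50.707109 194.222.69.5.0 > 209.47.237.52.0: . 0:20(20) win 0 (DF)
16:53:48.126202 194.222.69.5.30971 > 209.47.237.52.32796: SFP 2029748252:2029748252(0) ack 2029748252 win 32796 urg 32796 (DF)
16:54:38.460385 194.222.69.5.21581 > 209.47.237.52.19518: FRP 1414351934:1414351934(0) win 19518 (DF)
16:55:05.607559 194.222.69.5.2371 > 209.47.237.52.18442: SF 155404298:155404318(20) win 18442 (DF)
17:06:48.003835 194.222.69.5.30967 > 209.47.237.52.49440: SFR 2029502752:2029503010(258) ack 2029502752 win 49440 urg 49440 (DF)
"""


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    length: int
    win: int
    urg: Optional[int]
    optkind: Optional[int]
    optdata: bytes


def _num(g: dict, key: str) -> Optional[int]:
    return int(g[key]) if g[key] is not None else None


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; returns None for lines that are not TCP summaries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    h = g["opthex"] or ""
    if len(h) % 2:  # the post's dumps are cut mid-byte in places; drop the dangling nibble
        h = h[:-1]
    return Packet(g["ts"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["flags"],
                  _num(g, "seq"), _num(g, "ack"), _num(g, "len") or 0, int(g["win"]),
                  _num(g, "urg"), _num(g, "optkind"), bytes.fromhex(h))


def findings(p: Packet) -> List[str]:
    """Flag combinations a real stack never sends, plus header fields that mirror each other."""
    f = set(p.flags) - {"."}
    out = []
    if {"S", "F"} <= f:
        out.append("SYN+FIN")
    if {"S", "R"} <= f:
        out.append("SYN+RST")
    if not f and p.ack is None:
        out.append("null (no flags, no ACK)")
    if "S" not in f and f & {"F", "P"} and p.ack is None:
        out.append("FIN/PSH without ACK")  # every non-SYN segment of a real connection carries ACK
    if p.sport == 0 or p.dport == 0:
        out.append("port 0")
    mirrored = []
    if p.dport and p.dport == p.win:  # hand-built packets often reuse one value for several fields
        mirrored.append("dport=win=urg" if p.urg == p.win else "dport=win")
    if p.seq is not None and p.seq == p.ack:
        mirrored.append("seq=ack")
    if mirrored:
        out.append("mirrored fields: " + ", ".join(mirrored))
    if p.optkind is not None and p.optkind not in KNOWN_OPTIONS:
        out.append(f"unknown option kind {p.optkind} ({len(p.optdata)} bytes shown)")
    return out


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style extraction of printable ASCII runs from the option bytes."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # sentinel flushes the final run
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def triage(text: str) -> List[dict]:
    report = []
    for line in text.splitlines():
        p = parse_line(line)
        if p is not None:
            report.append({"ts": p.ts, "dport": p.dport, "flags": p.flags,
                           "findings": findings(p), "strings": printable_runs(p.optdata)})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["ts"], row["flags"], "->", row["dport"], "|",
              "; ".join(row["findings"]) or "-", "|", row["strings"])
```

Run over the sample, the 16:51:49.213944 line comes back with SYN and RST set together, sequence number equal to acknowledgement number, destination port, window and urgent pointer all 28, and an unknown option kind 120 whose bytes decode to AAEM+qyS, CLKxCaCMfvYTBiauKCYbFjN6 and host 194.222.69.5; the other lines show SYN with FIN, FIN without ACK, or (16:51:50) no flags at all with port 0 at both ends, and nearly all of them repeat the destination port in the window field. The poster's own ASCII rendering of the longer dumps also shows text of the form 16:51:38.562831 194.222.69.5.2153 > 209.47.237 inside the option bytes, which is the shape of an earlier tcpdump summary line. Before reading meaning into those bytes, confirm with a second capture (another tool, or a larger snaplen) that they are really on the wire: an option length that is far larger than the segment can make a decoder print well past the end of the packet it received.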