Security Incidents mailing list archives
Possible stacheldraht variant/probe
From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Wed, 9 Feb 2000 16:45:09 -0800
Earlier today I observed some traffic which appears to be obviously related to stacheldraht (as described by Dave Dittrich), but which has several additional features which I haven't seen mentioned elsewhere.

The traffic consists of three types of packets, presented here in order of receipt:

- An ICMP_ECHO_REPLY containing the ASCII string `gesundheit!'
- An ICMP_ECHO_REPLY with an IP ID one greater than the `gesundheit!' packet and lacking the `gesundheit' string (the packet is 12 bytes shorter)
- A UDP packet with an IP ID one greater than the second ICMP packet and an 11 byte long data segment

This pattern is repeated many times. The source address remains constant. The destination addresses cover a 24-bit network. Interestingly, the scanner appears to treat 24-bit networks as if they consist of two 25-bit networks: the first three packets are directed at x.y.z.127; the scanner then walks through the first half of the class C, only hitting hosts that actually exist[0]; it then hits every address between x.y.z.127 (including .127 itself, again) and x.y.z.255, in sequence. The scanner is not coy: the entire exercise lasts less than ten seconds.

This does not appear to be a vanilla stacheldraht scan as reported by Mr Dittrich, nor does it appear to be one of the tools designed to look for stacheldraht installs (e.g., gag). Is this a known (to everyone but me) variant of stacheldraht, or is this new behaviour?

-Steve

-----
[0] This is of course an interesting fact. Also interesting is that it doesn't send to any unused IP addresses, but it does miss a couple of IPs which are in use. The target selection doesn't appear to be DNS-related: all of the addresses in the class C resolve---most to boring hostnames in the form a-b-c-d.foo.bar. Some of the addresses hit have more interesting names (www.foo.bar), but not all of the addresses hit have `interesting' names, and not all of the `interesting' names were hit.
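The three-packet signature described in the post (an ICMP echo reply carrying `gesundheit!`, a second echo reply with IP ID one higher and 12 bytes shorter, then a UDP packet with IP ID one higher again and an 11-byte payload) is specific enough to match in a packet log. The following detector is an added example, not code from the original post or from any stacheldraht-related tool; the `Packet` record, its field names, and the sample packets (addresses from documentation ranges) are constructed here for illustration.

```python
# Added example: detect the stacheldraht-like probe triplet described in the post.
# The Packet record and all sample values below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP = 1            # IP protocol numbers
UDP = 17
ICMP_ECHO_REPLY = 0  # ICMP type for echo reply

@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int                    # 16-bit IP identification field
    proto: int                    # 1 = ICMP, 17 = UDP
    icmp_type: Optional[int]      # None for non-ICMP packets
    payload: bytes                # ICMP data / UDP data
    length: int                   # total IP length in bytes

def is_gesundheit_reply(p: Packet) -> bool:
    """First packet of the probe: an echo reply carrying the ASCII marker."""
    return (p.proto == ICMP and p.icmp_type == ICMP_ECHO_REPLY
            and b"gesundheit!" in p.payload)

def match_triplet(a: Packet, b: Packet, c: Packet) -> bool:
    """True if a, b, c (in arrival order) form the three-packet probe."""
    if not is_gesundheit_reply(a):
        return False
    # Second packet: echo reply, IP ID one greater (mod 2^16), marker absent,
    # 12 bytes shorter than the first.
    if not (b.proto == ICMP and b.icmp_type == ICMP_ECHO_REPLY
            and b.ip_id == (a.ip_id + 1) & 0xFFFF
            and b"gesundheit" not in b.payload
            and a.length - b.length == 12):
        return False
    # Third packet: UDP, IP ID one greater again, 11-byte data segment.
    if not (c.proto == UDP and c.ip_id == (b.ip_id + 1) & 0xFFFF
            and len(c.payload) == 11):
        return False
    # The post reports a single constant source for the whole scan.
    return a.src == b.src == c.src

def find_probes(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Slide a 3-packet window over the log; return (src, dst) per matched probe."""
    hits = []
    for i in range(len(packets) - 2):
        a, b, c = packets[i], packets[i + 1], packets[i + 2]
        if match_triplet(a, b, c):
            hits.append((a.src, a.dst))
    return hits

def summarize(packets: List[Packet]) -> dict:
    """Count probes and list the distinct sources and the target order."""
    hits = find_probes(packets)
    return {
        "triplets": len(hits),
        "sources": sorted({s for s, _ in hits}),
        "targets": [d for _, d in hits],
    }

# Constructed sample log: two probe triplets from one source (lengths chosen so
# the second echo reply is 12 bytes shorter: 20 IP + 8 ICMP + 12 = 40 vs 28),
# followed by an ordinary echo reply that must not match.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.127", 100, ICMP, ICMP_ECHO_REPLY, b"gesundheit!\x00", 40),
    Packet("203.0.113.5", "192.0.2.127", 101, ICMP, ICMP_ECHO_REPLY, b"", 28),
    Packet("203.0.113.5", "192.0.2.127", 102, UDP, None, b"\x00" * 11, 39),
    Packet("203.0.113.5", "192.0.2.1",   103, ICMP, ICMP_ECHO_REPLY, b"gesundheit!\x00", 40),
    Packet("203.0.113.5", "192.0.2.1",   104, ICMP, ICMP_ECHO_REPLY, b"", 28),
    Packet("203.0.113.5", "192.0.2.1",   105, UDP, None, b"\x00" * 11, 39),
    Packet("198.51.100.9", "192.0.2.7",  500, ICMP, ICMP_ECHO_REPLY, b"abcdefgh", 36),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Matching on the IP ID relationship and the length delta, rather than on the marker string alone, keeps a stray echo reply containing the word from firing the alert; the `& 0xFFFF` handles the 16-bit ID wrapping at the end of a long scan.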