Security Incidents mailing list archives

Possible stacheldraht variant/probe


From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Wed, 9 Feb 2000 16:45:09 -0800



Earlier today I observed some traffic which appears to be obviously
related to stacheldraht (as described by Dave Dittrich), but
which has several additional features which I haven't seen mentioned
elsewhere.

The traffic consists of three types of packets, presented here in order
of receipt:

        -An ICMP_ECHO_REPLY containing the ASCII string `gesundheit!'
        -An ICMP_ECHO_REPLY with an IP ID one greater than
         the `gesundheit!' packet and lacking the `gesundheit'
         string (the packet is 12 bytes shorter)
        -A UDP packet with an IP ID one greater than the second ICMP
         packet and an 11 byte long data segment

This pattern is repeated many times.  The source address remains constant.
The destination addresses cover a 24-bit network.  Interestingly,
the scanner appears to treat 24-bit networks as if they consist of
two 25-bit networks:  The first three packets are directed at x.y.z.127;
the scanner then walks through the first half of the class C, only
hitting hosts that actually exist[0]; it then hits every address between
x.y.z.127 (including .127 itself, again) and x.y.z.255, in sequence.

The scanner is not coy:  the entire exercise lasts less than ten seconds.

This does not appear to be a vanilla stacheldraht scan as reported
by Mr Dittrich, nor does it appear to be one of the tools designed
to look for stacheldraht installs (e.g., gag).

Is this a known (to everyone but me) variant of stacheldraht, or is
this new behaviour?

-Steve

-----
0     This is of course an interesting fact.  Also interesting is that
      it doesn't send to any unused IP addresses, but it does miss
      a couple IPs which are in use.
      The target selection doesn't appear to be DNS-related:  all of
      the addresses in the class C resolve---most to boring hostnames
      in the form a-b-c-d.foo.bar.  Some of the addresses hit have
      more interesting names (www.foo.bar), but not all of the addresses
      hit have `interesting' names, and not all of the `interesting'
      names were hit.

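A small detector for the three-packet pattern described above, added here as an illustration and not part of the original post. It assumes packets have already been decoded into simple records (the `Pkt` field names are hypothetical) and uses constructed sample traffic with documentation-range addresses; the 12-byte difference is modelled as the marker plus a trailing NUL, which is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
MARKER = b"gesundheit!"

@dataclass
class Pkt:                      # minimal decoded-packet record (hypothetical)
    src: str
    dst: str
    ip_id: int
    proto: str                  # "icmp" or "udp"
    icmp_type: Optional[int]    # 0 == ICMP_ECHO_REPLY; None for UDP
    payload: bytes

def is_echo_reply(p: Pkt) -> bool:
    return p.proto == "icmp" and p.icmp_type == 0

def match_triplet(a: Pkt, b: Pkt, c: Pkt) -> bool:
    # Sequence from the post: marker echo reply, then an echo reply with
    # IP ID + 1 that lacks the marker and is 12 bytes shorter, then a UDP
    # packet with IP ID + 1 carrying exactly 11 bytes of data.
    if not (a.src == b.src == c.src and a.dst == b.dst == c.dst):
        return False
    if not (is_echo_reply(a) and MARKER in a.payload):
        return False
    if not (is_echo_reply(b) and b.ip_id == a.ip_id + 1
            and MARKER not in b.payload
            and len(b.payload) == len(a.payload) - 12):
        return False
    return c.proto == "udp" and c.ip_id == b.ip_id + 1 and len(c.payload) == 11

def find_probes(pkts: List[Pkt]) -> List[Tuple[str, str, int]]:
    # Slide over packets in receipt order; report (src, dst, first IP ID).
    hits = []
    for i in range(len(pkts) - 2):
        if match_triplet(pkts[i], pkts[i + 1], pkts[i + 2]):
            hits.append((pkts[i].src, pkts[i].dst, pkts[i].ip_id))
    return hits

# Constructed sample traffic: two probe triplets around an ordinary echo reply.
S = "198.51.100.9"
SAMPLE = [
    Pkt(S, "192.0.2.127", 1000, "icmp", 0, MARKER + b"\x00" + b"A" * 20),
    Pkt(S, "192.0.2.127", 1001, "icmp", 0, b"A" * 20),
    Pkt(S, "192.0.2.127", 1002, "udp", None, b"B" * 11),
    Pkt("203.0.113.5", "192.0.2.10", 77, "icmp", 0, b"ordinary ping reply"),
    Pkt(S, "192.0.2.1", 1003, "icmp", 0, MARKER + b"\x00" + b"A" * 20),
    Pkt(S, "192.0.2.1", 1004, "icmp", 0, b"A" * 20),
    Pkt(S, "192.0.2.1", 1005, "udp", None, b"B" * 11),
]
```

Feeding `find_probes` a whole capture lets you recover the destination list and confirm the half-class-C ordering the post describes, rather than matching on the marker string alone.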