Security Incidents mailing list archives
Port Scanning (perhaps related to "A very strange port scan")
From: warren () BELFER ORG (Warren Belfer)
Date: Tue, 15 Feb 2000 18:28:26 -0800
Hi,

A friend of mine gave me some logs he has collected, to see if I could shed any light on them - as it turns out, it seems that I need the help of this group.

For some time now, his site has been receiving a bunch of really odd packets. They come in groups of about 10, over the course of a few minutes. A few minutes later another similar group of about 10 packets shows up with a different IP source address but the same group of source ports. The destination ports seem almost random most of the time (although the sample below is less random than most). The port list provided by Russel Fulton in the thread "A very strange port scan" bears a remarkable resemblance to what this guy more typically sees.

The flags are most interesting, as many of the combinations don't seem to be legal; it looks a lot like a FIN scan, but I cannot imagine why this is going on for weeks. The packets are all being silently dropped on the floor by the firewall, so the sender shouldn't be getting any feedback that would encourage them to continue.

Over the last weekend, this was repeated with over three hundred different host IP addresses, almost half of them from the same domain. On the other hand, I'm guessing the addresses are probably spoofed (or lots and lots of compromised systems are probing this guy's site).

Most of the packets are empty, but many have option 120 (unknown) set and lots of data, even though the length shows as short - excerpt below.

Anybody got any ideas?

Warren

Packets from firewall log (ipfilter):

Feb 15 07:51:06 server1.evil.com,30975 -> fw.target.com,49180 PR tcp len 20 48 -ARSFUP
Feb 15 07:51:12 server1.evil.com,29545 -> fw.target.com,29797 PR tcp len 20 430 -FUP
Feb 15 07:52:17 server1.evil.com,30973 -> fw.target.com,49180 PR tcp len 20 48 -ARFUP
Feb 15 07:52:18 server1.evil.com,30975 -> fw.target.com,49172 PR tcp len 20 40 -ARSFUP
Feb 15 07:52:20 server1.evil.com,30969 -> fw.target.com,32800 PR tcp len 20 52 -AFUP
Feb 15 07:52:22 server1.evil.com,30973 -> fw.target.com,49172 PR tcp len 20 40 -ARFUP
Feb 15 07:52:50 server1.evil.com,30974 -> fw.target.com,49172 PR tcp len 20 40 -ARSUP
Feb 15 07:53:00 server1.evil.com,30972 -> fw.target.com,49172 PR tcp len 20 40 -ARUP
Feb 15 07:53:04 server1.evil.com,30972 -> fw.target.com,32788 PR tcp len 20 40 -ARUP
Feb 15 07:53:11 server1.evil.com,30973 -> fw.target.com,49172 PR tcp len 20 40 -ARFUP
Feb 15 07:53:20 server1.evil.com,30969 -> fw.target.com,32788 PR tcp len 20 40 -AFUP
Feb 15 07:54:13 server1.evil.com,30973 -> fw.target.com,49180 PR tcp len 20 48 -ARFUP
Feb 15 07:54:17 server1.evil.com,30969 -> fw.target.com,32788 PR tcp len 20 470 -AFUP

Body of the packet includes (everything after the header):

TCP: - Option 120 (unknown - 250 bytes)
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC801478FC
801478FC801478FC801478FC801478FC801478FC801478FC8014
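As an added example, not part of the original post: a small Python parser for the ipfilter log format quoted above that flags TCP flag combinations no legitimate session produces (SYN with FIN or RST, RST carrying FIN/URG/PSH, null flags, FIN/PSH/URG without ACK) and groups the hits by source host and source port, so the "different source address, same group of source ports" pattern can be checked across a larger log. The sample lines are constructed in the post's format; the host names other than those in the excerpt and the flag rules are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the ipfilter log format quoted in the post above.
SAMPLE_LOG = """\
Feb 15 07:51:06 server1.evil.com,30975 -> fw.target.com,49180 PR tcp len 20 48 -ARSFUP
Feb 15 07:51:12 server1.evil.com,29545 -> fw.target.com,29797 PR tcp len 20 430 -FUP
Feb 15 07:52:20 server1.evil.com,30969 -> fw.target.com,32800 PR tcp len 20 52 -AFUP
Feb 15 07:53:00 server1.evil.com,30972 -> fw.target.com,49172 PR tcp len 20 40 -ARUP
Feb 15 08:10:01 other.example.net,30975 -> fw.target.com,49180 PR tcp len 20 40 -ARSFUP
Feb 15 08:30:00 client.example.org,40123 -> fw.target.com,80 PR tcp len 20 40 -S
"""

# ts  src,sport -> dst,dport PR proto len <ip hdr len> <total len> -<flags>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>[\w.-]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\w.-]+),(?P<dport>\d+) PR (?P<proto>\w+) len (?P<hlen>\d+) "
    r"(?P<tlen>\d+) -(?P<flags>[ARSFUP]*)$"
)

def parse_line(line):
    """Parse one ipfilter log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "hlen", "tlen"):
        rec[k] = int(rec[k])
    rec["flags"] = set(rec["flags"])  # letters: A R S F U P
    return rec

def flag_anomalies(flags):
    """Reasons a TCP flag set cannot occur in a normal session (RFC 793 semantics)."""
    reasons = []
    if "S" in flags and "F" in flags:
        reasons.append("SYN+FIN")
    if "S" in flags and "R" in flags:
        reasons.append("SYN+RST")
    if "R" in flags and flags & {"F", "U", "P"}:
        reasons.append("RST with FIN/URG/PSH")
    if not flags:
        reasons.append("null (no flags)")
    if flags and not flags & {"A", "S", "R"}:
        reasons.append("FIN/URG/PSH without ACK")  # FIN / Xmas style probes
    return reasons

def analyze(log_text):
    """Group anomalous TCP packets by source host: source ports used and the hits."""
    by_host = defaultdict(lambda: {"ports": set(), "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        why = flag_anomalies(rec["flags"])
        if why:
            by_host[rec["src"]]["ports"].add(rec["sport"])
            by_host[rec["src"]]["hits"].append((rec["ts"], rec["dport"], why))
    return dict(by_host)

def shared_source_ports(report):
    """Source ports reused by more than one host: a hint of one sender behind spoofed addresses."""
    owners = defaultdict(set)
    for host, entry in report.items():
        for port in entry["ports"]:
            owners[port].add(host)
    return {p: hosts for p, hosts in owners.items() if len(hosts) > 1}
```

Feed the firewall's full log text to `analyze()` and then `shared_source_ports()`; a large set of hosts sharing an identical source-port set supports the spoofing hypothesis rather than many independent compromised hosts.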