Security Incidents mailing list archives
Strange DNS/TCP activity
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Wed, 26 Jan 2000 22:10:56 +0100
Our nameservers have been the subject of suspicious probes (?) aimed at TCP port 53 recently. Here is a genuine tcpdump transcript of one of the probes (line-wrapped for better readability):

19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain: S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887) (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain: S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386) (payload of 64 zeros)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain: S 338360493:338360557(64) win 2048 (ttl 239, id 18215) (payload of 64 zeros)

[ 209.67.42.160 opens three connections, sending 64 zero bytes in the SYN datagram?! ]

19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900: S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536> (ttl 63, id 15013)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2901: S 386430030:386430030(0) ack 1535086519 win 32736 <mss 536> (ttl 63, id 15014)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2902: S 3536506566:3536506566(0) ack 338360494 win 32736 <mss 536> (ttl 63, id 15015)

[ the nameserver accepts these connections ]

19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1535086519:1535086519(0) win 0 (ttl 48, id 1614)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 338360494:338360494(0) win 0 (ttl 48, id 1616)

[ 209.67.42.160 resets all connections ]

19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 40424)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 4625)

[ ...and it resets them again?! ]

The client's IP address is changing. Today, I caught 200.211.187.195, 209.67.42.183, 209.67.42.150, 209.67.42.160, and 200.211.187.194. As far as I can tell, port numbers are always "round" numbers: 100x+0, 100x+1, and 100x+2. ISNs look random.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
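The three oddities in the transcript above (initial SYNs that carry data, three SYNs from one source on ports 100x+0..100x+2 in the same instant, and one source address showing up with two different TTLs in one exchange) can be checked for mechanically in any similar capture. The Python below is an added example, not part of the original post or of any tool discussed in the thread: it parses tcpdump lines in the format quoted above and reports those three features. The embedded sample is constructed from the post's own packet lines with the bracketed commentary removed; the SERVICE_PORTS table, the burst size of 3 and the "round" base of 100 are the example's own assumptions.

```python
"""Heuristics for the TCP/53 probe pattern: SYNs with payload, bursts of
consecutive "round" source ports, and mixed TTLs from one source address.
Parses classic tcpdump text output (the format quoted in the post)."""
import re
from collections import defaultdict

# Constructed sample: the packet lines quoted in the post, commentary removed.
SAMPLE = """\
19:50:23.087805 209.67.42.160.2900 > our.nameserver.domain: S 1514380992:1514381056(64) win 2048 (ttl 239, id 24887)
19:50:23.087805 209.67.42.160.2901 > our.nameserver.domain: S 1535086518:1535086582(64) win 2048 (ttl 239, id 34386)
19:50:23.087805 209.67.42.160.2902 > our.nameserver.domain: S 338360493:338360557(64) win 2048 (ttl 239, id 18215)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2900: S 4257621082:4257621082(0) ack 1514380993 win 32736 <mss 536> (ttl 63, id 15013)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2901: S 386430030:386430030(0) ack 1535086519 win 32736 <mss 536> (ttl 63, id 15014)
19:50:23.087805 our.nameserver.domain > 209.67.42.160.2902: S 3536506566:3536506566(0) ack 338360494 win 32736 <mss 536> (ttl 63, id 15015)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1514380993:1514380993(0) win 0 (ttl 48, id 1612)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1535086519:1535086519(0) win 0 (ttl 48, id 1614)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 338360494:338360494(0) win 0 (ttl 48, id 1616)
19:50:23.327805 209.67.42.160.2900 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 29835)
19:50:23.327805 209.67.42.160.2901 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 40424)
19:50:23.327805 209.67.42.160.2902 > our.nameserver.domain: R 1:1(0) ack 1 win 2048 (ttl 239, id 4625)
"""

# One tcpdump TCP line: time, src > dst: flags seq:end(len) [ack n] win w [<opts>] (ttl t, id i)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<length>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: <[^>]*>)? "
    r"\(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)$"
)

# tcpdump prints well-known ports by service name; "domain" is port 53.
# Assumption of this example: only the name that appears in the sample is mapped.
SERVICE_PORTS = {"domain": 53}


def split_endpoint(endpoint):
    """'209.67.42.160.2900' -> ('209.67.42.160', 2900); 'host.domain' -> ('host', 53)."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port, port))


def parse_tcpdump(text):
    """Turn tcpdump lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        packets.append({
            "ts": m["ts"], "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port, "flags": m["flags"],
            "length": int(m["length"]), "ack": m["ack"] is not None,
            "win": int(m["win"]), "ttl": int(m["ttl"]), "ipid": int(m["ipid"]),
        })
    return packets


def syn_with_payload(packets):
    """Initial SYNs (no ACK) that carry data; ordinary stacks send SYNs with (0)."""
    return [p for p in packets if "S" in p["flags"] and not p["ack"] and p["length"] > 0]


def round_port_bursts(packets, burst=3, base=100):
    """(src, ts, first_port) where one source sent `burst` initial SYNs in the same
    timestamp from consecutive ports starting at a multiple of `base`."""
    by_src = defaultdict(list)
    for p in packets:
        if "S" in p["flags"] and not p["ack"]:
            by_src[(p["src"], p["ts"])].append(p["sport"])
    hits = []
    for (src, ts), ports in by_src.items():
        ports = sorted(ports)
        if (len(ports) == burst and ports[0] % base == 0
                and ports == list(range(ports[0], ports[0] + burst))):
            hits.append((src, ts, ports[0]))
    return hits


def ttl_inconsistency(packets):
    """Source host -> sorted TTLs, for sources seen with more than one TTL."""
    ttls = defaultdict(set)
    for p in packets:
        ttls[p["src"]].add(p["ttl"])
    return {src: sorted(t) for src, t in ttls.items() if len(t) > 1}


def analyze(text):
    packets = parse_tcpdump(text)
    return {
        "packets": len(packets),
        "payload_syns": [(p["src"], p["sport"], p["length"]) for p in syn_with_payload(packets)],
        "round_port_bursts": round_port_bursts(packets),
        "ttl_inconsistency": ttl_inconsistency(packets),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, `analyze` reports three payload-carrying SYNs of 64 bytes from 209.67.42.160, one burst on ports 2900..2902, and TTLs 48 and 239 for that same address. The TTL check is only a flag: a single host normally sets one initial TTL, so two different values from one address within a quarter of a second are worth a second look, but the example leaves the interpretation to the analyst.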