Security Incidents mailing list archives

Re: Scans from Russia

From: Adam Pendleton <adam.pendleton () CORBETT-TECH COM>
Date: Wed, 20 Sep 2000 13:24:03 -0400

It looks like this is a scan that has all of the TCP flags set to 1.

F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG

Obviously, this is not likely to be legitimate traffic, as there is no time
when all the TCP flags are set.  Often time, scanners will set all of the
flags in an attempt to elude IDS and firewall systems that are looking for
say, only SYN packets.

Adam H. Pendleton
Manager
Security Management Center
Corbett Technologies, Inc.
Alexandria, Virginia
USA
http://www.corbett-tech.com

Si hoc legere scis nimium eruditionis habes.



-----Original Message-----
From: Infrastructure Dept. [mailto:infrastructure () NARELLAN NET]
Sent: Wednesday, September 20, 2000 08:57
To: INCIDENTS () SECURITYFOCUS COM
Subject: Scans from Russia


I check my logs more than daily so I usually catch stuff soon after the
occurrence. Here's something I saw this morning. Can someone tell me what
the flags mean or where I can find a list of 'flags'

Sep 20 00:27:21 ns1 scanlogd: From 213.156.132.118 to x.x.x.x ports 1999,
745, 602, 6003, 144, 3333, 32771, 53, 2049, ..., flags fSrpau, TOS 00, TTL
42, started at 00:27:19

And here's the Whois data

inetnum:     213.156.130.0 - 213.156.136.255
netname:     CSSMPSNET
descr:       Central Switching Station of MRT RF
descr:       Russia
country:     RU
admin-c:     KD544-RIPE
tech-c:      KD544-RIPE
status:      ASSIGNED PA
notify:      netadmin () css-mps ru
mnt-by:      TRANSINFORM-MNT
changed:     netadmin () css-mps ru 20000214
changed:     alex () tsi ru 20000223
source:      RIPE

route:       213.156.128.0/19
descr:       Company Transinform
origin:      AS12979
notify:      noc () tsi ru
mnt-by:      TRANSINFORM-MNT
changed:     sergey () tsi ru 20000223
source:      RIPE

person:      Dmitry V Kirosov
address:     2/1 Kalanchovskaya street
address:     Moscow
address:     RU-107174
phone:       +7 095 262-2620
fax-no:      +7 095 262-1531
e-mail:      dvk () css-mps ru
nic-hdl:     KD544-RIPE
changed:     pasha () glasnet ru 19980917
source:      RIPE



Mr. I.
Network Engineer / Ops Manager
Narellan (NorthEast) Inc.

Current thread:

Scans from Russia Infrastructure Dept. (Sep 20)
- Re: Scans from Russia Vitaly Osipov (Sep 22)
- <Possible follow-ups>
- Re: Scans from Russia Adam Pendleton (Sep 21)