Security Incidents mailing list archives
Re: Scans from Russia
From: Adam Pendleton <adam.pendleton () CORBETT-TECH COM>
Date: Wed, 20 Sep 2000 13:24:03 -0400
It looks like this is a scan that has all of the TCP flags set to 1.

F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG

Obviously, this is not likely to be legitimate traffic, as there is no time when all the TCP flags are set. Oftentimes, scanners will set all of the flags in an attempt to elude IDS and firewall systems that are looking for, say, only SYN packets.

Adam H. Pendleton
Manager
Security Management Center
Corbett Technologies, Inc.
Alexandria, Virginia USA
http://www.corbett-tech.com

Si hoc legere scis nimium eruditionis habes.

-----Original Message-----
From: Infrastructure Dept. [mailto:infrastructure () NARELLAN NET]
Sent: Wednesday, September 20, 2000 08:57
To: INCIDENTS () SECURITYFOCUS COM
Subject: Scans from Russia

I check my logs more than daily so I usually catch stuff soon after the occurrence. Here's something I saw this morning. Can someone tell me what the flags mean or where I can find a list of 'flags'?

Sep 20 00:27:21 ns1 scanlogd: From 213.156.132.118 to x.x.x.x ports 1999, 745, 602, 6003, 144, 3333, 32771, 53, 2049, ..., flags fSrpau, TOS 00, TTL 42, started at 00:27:19

And here's the Whois data:

inetnum: 213.156.130.0 - 213.156.136.255
netname: CSSMPSNET
descr: Central Switching Station of MRT RF
descr: Russia
country: RU
admin-c: KD544-RIPE
tech-c: KD544-RIPE
status: ASSIGNED PA
notify: netadmin () css-mps ru
mnt-by: TRANSINFORM-MNT
changed: netadmin () css-mps ru 20000214
changed: alex () tsi ru 20000223
source: RIPE

route: 213.156.128.0/19
descr: Company Transinform
origin: AS12979
notify: noc () tsi ru
mnt-by: TRANSINFORM-MNT
changed: sergey () tsi ru 20000223
source: RIPE

person: Dmitry V Kirosov
address: 2/1 Kalanchovskaya street
address: Moscow
address: RU-107174
phone: +7 095 262-2620
fax-no: +7 095 262-1531
e-mail: dvk () css-mps ru
nic-hdl: KD544-RIPE
changed: pasha () glasnet ru 19980917
source: RIPE

Mr. I.
Network Engineer / Ops Manager
Narellan (NorthEast) Inc.
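Added example, not part of either message and not scanlogd's own code: a parser for the scanlogd entry quoted above that decodes its flags field and labels the flag combination for triage. It assumes scanlogd's convention for that field: an uppercase letter marks a bit set in every packet of the scan, a lowercase letter a bit clear in every packet, and `?` a bit that varied. The function names, the regular expression and the labels are hypothetical.

```python
import re

ORDER = "fsrpau"  # letter order of the six-character field in the quoted log
NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]

# Sample input: the log entry quoted in the message (destination masked there).
SAMPLE = ("Sep 20 00:27:21 ns1 scanlogd: From 213.156.132.118 to x.x.x.x ports "
          "1999, 745, 602, 6003, 144, 3333, 32771, 53, 2049, ..., flags fSrpau, "
          "TOS 00, TTL 42, started at 00:27:19")

LINE_RE = re.compile(r"scanlogd: From (?P<src>\S+) to (?P<dst>\S+) ports "
                     r"(?P<ports>[\d, ]+?)(?P<more>, \.\.\.)?, "
                     r"flags (?P<flags>[A-Za-z?]+)")

def decode_flags(field):
    """Split the flags field into bits always set, always clear, and varied."""
    if len(field) != len(ORDER):
        raise ValueError("expected %d flag characters" % len(ORDER))
    result = {"set": [], "clear": [], "varied": []}
    for pos, ch in enumerate(field):
        if ch == "?":
            result["varied"].append(NAMES[pos])
        elif ch.lower() != ORDER[pos]:
            raise ValueError("unexpected %r at position %d" % (ch, pos))
        else:
            result["set" if ch.isupper() else "clear"].append(NAMES[pos])
    return result

def classify(decoded):
    """Label the combination so an analyst can sort entries quickly."""
    if decoded["varied"]:
        return "mixed flags across packets"
    if decoded["set"] == ["SYN"]:
        return "SYN only"
    if not decoded["set"]:
        return "no flags set"
    if decoded["set"] == NAMES:
        return "all six flags set"
    return "other fixed combination"

def parse_line(line):
    """Return source, port list, flag breakdown and label, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    decoded = decode_flags(m.group("flags"))
    return {"src": m.group("src"),
            "ports": [int(p) for p in m.group("ports").split(", ")],
            "truncated": m.group("more") is not None,
            "flags": decoded, "kind": classify(decoded)}

if __name__ == "__main__":
    print(parse_line(SAMPLE))
```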