Security Incidents mailing list archives
Strange packets (IDS28/probe-nmap_tcp_ping)
From: Wozz <wozz+incidents () WOOKIE NET>
Date: Mon, 5 Feb 2001 12:35:21 -0700
I've received some strange packets the last few days on one of my IDS sensors. I assume these were generated by nmap -g 80. What's curious to me is how slow and random the scan appears. It hits a few IPs more than once, hits a few random high level ports. There seems to be no sense to it. Has anyone seen similar traffic? Any thoughts as to what they're trying to accomplish?

[**] IDS28/probe-nmap_tcp_ping [**]
02/05-02:47:51.939125 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.168:25 TCP TTL:53 TOS:0x0 ID:5610 IpLen:20 DgmLen:40
***A**** Seq: 0x136 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/05-03:21:27.716890 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.163:25 TCP TTL:53 TOS:0x0 ID:37820 IpLen:20 DgmLen:40
***A**** Seq: 0x1D1 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-04:43:25.631670 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.42:38838 TCP TTL:53 TOS:0x0 ID:38476 IpLen:20 DgmLen:40
***A**** Seq: 0x33 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-17:47:00.024980 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:53792 IpLen:20 DgmLen:40
***A**** Seq: 0x30B Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-21:51:38.517553 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:36244 IpLen:20 DgmLen:40
***A**** Seq: 0x3A3 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/05-01:38:40.551743 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:106 IpLen:20 DgmLen:40
***A**** Seq: 0x23F Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/03-04:25:37.056448 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.163:25 TCP TTL:53 TOS:0x0 ID:61412 IpLen:20 DgmLen:40
***A**** Seq: 0x388 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/03-15:22:45.495337 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:32070 IpLen:20 DgmLen:40
***A**** Seq: 0x1B0 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/03-21:49:08.168186 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.42:26291 TCP TTL:53 TOS:0x0 ID:25314 IpLen:20 DgmLen:40
***A**** Seq: 0x2B6 Ack: 0x0 Win: 0x400 TcpLen: 20
--
[**] IDS28/probe-nmap_tcp_ping [**]
02/02-21:01:28.924438 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.188:25 TCP TTL:53 TOS:0x0 ID:43108 IpLen:20 DgmLen:40
***A**** Seq: 0x143 Ack: 0x0 Win: 0x400 TcpLen: 20
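
Added example, not part of the original post: Python that parses Snort alerts in the layout quoted above and summarizes them per source, so the repeated targets and the hours-long gaps between probes stand out. The function name summarize is hypothetical, and the year 2001 is an assumption taken from the message's Date header (the alerts carry no year).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Three of the alerts from the post above, one field group per line.
SAMPLE = """\
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-17:47:00.024980 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:53792 IpLen:20 DgmLen:40
***A**** Seq: 0x30B Ack: 0x0 Win: 0x400 TcpLen: 20
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-04:43:25.631670 0:B0:4A:9B:D0:38 -> 8:0:20:C2:1A:58 type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.42:38838 TCP TTL:53 TOS:0x0 ID:38476 IpLen:20 DgmLen:40
***A**** Seq: 0x33 Ack: 0x0 Win: 0x400 TcpLen: 20
[**] IDS28/probe-nmap_tcp_ping [**]
02/04-21:51:38.517553 0:B0:4A:9B:D0:38 -> 8:0:20:C2:5:5E type:0x800 len:0x3C
63.119.91.2:80 -> a.b.c.192:25 TCP TTL:53 TOS:0x0 ID:36244 IpLen:20 DgmLen:40
***A**** Seq: 0x3A3 Ack: 0x0 Win: 0x400 TcpLen: 20
"""

# Whitespace-tolerant, so it also matches alerts flattened onto one line.
ALERT = re.compile(
    r"\[\*\*\]\s+(?P<sig>\S+)\s+\[\*\*\]\s+(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+"
    r".*?\s(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+TCP\s"
    r".*?(?P<flags>\S{8})\s+Seq:\s+\S+\s+Ack:\s+(?P<ack>\S+)\s+Win:\s+(?P<win>\S+)",
    re.S)

def summarize(text, year=2001):  # year assumed from the message's Date header
    """Group alerts by source; report targets, probe traits and time gaps."""
    by_src = defaultdict(list)
    for m in ALERT.finditer(text):
        when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        by_src[m["src"]].append((when, m))
    report = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])  # alerts in the post are not in time order
        times = [t for t, _ in hits]
        report[src] = {
            "targets": Counter(f"{m['dst']}:{m['dport']}" for _, m in hits),
            "src_ports": sorted({int(m["sport"]) for _, m in hits}),
            # Traits shared by every alert in the post: ACK only, Ack 0, Win 0x400.
            "uniform": all(m["flags"] == "***A****" and int(m["ack"], 16) == 0
                           and int(m["win"], 16) == 0x400 for _, m in hits),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```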