Re: Very Strange Attack

[Fernando Cardoso <fernando.cardoso () WHATEVERNET COM>]

It sounds like some sort of OS fingerprinting like the one nmap
implements. It just send weird packets with all kind of invalid
combinations of flags and options and tries to figure out what kind of
OS is running by analizing the replies.

Just my $0.02

Fernando


>         A quick search at Snort.conf Port Database and on my Palm TCP/UDP
> Ports text didn't returned anything about the Sport or the Dport.
>
>         I guess that it can be a particular rootkit/worm backdoor port,
> that the attacker can be looking for. Or maybe, if others machine were
> hit by the same pkt, he is just using this destination port to map your
> network (instead of using ping, he tries to connect and listen for the
> RSTS).
>
>         Any other ideas, anyone?
>
> Cheers,
> ---
> Osvaldo J. Filho
> Unix Security Specialist/Consultant
> <osvaldojaneri () uol com br>
> ---
>
> On Wed, 7 Feb 2001, Mendoza, Luis wrote:
>
> > Hi everybody,
> >
> > I had received this traffic from Internet, in all cases the destinations
> > port are not well-known but are the same (TCP:21536) and the source port
> > idem (TCP:18245)
> >
> > Is this traffic associated to some kind of attack or anything else?
> >
> > Thanks
> >
> > Luis Mendoza
> >
> > Feb  3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
> > Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
> > RESERVEDBITS
> > Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U
> > RESERVEDBITS
> > Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U
> > RESERVEDBITS
> > Feb  3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU
> > RESERVEDBITS
> >
> > Feb  3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
> > Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
> > RESERVEDBITS
> > Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 VECNA 2****P*U
> > RESERVEDBITS
> > Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 XMAS 2**F*P*U
> > RESERVEDBITS
> > Feb  3 18:44:22 63.91.226.239:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU
> > RESERVEDBITS
> > Feb  3 18:44:26 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
> > RESERVEDBITS
> >
> > Feb  3 21:37:07 63.91.227.90:18245 -> a.b.c.44:21536 VECNA *******U
> > Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
> > RESERVEDBITS
> > Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 VECNA 2****P*U
> > RESERVEDBITS
> > Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 XMAS 2**F*P*U
> > RESERVEDBITS
> > Feb  3 21:37:14 63.91.227.90:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU
> > RESERVEDBITS
> > Feb  3 21:37:18 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
> > RESERVEDBITS
> >
> > Feb  4 22:06:13 66.50.25.19:18245 -> a.b.c.44:21536 VECNA *******U
> > Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
> > RESERVEDBITS
> > Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 VECNA 2****P*U
> > RESERVEDBITS
> > Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 XMAS 2**F*P*U
> > RESERVEDBITS

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso
6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/

_____________________________________________________________________
                      INTERNET MAIL FOOTER
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------