Security Incidents mailing list archives

SYN FIN Scan with src port == dst port


From: Nicolas Gregoire <nicolas.gregoire () 7thzone com>
Date: Tue, 19 Jun 2001 11:25:34 +0200

Hi,

Here are some logs from probes done by compromised boxes.
The first one (hacked_1) is a default RedHat 6.2 and the second one
(hacked_2) is a default Cobalt 5.0.
Admins have been notified.

Jun 17 21:23:22 my_box_1 snort[468]: SCAN-SYN FIN: hacked_1:511 -> my_box_1:511
Jun 17 21:23:22 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_1:511 -> my_box_2:511

Jun 18 20:52:42 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:21 -> my_box_2:21
Jun 18 20:52:42 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:21 -> my_box_1:21
Jun 18 20:52:52 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
Jun 18 20:52:52 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:111 -> my_box_1:111
Jun 18 20:53:01 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:511 -> my_box_2:511
Jun 18 20:53:01 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:511 -> my_box_1:511
Jun 18 20:53:15 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:54321 -> my_box_2:54321
Jun 18 20:53:15 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:54321 -> my_box_1:54321
Jun 18 20:53:24 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:79 -> my_box_2:79
Jun 18 20:53:24 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:79 -> my_box_1:79
Jun 18 20:54:48 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:53 -> my_box_2:53
Jun 18 20:54:48 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:53 -> my_box_1:53
Jun 18 20:54:48 my_box_2 snort[5207]: IDS277 - NAMED Iquery Probe: hacked_2:2232 -> my_box_2:53
Jun 18 20:54:48 my_box_2 named[844]: denied query from [hacked_2].2232 for "version.bind"
Jun 18 20:54:48 my_box_2 snort[5207]: MISC-DNS-version-query: hacked_2:2232 -> my_box_2:53
Jun 18 20:55:21 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
Jun 18 20:55:21 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:111 -> my_box_1:111
Jun 18 20:56:00 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:1080 -> my_box_2:1080
Jun 18 20:56:00 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:1080 -> my_box_1:1080

The first one has a root shell bound to port 511, not the second one.
The strange thing is that these 2 boxes are located in France, like me,
and have the same patterns.
Every packet has the same values for a few fields:
TOS:0x0 ID:39426 IpLen:20 DgmLen:40 Win: 0x404  TcpLen: 20

Have you ever seen that?

Nicob
(please excuse my English)

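The pattern reported above (SYN and FIN set together, source port equal to destination port, and a constant TOS, IP ID, window and header lengths in every packet) can be checked directly against the raw headers rather than only against Snort's "SCAN-SYN FIN" message. The following is an added example, not code from the original post or from Snort: it decodes an IPv4+TCP header, tests for the SYN/FIN flag combination and the equal ports, compares the constant fields quoted in the post, and groups matching packets by source host to recover the port sequence each scanner walked. The sample packets, the addresses (documentation ranges) and the TTL used by the builder are constructed here for illustration; the fingerprint values themselves are the ones in the post.

```python
"""Detect the SYN/FIN probe pattern described in the post.

Added example, not part of the original post. The packet builder,
addresses and sample traffic are constructed here; the fingerprint
values (TOS, IP ID, header lengths, window) are those quoted above.
"""
import socket
import struct
from dataclasses import dataclass

TCP_FIN = 0x01
TCP_SYN = 0x02

# Header fields the post reports as identical in every probe packet.
FINGERPRINT = dict(tos=0x0, ip_id=39426, ip_hlen=20, dgm_len=40,
                   window=0x404, tcp_hlen=20)


@dataclass
class Probe:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    tos: int
    ip_id: int
    ip_hlen: int
    dgm_len: int
    window: int
    tcp_hlen: int


def parse_ipv4_tcp(pkt: bytes) -> Probe:
    """Decode an IPv4 header followed by the fixed 20-byte TCP header."""
    (ver_ihl, tos, dgm_len, ip_id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ip_hlen = (ver_ihl & 0x0F) * 4
    (sport, dport, _seq, _ack, off_res, flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIBBHHH", pkt[ip_hlen:ip_hlen + 20])
    tcp_hlen = (off_res >> 4) * 4
    return Probe(socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport,
                 flags, tos, ip_id, ip_hlen, dgm_len, window, tcp_hlen)


def is_syn_fin(p: Probe) -> bool:
    """SYN and FIN set together: a combination no normal TCP stack sends."""
    return (p.flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)


def matches_fingerprint(p: Probe) -> bool:
    """SYN/FIN, sport == dport, and every constant field from the post."""
    return (is_syn_fin(p) and p.sport == p.dport
            and all(getattr(p, k) == v for k, v in FINGERPRINT.items()))


def build_probe(src: str, dst: str, port: int, *, flags=TCP_SYN | TCP_FIN,
                sport=None, ip_id=39426, window=0x404, tos=0) -> bytes:
    """Build a 40-byte IPv4+TCP packet for offline analysis.

    Checksums are left zero and the TTL (64) is an assumption; the packet
    is never sent, only parsed.
    """
    sport = port if sport is None else sport
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, ip_id, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, port, 0, 0, 5 << 4, flags,
                      window, 0, 0)
    return ip + tcp


def probed_ports(pkts) -> dict:
    """Map each fingerprint-matching source host to the ports it probed."""
    seen = {}
    for raw in pkts:
        p = parse_ipv4_tcp(raw)
        if matches_fingerprint(p):
            seen.setdefault(p.src, []).append(p.dport)
    return seen


if __name__ == "__main__":
    # Constructed sample traffic: the port sequence hacked_2 walked in the
    # post, plus a plain SYN and a SYN/FIN from an unrelated source port,
    # neither of which should match.
    sample = [build_probe("192.0.2.2", "198.51.100.1", port)
              for port in (21, 111, 511, 54321, 79, 53, 111, 1080)]
    sample.append(build_probe("192.0.2.3", "198.51.100.1", 80, flags=TCP_SYN))
    sample.append(build_probe("192.0.2.4", "198.51.100.1", 22, sport=40000))
    print(probed_ports(sample))
```

The flag test alone already catches the scan; the extra field comparison is what lets you tell this particular scanner apart from other SYN/FIN probes and confirm, as the post does, that two different compromised hosts are running the same tool.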
