Security Incidents mailing list archives
SYN FIN Scan with src port == dst port
From: Nicolas Gregoire <nicolas.gregoire () 7thzone com>
Date: Tue, 19 Jun 2001 11:25:34 +0200
Hi, here are some logs from probes done by compromised boxes. The first one (hacked_1) is a default RedHat 6.2 and the second one (hacked_2) is a default Cobalt 5.0. Admins have been notified.

Jun 17 21:23:22 my_box_1 snort[468]: SCAN-SYN FIN: hacked_1:511 -> my_box_1:511
Jun 17 21:23:22 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_1:511 -> my_box_2:511
Jun 18 20:52:42 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:21 -> my_box_2:21
Jun 18 20:52:42 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:21 -> my_box_1:21
Jun 18 20:52:52 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
Jun 18 20:52:52 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:111 -> my_box_1:111
Jun 18 20:53:01 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:511 -> my_box_2:511
Jun 18 20:53:01 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:511 -> my_box_1:511
Jun 18 20:53:15 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:54321 -> my_box_2:54321
Jun 18 20:53:15 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:54321 -> my_box_1:54321
Jun 18 20:53:24 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:79 -> my_box_2:79
Jun 18 20:53:24 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:79 -> my_box_1:79
Jun 18 20:54:48 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:53 -> my_box_2:53
Jun 18 20:54:48 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:53 -> my_box_1:53
Jun 18 20:54:48 my_box_2 snort[5207]: IDS277 - NAMED Iquery Probe: hacked_2:2232 -> my_box_2:53
Jun 18 20:54:48 my_box_2 named[844]: denied query from [hacked_2].2232 for "version.bind"
Jun 18 20:54:48 my_box_2 snort[5207]: MISC-DNS-version-query: hacked_2:2232 -> my_box_2:53
Jun 18 20:55:21 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
Jun 18 20:55:21 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:111 -> my_box_1:111
Jun 18 20:56:00 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:1080 -> my_box_2:1080
Jun 18 20:56:00 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:1080 -> my_box_1:1080

The first one has a root shell bound to port 511, not the second one.
The strange thing is that these 2 boxes are located in France, like me, and have the same patterns. Every packet has the same values for a few fields: TOS:0x0 ID:39426 IpLen:20 DgmLen:40 Win: 0x404 TcpLen: 20. Have you ever seen that?

Nicob (please excuse my English)
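As an added example (not part of Nicolas's post or of snort itself), the script below parses snort alert lines in the exact format shown above and summarises, per source host, every SCAN-SYN FIN alert whose source port equals the destination port, which is the pattern the post asks about. The sample log is constructed from the patterns in the post, with the same placeholder host names; the regular expression assumes the Snort 1.x syslog alert layout seen in those lines and skips anything else (for example the named "denied query" line).

```python
import re
from collections import defaultdict

# Snort 1.x syslog alert, as in the post:
# "Jun 18 20:53:01 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:511 -> my_box_2:511"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"   # syslog timestamp
    r"(?P<sensor>\S+)\s+snort\[\d+\]:\s+"         # reporting host and snort pid
    r"(?P<sig>.+?):\s+"                           # signature name (non-greedy)
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"        # source host:port
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"            # destination host:port
)

# Constructed sample log built from the patterns in the post (not captured traffic).
SAMPLE_LOG = """\
Jun 17 21:23:22 my_box_1 snort[468]: SCAN-SYN FIN: hacked_1:511 -> my_box_1:511
Jun 18 20:52:42 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:21 -> my_box_2:21
Jun 18 20:52:52 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
Jun 18 20:54:48 my_box_2 snort[5207]: IDS277 - NAMED Iquery Probe: hacked_2:2232 -> my_box_2:53
Jun 18 20:54:48 my_box_2 named[844]: denied query from [hacked_2].2232 for "version.bind"
Jun 18 20:56:00 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:1080 -> my_box_1:1080
"""


def parse_alerts(text):
    """Yield one dict per line that matches the snort alert layout; other lines are ignored."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m is None:
            continue
        alert = m.groupdict()
        alert["sport"] = int(alert["sport"])
        alert["dport"] = int(alert["dport"])
        yield alert


def mirrored_port_scans(text):
    """Summarise SCAN-SYN FIN alerts where source port == destination port.

    Returns {source_host: {"ports": [...], "targets": [...], "count": n}} with
    the probed ports and the hosts that saw the probe, sorted for stable output.
    """
    summary = defaultdict(lambda: {"ports": set(), "targets": set(), "count": 0})
    for a in parse_alerts(text):
        if a["sig"] == "SCAN-SYN FIN" and a["sport"] == a["dport"]:
            entry = summary[a["src"]]
            entry["ports"].add(a["dport"])
            entry["targets"].add(a["dst"])
            entry["count"] += 1
    return {
        host: {"ports": sorted(v["ports"]), "targets": sorted(v["targets"]), "count": v["count"]}
        for host, v in summary.items()
    }


if __name__ == "__main__":
    for host, info in sorted(mirrored_port_scans(SAMPLE_LOG).items()):
        print(f"{host}: {info['count']} mirrored-port SYN/FIN probes on ports "
              f"{info['ports']} against {info['targets']}")
```

Feeding the full syslog from both sensors into `mirrored_port_scans` gives one entry per compromised source, so the same scanner hitting several of your hosts shows up once with its complete port list. The constant IP header values quoted in the post (ID:39426, Win: 0x404) are not present in the syslog alert lines, so they cannot be checked here; they would have to come from snort's full-packet alert output.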
Current thread:
- SYN FIN Scan with src port == dst port Nicolas Gregoire (Jun 19)
- RE: SYN FIN Scan with src port == dst port Fernando Cardoso (Jun 20)
- Synscan on port 2223 Fernando Cardoso (Jun 26)
- Re: Synscan on port 2223 Daniel Martin (Jun 27)
- Synscan on port 2223 Fernando Cardoso (Jun 26)
- RE: SYN FIN Scan with src port == dst port Fernando Cardoso (Jun 20)