Security Incidents mailing list archives

Scan that doesn't make sense


From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Wed, 6 Feb 2002 10:21:52 +0100


Since I went home yesterday we've had two weird scans. They look weird
for two reasons.

1. We did not log all traffic from the causing system, just the origin
snort ruleset and some custom ones.

2. In one case the ICMP Echo Replies come after the scan has been initiated.



Excerpts from logfiles:

[2002-02-06 03:02:57] 62.54.132.238:4794 -> *.*.*.68:80  WEB-IIS cmd.exe access
[2002-02-06 03:03:02] 62.54.132.238:4797 -> *.*.*.68:80  WEB-IIS cmd.exe access
[2002-02-06 03:03:30] 62.54.132.238:4799 -> *.*.*.68:80  WEB-IIS cmd.exe access
[2002-02-06 03:10:46] 62.54.132.238:4896 -> *.*.*.68:80  WEB-IIS cmd.exe access
[2002-02-06 03:17:13] 62.54.132.238:4983 -> *.*.*.68:21  Generic FTP scan
[2002-02-06 03:17:13] 62.54.132.238:4983 -> *.*.*.68:21  Generic FTP scan
[2002-02-06 03:17:15] 62.54.132.238:4983 -> *.*.*.68:21  Generic FTP scan
[2002-02-06 03:21:18] 62.54.132.238:1515 -> *.*.*.68:80  WEB-IIS cmd.exe access
[2002-02-06 03:27:43] 62.54.132.238:1886 -> *.*.*.68:1080  SCAN Proxy attempt
[2002-02-06 03:27:43] 62.54.132.238:1886 -> *.*.*.68:1080  SCAN Proxy attempt
[2002-02-06 03:27:44] 62.54.132.238:1886 -> *.*.*.68:1080  SCAN Proxy attempt
[2002-02-06 03:19:09] 62.54.132.238 -> *.*.*.68  ICMP superscan echo
[2002-02-06 03:19:51] 62.54.132.238 -> *.*.*.73  ICMP superscan echo
[2002-02-06 03:20:40] 62.54.132.238 -> *.*.*.7  ICMP superscan echo
[2002-02-06 03:22:35] 62.54.132.238 -> *.*.*.68  ICMP superscan echo
[2002-02-06 03:25:26] 62.54.132.238 -> *.*.*.68  ICMP superscan echo
[2002-02-06 03:27:25] 62.54.132.238 -> *.*.*.68  ICMP superscan echo
[2002-02-06 03:27:43] 62.54.132.238 -> *.*.*.68  ICMP superscan echo

This fellow did some ordinary cmd.exe?/c+dir+c: attempts and then some
scans for port 21 and 1080. And _after_ he had scanned the ports we can
see some ICMP Echo Requests with 8 bytes of data, all zeroes. I only know
one tool for scanning that sends this kind of ICMP packets and that is
SuperScan from Foundstone, and that one does it before the portscan.
Obviously he must have scanned several other ports after the ICMP
packets but none of the ports that are listed in my snort rules.





[2002-02-05 17:47:57] 64.226.245.15:1438 -> *.*.*.73:80  WEB-IIS cmd.exe access
[2002-02-05 17:48:00] 64.226.245.15:1472 -> *.*.*.76:80  WEB-IIS cmd.exe access
[2002-02-05 17:48:00] 64.226.245.15:1474 -> *.*.*.76:80  WEB-IIS CodeRed v2 root.exe access
[2002-02-05 17:48:00] 64.226.245.15:1479 -> *.*.*.76:80  WEB-IIS cmd.exe access
[2002-02-05 17:48:00] 64.226.245.15:1484 -> *.*.*.76:80  WEB-IIS cmd.exe access
[2002-02-05 17:48:01] 64.226.245.15:1487 -> *.*.*.76:80  WEB-IIS cmd.exe access
[2002-02-05 17:48:01] 64.226.245.15:1494 -> *.*.*.76:80  WEB-IIS cmd.exe access
[2002-02-05 17:48:01] 64.226.245.15:1496 -> *.*.*.76:80  WEB-IIS cmd.exe access
[2002-02-05 17:46:00] 64.226.245.15 -> *.*.*.2 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:03] 64.226.245.15 -> *.*.*.3 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:06] 64.226.245.15 -> *.*.*.4 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:09] 64.226.245.15 -> *.*.*.5 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:12] 64.226.245.15 -> *.*.*.6 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:16] 64.226.245.15 -> *.*.*.7 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:18] 64.226.245.15 -> *.*.*.8 [arachNIDS/162]  ICMP PING NMAP
[2002-02-05 17:46:19] 64.226.245.15 -> *.*.*.9 [arachNIDS/162]  ICMP PING NMAP

Here we have another scan but at least the ICMP Echo Requests are mixed
with the other packets in the flow (not in this excerpt though). This one
uses ICMP Echo Requests with no data at all.



My question: Is this some sort of known worm (have I been too long in
my cave) or what?



/Johan
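As an added example (not part of Johan's post or of snort), a small Python triage script that parses alert lines in the format of the excerpts above and, per source address, reports whether the first ICMP echo probe was logged before or after the first TCP probe, which is the ordering question the post raises. The sample lines and addresses are constructed (RFC 5737 test ranges), not taken from the real scans.

```python
import re
from collections import defaultdict
from datetime import datetime

# Alert line in the shape shown in the post: "[ts] src[:port] -> dst[:port]  message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.*]+)(?::(?P<dport>\d+))?\s+(?P<msg>.+)$"
)

# Constructed sample log in the same format (documentation addresses, not real hosts).
SAMPLE_LOG = """\
[2002-02-06 03:02:57] 192.0.2.10:4794 -> 198.51.100.68:80  WEB-IIS cmd.exe access
[2002-02-06 03:17:13] 192.0.2.10:4983 -> 198.51.100.68:21  Generic FTP scan
[2002-02-06 03:19:09] 192.0.2.10 -> 198.51.100.68  ICMP superscan echo
[2002-02-06 03:27:43] 192.0.2.10:1886 -> 198.51.100.68:1080  SCAN Proxy attempt
[2002-02-05 17:46:00] 192.0.2.20 -> 198.51.100.2  ICMP PING NMAP
[2002-02-05 17:47:57] 192.0.2.20:1438 -> 198.51.100.73:80  WEB-IIS cmd.exe access
"""


def parse(log_text):
    """Yield (timestamp, src, dport, msg) for every line that matches the alert format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip wrapped fragments or unrelated lines
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        dport = int(m.group("dport")) if m.group("dport") else None
        yield ts, m.group("src"), dport, m.group("msg")


def icmp_ordering(log_text):
    """Per source IP: did the first ICMP probe precede the first TCP probe?"""
    first = defaultdict(lambda: {"icmp": None, "tcp": None})
    for ts, src, dport, msg in sorted(parse(log_text), key=lambda r: r[0]):
        # ICMP alerts carry no destination port and are labelled "ICMP ..." by snort
        kind = "icmp" if dport is None or msg.upper().startswith("ICMP") else "tcp"
        if first[src][kind] is None:
            first[src][kind] = ts
    verdicts = {}
    for src, t in first.items():
        if t["icmp"] is None or t["tcp"] is None:
            verdicts[src] = "incomplete"  # only one probe type seen for this source
        else:
            verdicts[src] = "icmp-before-tcp" if t["icmp"] < t["tcp"] else "icmp-after-tcp"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(icmp_ordering(SAMPLE_LOG).items()):
        print(src, verdict)
```

Sources whose ICMP sweep follows their TCP probes, as in the first excerpt, show up as "icmp-after-tcp"; the usual ping-then-portscan pattern shows as "icmp-before-tcp".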

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
