Security Incidents mailing list archives
Re: strange logs -- tcp port 16166
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Wed, 25 Jun 2003 19:29:14 -0400
Jerry Shenk wrote Wednesday, June 25, 2003 3:16 PM
Well, that looks like what it is. The window size matches.

15:02:07.620000 yahoobb219046246242.bbtec.net.39770 > destination.com.44197: S 3511228839:3511228839(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
15:02:17.350000 yahoobb219046246242.bbtec.net.39770 > destination.com.44197: S 3511228839:3511228839(0) win 55808 <mss 1420,nop,wscale 2,nop,nop,sackOK>

Here's a snort decode of the same packet:

06/25-15:02:07.620000 xx:x:xx:xx:xx:xx -> xx:xx:xx:xx:xx:xx type:0x800 len:0x42
219.46.246.242:39770 -> destination:44197 TCP TTL:110 TOS:0x0 ID:20208 IpLen:20 DgmLen:52
******S* Seq: 0xD14919A7 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK
Yes, it looks like a perfect match in all respects of the packet, including TTL 100-120, window scale 2 and other options.

Typically one definitely spoofed source drones on and on against a target and is periodically joined by other sources that may or may not also be spoofed. The target port number and a lot of other packet info for any particular target appears to remain constant, but each target receives a different combination. The secondary sources are more likely to vary their packet information a little bit - the primary spoofed prober almost never varies anything.

http://www.intrusec.com/55808.html has some factual information about a trojan causing similar traffic.

Definitely browse the archives of any of your favorite lists. "Help with an odd log file" was the first related thread I recall on the SecurityFocus Incidents list. Google TCP window 55808 for lots of descriptions, partial explanations, entertaining speculation, and correlating details.
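As an added example (not part of the thread), the following Python pulls the window size and window-scale option out of tcpdump-style SYN lines like the ones quoted above and flags the window 55808 / wscale 2 pattern, then notes sources that repeat the identical SYN (same ports and sequence number) the way the "primary spoofed prober" is described. The regex, the sample lines other than the two quoted probes, and the hostnames host-b.example.net and client.example.org are constructed for the example.

```python
import re
from collections import Counter

# Constructed to match the tcpdump SYN lines quoted in this thread:
# "HH:MM:SS.frac src.port > dst.port: S seq:seq(0) win N <options>"
TCPDUMP_SYN = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"S\s+(?P<seq>\d+):\d+\(0\)\s+win\s+(?P<win>\d+)\s*(?:<(?P<opts>[^>]*)>)?"
)
SIGNATURE_WINDOW = 55808  # the window size discussed in the thread

def parse_syn(line):
    """Return a dict for a SYN line, or None for anything else."""
    m = TCPDUMP_SYN.match(line.strip())
    if not m:
        return None
    opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
    wscale = next((int(o.split()[1]) for o in opts if o.startswith("wscale")), None)
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "seq": int(m.group("seq")), "win": int(m.group("win")), "wscale": wscale}

def matches_signature(pkt):
    # Window 55808 with window scale 2; MSS is ignored since it varied upthread.
    return pkt["win"] == SIGNATURE_WINDOW and pkt["wscale"] == 2

def classify(lines):
    """Return (signature hits, sources repeating the exact same SYN)."""
    hits = [p for p in map(parse_syn, lines) if p and matches_signature(p)]
    counts = Counter((p["src"], p["sport"], p["dport"], p["seq"]) for p in hits)
    repeats = sorted({k[0] for k, n in counts.items() if n > 1})
    return hits, repeats

SAMPLE_LINES = [
    # the two probes quoted above, rejoined onto one line each
    "15:02:07.620000 yahoobb219046246242.bbtec.net.39770 > destination.com.44197: S 3511228839:3511228839(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>",
    "15:02:17.350000 yahoobb219046246242.bbtec.net.39770 > destination.com.44197: S 3511228839:3511228839(0) win 55808 <mss 1420,nop,wscale 2,nop,nop,sackOK>",
    # constructed: a secondary source with the same window but its own seq
    "15:03:01.100000 host-b.example.net.1025 > destination.com.44197: S 12345:12345(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>",
    # constructed: an ordinary SYN and a non-SYN segment, neither should match
    "15:03:02.200000 client.example.org.2001 > destination.com.80: S 99:99(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "15:03:02.300000 client.example.org.2001 > destination.com.80: . ack 1 win 65535",
]

if __name__ == "__main__":
    found, droning = classify(SAMPLE_LINES)
    print(f"{len(found)} signature hits; repeating sources: {droning}")
```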