Security Incidents mailing list archives

Re: Help with an odd log file...


From: "Fabio Panigatti" <ml-panigatti () minerprint it>
Date: Mon, 9 Jun 2003 18:58:27 +0200

No other bright ideas for now. Since it seems that routable addresses 
(unlike the first one) are also involved, I arranged a simple honeypot, but 
until now only 126.123.252.5 still tries to connect.

IP address   | src port
-----------------------
198.68.128.8      29301
205.251.214.254   38039
211.170.36.114     7325
217.208.230.223   33798
219.165.104.24    38039
62.110.19.3        6174
64.146.4.132      38039
64.219.62.94      38039
81.48.67.20        1025

A dozen routable IP addresses apparently contacted my honeypot, but none of 
them ACKed or RSTed my SYN/ACK (no response at all). I arranged a real-time 
scanner to do a couple of probes on the source IP address in order to test 
whether the host is up and running right when the SYN arrives (so I can find 
out if the IP address was spoofed) and what operating system it is running. 
Maybe the SYN/ACK is like a cookie forged by some backdoor: if the header 
fields aren't the expected ones or the payload is empty (as it should be) and 
doesn't contain some expected data, the client part drops the packets. Maybe 
the "attacker" checks that the src IP is down before using it to spoof the 
source of the packet (why?). Maybe the SYN/ACKs or the RSTs are enough for 
the attacker's purposes.

I contacted some of the abuse desks of the originating networks. No reply
for now.

Below is a [useless] Snort trace of one connection attempt.


Fabio Panigatti

----------------------------------------------------------------------
06/06-16:50:11.764906 217.208.230.223:33798 -> <mioip>:41240
TCP TTL:107 TOS:0x38 ID:58793 IpLen:20 DgmLen:52
******S* Seq: 0x980D2856 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1402 NOP WS: 2 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:11.765568 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:15.762590 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:21.762609 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:33.962555 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:57.962580 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:51:46.162567 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

----------------------------------------------------------------------------
----------------------------------------------------------------------------
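The trace above shows the pattern the post describes: one inbound SYN, then the honeypot's own SYN/ACK retransmitted with the usual kernel backoff (about 3, 6, 12, 24, 48 seconds) and never answered. The following script, added here as an illustration and not part of the original post, parses `snort -v` style TCP records, groups them into flows and reports which peers never replied to the SYN/ACK, separating them from peers that completed the handshake or reset it. It also maps the inbound TTL onto the nearest common initial value (64/128/255) to estimate hop count, a rough plausibility check for a claimed source, not proof of spoofing. The honeypot address `<mioip>` is replaced with the documentation address 192.0.2.10 (an assumption), only the first SYN and two SYN/ACKs from the trace are reproduced, and the two extra flows from 203.0.113.7 and 198.51.100.9 are constructed for contrast; Snort's option and `=+=+` separator lines are skipped by the parser.

```python
import re
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport ttl flags")

# Header, IP and TCP-flag lines of a `snort -v` TCP record; option and
# separator lines are ignored, and a new record starts at each header line.
HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)$")
TTL_RE = re.compile(r"^TCP TTL:(\d+)\b")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8})\s+Seq:")   # Snort's 8-char flag field

def parse_snort_trace(text):
    """Turn Snort's text dump into Packet tuples; flags is a set like {'A','S'}."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:
            if cur:
                packets.append(Packet(**cur))
            ts, src, sport, dst, dport = m.groups()
            cur = {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                   "dport": int(dport), "ttl": None, "flags": frozenset()}
            continue
        if cur is None:
            continue
        m = TTL_RE.match(line)
        if m:
            cur["ttl"] = int(m.group(1))
            continue
        m = FLAGS_RE.match(line)
        if m:
            cur["flags"] = frozenset(c for c in m.group(1) if c != "*")
    if cur:
        packets.append(Packet(**cur))
    return packets

def guess_initial_ttl(ttl):
    """Nearest common initial TTL (64/128/255) and the hop count it implies."""
    if ttl is None:
        return None, None
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None

def classify_handshakes(packets, my_ip):
    """Per peer flow: did the peer ever answer our SYN/ACK with an ACK or RST?"""
    flows = defaultdict(lambda: {"syn_in": 0, "synack_out": 0, "ack_in": 0,
                                 "rst_in": 0, "ttl": None})
    for p in packets:
        inbound = p.dst == my_ip
        key = (p.src, p.sport, p.dport) if inbound else (p.dst, p.dport, p.sport)
        f = flows[key]
        if inbound:
            f["ttl"] = p.ttl if f["ttl"] is None else f["ttl"]   # first inbound TTL
            f["syn_in"] += int("S" in p.flags and "A" not in p.flags)
            f["rst_in"] += int("R" in p.flags)
            f["ack_in"] += int("A" in p.flags and not p.flags & {"S", "R"})
        else:
            f["synack_out"] += int({"S", "A"} <= p.flags)
    out = []
    for (peer, pport, myport), f in sorted(flows.items()):
        if f["rst_in"]:
            verdict = "reset"
        elif f["ack_in"]:
            verdict = "completed"
        elif f["syn_in"] and f["synack_out"]:
            verdict = "half_open_no_reply"      # SYN in, SYN/ACK(s) out, silence
        else:
            verdict = "other"
        initial, hops = guess_initial_ttl(f["ttl"])
        out.append({"peer": peer, "peer_port": pport, "my_port": myport,
                    "verdict": verdict,
                    "synack_retransmits": max(f["synack_out"] - 1, 0),
                    "ttl": f["ttl"], "initial_ttl_guess": initial, "hops_guess": hops})
    return out

# Constructed sample: first three records are from the post (honeypot <mioip>
# replaced by 192.0.2.10, an assumption); the 203.0.113.7 and 198.51.100.9
# flows are made up to show a completed and a RST-ed handshake for contrast.
SAMPLE_TRACE = """\
06/06-16:50:11.764906 217.208.230.223:33798 -> 192.0.2.10:41240
TCP TTL:107 TOS:0x38 ID:58793 IpLen:20 DgmLen:52
******S* Seq: 0x980D2856 Ack: 0x0 Win: 0xDA00 TcpLen: 32
06/06-16:50:11.765568 192.0.2.10:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
06/06-16:50:15.762590 192.0.2.10:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
06/06-16:52:00.000001 203.0.113.7:40000 -> 192.0.2.10:41240
TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:60
******S* Seq: 0x00000100 Ack: 0x0 Win: 0x4000 TcpLen: 40
06/06-16:52:00.000500 192.0.2.10:41240 -> 203.0.113.7:40000
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x00000200 Ack: 0x00000101 Win: 0x16D0 TcpLen: 40
06/06-16:52:00.050000 203.0.113.7:40000 -> 192.0.2.10:41240
TCP TTL:52 TOS:0x0 ID:2 IpLen:20 DgmLen:40
***A**** Seq: 0x00000101 Ack: 0x00000201 Win: 0x4000 TcpLen: 20
06/06-16:53:00.000001 198.51.100.9:5555 -> 192.0.2.10:41240
TCP TTL:240 TOS:0x0 ID:7 IpLen:20 DgmLen:44
******S* Seq: 0x00000300 Ack: 0x0 Win: 0x2000 TcpLen: 24
06/06-16:53:00.000400 192.0.2.10:41240 -> 198.51.100.9:5555
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x00000400 Ack: 0x00000301 Win: 0x16D0 TcpLen: 24
06/06-16:53:00.030000 198.51.100.9:5555 -> 192.0.2.10:41240
TCP TTL:240 TOS:0x0 ID:8 IpLen:20 DgmLen:40
***A*R** Seq: 0x00000301 Ack: 0x00000401 Win: 0x0 TcpLen: 20
"""
```

Run `classify_handshakes(parse_snort_trace(SAMPLE_TRACE), "192.0.2.10")` to get one record per peer; for the 217.208.230.223 flow it reports `half_open_no_reply`, one SYN/ACK retransmission in the reproduced portion, and an estimated initial TTL of 128 (21 hops), consistent with the observed TTL of 107. A peer that never answers a SYN/ACK is exactly what a spoofed source looks like from the honeypot's side, but the same silence can come from a firewall dropping the reply or a host that went away, which is why the post's idea of probing the source at SYN time is the stronger test.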

