Security Incidents mailing list archives
Re: Help with an odd log file...
From: "Fabio Panigatti" <ml-panigatti () minerprint it>
Date: Mon, 9 Jun 2003 18:58:27 +0200
No other bright ideas for now. Since it seems that routable addresses (unlike the first one) are also involved, I set up a simple honeypot, but until now only 126.123.252.5 still tries to connect.
IP address        | src port
------------------+---------
198.68.128.8      | 29301
205.251.214.254   | 38039
211.170.36.114    | 7325
217.208.230.223   | 33798
219.165.104.24    | 38039
62.110.19.3       | 6174
64.146.4.132      | 38039
64.219.62.94      | 38039
81.48.67.20       | 1025

A dozen routable IP addresses apparently contacted my honeypot, but none of them ACKed or RSTed my SYN/ACK (no response at all). I set up a real-time scanner to do a couple of probes on the source IP address in order to test whether the host is up and running right when the SYN arrives (so I can find out if the IP address was spoofed) and what operating system it is running. Maybe the SYN/ACK is like a cookie forged by some backdoor: if the header fields aren't the expected ones, or the payload is empty (as it should be) and doesn't contain some expected data, the client part drops the packets. Maybe the "attacker" checks that the src IP is down before using it to spoof the source of the packet (why?). Maybe the SYN/ACKs or the RSTs are enough for the attacker's purposes. I contacted some of the abuse desks of the originating networks. No reply for now. Below there's a [useless] snort trace of one connection attempt.
Fabio Panigatti

----------------------------------------------------------------------
06/06-16:50:11.764906 217.208.230.223:33798 -> <mioip>:41240
TCP TTL:107 TOS:0x38 ID:58793 IpLen:20 DgmLen:52
******S* Seq: 0x980D2856  Ack: 0x0  Win: 0xDA00  TcpLen: 32
TCP Options (6) => MSS: 1402 NOP WS: 2 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/06-16:50:11.765568 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/06-16:50:15.762590 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/06-16:50:21.762609 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/06-16:50:33.962555 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/06-16:50:57.962580 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/06-16:51:46.162567 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
----------------------------------------------------------------------------
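The pattern Fabio describes (a SYN arrives, the honeypot answers SYN/ACK, retransmits it with exponential backoff and never sees an ACK or a RST) can be pulled out of a Snort packet log mechanically. The script below is an added example written for this page, not code from the thread or from Snort. It parses Snort-style records (the "mm/dd-HH:MM:SS.uuuuuu src:port -> dst:port" header and the eight-character flag string, where the positions mean 1 2 U A P R S F), groups packets per client/server pair, counts the honeypot's SYN/ACK retransmissions and the gaps between them, and classifies each flow as completed, reset by the peer, or half-open. The trace embedded in the block is constructed: 192.0.2.10 stands in for the honeypot's redacted address, and the other peers use RFC 5737 documentation ranges.

```python
"""Classify TCP flows in a Snort-style packet log as completed, reset or half-open.

Added example for this mailing-list page; not the original poster's code.
The trace below is constructed: 192.0.2.10 plays the honeypot, the peers
are documentation addresses, and only one flow copies the timing of the
real trace (SYN/ACK retransmitted after ~4 s and ~6 s with no reply).
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_TRACE = """\
06/06-16:50:11.764906 217.208.230.223:33798 -> 192.0.2.10:41240
******S* Seq: 0x980D2856  Ack: 0x0  Win: 0xDA00  TcpLen: 32
=+=+=+=+=+=+
06/06-16:50:11.765568 192.0.2.10:41240 -> 217.208.230.223:33798
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
=+=+=+=+=+=+
06/06-16:50:15.762590 192.0.2.10:41240 -> 217.208.230.223:33798
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
=+=+=+=+=+=+
06/06-16:50:21.762609 192.0.2.10:41240 -> 217.208.230.223:33798
***A**S* Seq: 0x6DB52C74  Ack: 0x980D2857  Win: 0x16D0  TcpLen: 32
=+=+=+=+=+=+
06/06-16:51:02.100000 198.51.100.7:40000 -> 192.0.2.10:41240
******S* Seq: 0x00000100  Ack: 0x0  Win: 0x4000  TcpLen: 24
=+=+=+=+=+=+
06/06-16:51:02.100500 192.0.2.10:41240 -> 198.51.100.7:40000
***A**S* Seq: 0x00000200  Ack: 0x00000101  Win: 0x16D0  TcpLen: 24
=+=+=+=+=+=+
06/06-16:51:02.180000 198.51.100.7:40000 -> 192.0.2.10:41240
***A**** Seq: 0x00000101  Ack: 0x00000201  Win: 0x4000  TcpLen: 20
=+=+=+=+=+=+
06/06-16:51:10.000000 203.0.113.9:5555 -> 192.0.2.10:41240
******S* Seq: 0x0000AAAA  Ack: 0x0  Win: 0x2000  TcpLen: 24
=+=+=+=+=+=+
06/06-16:51:10.000400 192.0.2.10:41240 -> 203.0.113.9:5555
***A**S* Seq: 0x0000BBBB  Ack: 0x0000AAAB  Win: 0x16D0  TcpLen: 24
=+=+=+=+=+=+
06/06-16:51:10.090000 203.0.113.9:5555 -> 192.0.2.10:41240
*****R** Seq: 0x0000AAAB  Ack: 0x0  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+
"""

HEADER = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")
FLAGS = re.compile(r"^([*12UAPRSF]{8})\s+Seq:", re.M)
EPOCH = datetime(1900, 1, 1)  # strptime default year; only differences matter


def flag_set(flags):
    """Decode Snort's 8-char flag field; position order is 1 2 U A P R S F."""
    return {name for name, ch in zip("12UAPRSF", flags) if ch != "*"}


def parse_records(text):
    """Yield (seconds, src, sport, dst, dport, flags) for each record in the log."""
    for rec in re.split(r"^=\+.*$", text, flags=re.M):
        h, f = HEADER.search(rec), FLAGS.search(rec)
        if not (h and f):
            continue  # separator noise or a record without a TCP flag line
        ts, src, sport, dst, dport = h.groups()
        secs = (datetime.strptime(ts, "%m/%d-%H:%M:%S.%f") - EPOCH).total_seconds()
        yield secs, src, int(sport), dst, int(dport), f.group(1)


def classify_flows(text, honeypot_ip):
    """Group packets by (peer, pport, honeypot, hport) and judge each handshake."""
    flows = defaultdict(lambda: {"syn": 0, "synack_t": [], "ack": 0, "rst": 0})
    for t, src, sport, dst, dport, flags in parse_records(text):
        fl = flag_set(flags)
        if src == honeypot_ip:                       # our side: only SYN/ACKs matter
            if fl == {"S", "A"}:
                flows[(dst, dport, src, sport)]["synack_t"].append(t)
        else:                                        # peer side
            st = flows[(src, sport, dst, dport)]
            if "S" in fl and "A" not in fl:
                st["syn"] += 1
            elif "R" in fl:
                st["rst"] += 1                       # reply to a SYN/ACK it never asked for?
            elif "A" in fl:
                st["ack"] += 1                       # third packet of the handshake
    report = {}
    for key, st in flows.items():
        times = st["synack_t"]
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        if st["ack"]:
            verdict = "completed"
        elif st["rst"]:
            verdict = "reset-by-peer"
        elif st["syn"] and times:
            verdict = "half-open"                    # SYN in, SYN/ACK out, silence
        else:
            verdict = "incomplete-trace"
        report[key] = {"verdict": verdict,
                       "synack_retransmits": max(len(times) - 1, 0),
                       "retransmit_gaps_s": gaps}
    return report


if __name__ == "__main__":
    for key, info in classify_flows(SAMPLE_TRACE, "192.0.2.10").items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {info}")
```

The three verdicts map onto the possibilities the post raises. A RST in reply to the SYN/ACK is what a live host that never sent the SYN returns, so it is evidence the SYN's source was spoofed; an ACK means a real client; silence is ambiguous (the source may be down, filtered, or an implementation that deliberately ignores the reply), which is exactly why the post pairs the honeypot with a probe of the source address at the moment the SYN arrives.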
Current thread:
- Help with an odd log file... sec_slave (Jun 03)
- Re: Help with an odd log file... morning_wood (Jun 04)
- Re: Help with an odd log file... Fabio Panigatti (Jun 05)
- Re: Help with an odd log file... Fabio Panigatti (Jun 10)
- <Possible follow-ups>
- RE: Help with an odd log file... Brad Bemis (Jun 05)
- Re: Help with an odd log file... sec_slave (Jun 05)
- RE: Help with an odd log file... Golden Faron P Contr HQ SSG/SWSN (Jun 09)
- Re(2): Help with an odd log file... Ken Eichman (Jun 09)
- Re: Help with an odd log file... James C. Slora Jr. (Jun 09)
- Re(2): Help with an odd log file... Ken Eichman (Jun 10)
- Re: Help with an odd log file... James C. Slora Jr. (Jun 12)
- Re(2): Help with an odd log file... Ken Eichman (Jun 10)
- Re: Help with an odd log file... James C. Slora Jr. (Jun 10)