Security Incidents mailing list archives

Anomalous tcp scan


From: Matthew Hall <matt () ecsc co uk>
Date: Tue, 13 Apr 2004 14:40:26 +0100

Hi incidents,
        Spotted what looks like a fingerprinting session run against one of my
webservers the other day (inlined below).
Just happened to be logged and dropped as I have a set of iptables rules
which drop packets with anomalous combinations of tcp settings (an
attempt at traffic normalisation).
Anyone got a definitive answer on what this is? It looks to me like an
attempt at fingerprinting based on some sort of xmas style scan or maybe
an exploit attempt based on an extension of the syn/fin vuln...
Anyone got an idea if this is an automated/manual scan? (time delay
makes me think manual).

Apr  6 15:38:33 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62661 DF 
PROTO=TCP SPT=33099 DPT=80 WINDOW=9139 RES=0x1c ACK PSH RST SYN URGP=27150
Apr  6 15:43:42 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62993 DF 
PROTO=TCP SPT=33099 DPT=80 WINDOW=37400 RES=0x28 RST SYN URGP=16384
Apr  6 16:04:08 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63966 DF 
PROTO=TCP SPT=33099 DPT=80 WINDOW=53361 RES=0x08 CWR URG ACK RST SYN URGP=3833
Apr  6 16:04:13 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63971 DF 
PROTO=TCP SPT=33099 DPT=80 WINDOW=15407 RES=0x28 CWR ECE URG ACK PSH RST FIN URGP=17641
Apr  6 16:04:16 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63976 DF 
PROTO=TCP SPT=33099 DPT=80 WINDOW=35843 RES=0x08 CWR URG PSH SYN FIN URGP=62489
Apr  6 16:57:49 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10624 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=8181 RES=0x38 CWR URG PSH RST FIN URGP=49327
Apr  6 17:02:50 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10770 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=1795 RES=0x00 RST FIN URGP=776
Apr  6 17:02:50 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10770 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=1795 RES=0x00 RST FIN URGP=776
Apr  6 17:03:03 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10793 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=42184 RES=0x2c CWR ACK RST FIN URGP=27400
Apr  6 17:03:49 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10845 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=1471 RES=0x30 CWR ECE URG RST SYN URGP=54736
Apr  6 17:03:49 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10845 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=1471 RES=0x30 CWR ECE URG RST SYN URGP=54736
Apr  6 17:03:55 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10850 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=42172 RES=0x2c CWR ACK RST FIN URGP=4223
Apr  6 17:13:34 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=11504 DF 
PROTO=TCP SPT=33155 DPT=80 WINDOW=53953 RES=0x38 CWR ECE PSH RST URGP=50288


Cheers,
Matt
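
An added example, not part of Matt's post: a small Python parser for netfilter LOG lines in the format above that re-joins the wrapped records, extracts the bare flag tokens, and reports which flag combinations a simple normalisation policy would reject. The policy rules (SYN+FIN, SYN+RST, FIN+PSH+URG, FIN without ACK, non-zero reserved bits, urgent pointer without URG) are my own assumption of what a "TCPANOM" rule set might check, not the poster's iptables rules; the sample records are three lines copied from the post.

```python
import re

# Three records copied from the post, wrapped as syslog emitted them: a line
# starting with "PROTO=" continues the record above it.
SAMPLE_LOG = """\
Apr  6 15:38:33 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62661 DF
PROTO=TCP SPT=33099 DPT=80 WINDOW=9139 RES=0x1c ACK PSH RST SYN URGP=27150
Apr  6 16:04:16 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63976 DF
PROTO=TCP SPT=33099 DPT=80 WINDOW=35843 RES=0x08 CWR URG PSH SYN FIN URGP=62489
Apr  6 17:02:50 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10770 DF
PROTO=TCP SPT=33155 DPT=80 WINDOW=1795 RES=0x00 RST FIN URGP=776
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV_RE = re.compile(r"(\w+)=(\S*)")

def join_wrapped(text):
    """Re-join records wrapped onto two lines: a line starting with PROTO= continues the previous one."""
    return text.replace("\nPROTO=", " PROTO=").splitlines()

def parse_record(record):
    """KEY=VALUE fields plus the bare TCP flag tokens of one netfilter LOG line."""
    fields = dict(KV_RE.findall(record))
    return fields, {tok for tok in record.split() if tok in TCP_FLAGS}

def anomalies(fields, flags):
    """Reasons a packet fails an assumed flag-normalisation policy (empty list if clean)."""
    reasons = []
    if {"SYN", "FIN"} <= flags:
        reasons.append("SYN+FIN")
    if {"SYN", "RST"} <= flags:
        reasons.append("SYN+RST")
    if {"FIN", "PSH", "URG"} <= flags:
        reasons.append("FIN+PSH+URG (xmas)")
    if "FIN" in flags and "ACK" not in flags:
        reasons.append("FIN without ACK")
    if int(fields.get("RES", "0"), 16):        # RES= is the reserved-bits nibble
        reasons.append("reserved bits set")
    if int(fields.get("URGP", "0")) and "URG" not in flags:
        reasons.append("urgent pointer without URG")
    return reasons

def analyse(text):
    """Map each TCP record's IP ID to (sorted flag list, anomaly reasons)."""
    result = {}
    for rec in join_wrapped(text):
        fields, flags = parse_record(rec)
        if fields.get("PROTO") == "TCP":
            result[fields["ID"]] = (sorted(flags), anomalies(fields, flags))
    return result
```

Running `analyse(SAMPLE_LOG)` shows that every record in the post trips at least one rule, which is consistent with a crafted-packet session rather than a broken TCP stack.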
