Security Incidents mailing list archives
Anomalous tcp scan
From: Matthew Hall <matt () ecsc co uk>
Date: Tue, 13 Apr 2004 14:40:26 +0100
Hi incidents,

Spotted what looks like a fingerprinting session run against one of my webservers the other day (inlined below). Just happened to be logged and dropped as I have a set of iptables rules which drop packets with anomalous combinations of tcp settings (an attempt at traffic normalisation).

Anyone got a definitive answer on what this is? It looks to me like an attempt at fingerprinting based on some sort of xmas style scan or maybe an exploit attempt based on an extension of the syn/fin vuln... Anyone got an idea if this is an automated/manual scan? (time delay makes me think manual).

Apr 6 15:38:33 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62661 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=9139 RES=0x1c ACK PSH RST SYN URGP=27150
Apr 6 15:43:42 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62993 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=37400 RES=0x28 RST SYN URGP=16384
Apr 6 16:04:08 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63966 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=53361 RES=0x08 CWR URG ACK RST SYN URGP=3833
Apr 6 16:04:13 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63971 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=15407 RES=0x28 CWR ECE URG ACK PSH RST FIN URGP=17641
Apr 6 16:04:16 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63976 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=35843 RES=0x08 CWR URG PSH SYN FIN URGP=62489
Apr 6 16:57:49 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10624 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=8181 RES=0x38 CWR URG PSH RST FIN URGP=49327
Apr 6 17:02:50 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10770 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=1795 RES=0x00 RST FIN URGP=776
Apr 6 17:02:50 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10770 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=1795 RES=0x00 RST FIN URGP=776
Apr 6 17:03:03 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10793 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=42184 RES=0x2c CWR ACK RST FIN URGP=27400
Apr 6 17:03:49 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10845 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=1471 RES=0x30 CWR ECE URG RST SYN URGP=54736
Apr 6 17:03:49 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10845 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=1471 RES=0x30 CWR ECE URG RST SYN URGP=54736
Apr 6 17:03:55 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10850 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=42172 RES=0x2c CWR ACK RST FIN URGP=4223
Apr 6 17:13:34 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=11504 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=53953 RES=0x38 CWR ECE PSH RST URGP=50288

Cheers,
Matt
Attachment:
signature.asc
Description: This is a digitally signed message part
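The post above asks what the logged packets are and whether the scan was manual. The following is an added example, not Matt's iptables rules or any code from the original message: it parses netfilter LOG lines of the format shown, flags the TCP header combinations that a traffic normaliser would never see from a real stack (SYN+FIN, SYN+RST, RST+FIN, a non-zero urgent pointer with URG clear, reserved header bits set), and then summarises each source by inter-arrival gap and source-port reuse, which are the two properties that bear on the manual-versus-automated question. The sample input is constructed: it reuses four of the lines quoted in the post (with the author's own x.x.x.x redaction kept as a literal), adds one made-up benign SYN from 192.0.2.10 for contrast, and assumes the year 2004 for the timestamps, since syslog does not record it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four LOG lines quoted in the post plus one made-up benign SYN (last line).
SAMPLE_LOG = """\
Apr 6 15:38:33 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62661 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=9139 RES=0x1c ACK PSH RST SYN URGP=27150
Apr 6 15:43:42 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=62993 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=37400 RES=0x28 RST SYN URGP=16384
Apr 6 16:04:16 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=63976 DF PROTO=TCP SPT=33099 DPT=80 WINDOW=35843 RES=0x08 CWR URG PSH SYN FIN URGP=62489
Apr 6 17:02:50 kernel: TCPANOM: IN=eth0 OUT= SRC=68.2.141.76 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=10770 DF PROTO=TCP SPT=33155 DPT=80 WINDOW=1795 RES=0x00 RST FIN URGP=776
Apr 6 17:05:00 kernel: TCPANOM: IN=eth0 OUT= SRC=192.0.2.10 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) kernel: (?P<prefix>\S+): (?P<rest>.*)$")


def parse_netfilter_line(line, year=2004):
    """Split one netfilter LOG line into a timestamp, KEY=VALUE fields and the set of bare flag tokens.
    The year is assumed (syslog omits it). Returns None for lines that are not LOG output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    fields, flags = {}, set()
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        elif tok == "DF":          # bare IP don't-fragment token
            fields["DF"] = "1"
    return {"ts": ts, "prefix": m["prefix"], "fields": fields, "flags": flags}


def classify_flags(flags, urgp, res):
    """Return the reasons a flag combination is anomalous; an empty list means it is plausible.
    'res' is the reserved-bits value the LOG target prints (RES=0x..), 'urgp' the urgent pointer."""
    reasons = []
    if {"SYN", "FIN"} <= flags:
        reasons.append("SYN+FIN")
    if {"SYN", "RST"} <= flags:
        reasons.append("SYN+RST")
    if {"RST", "FIN"} <= flags:
        reasons.append("RST+FIN")
    if not flags:
        reasons.append("null (no flags)")
    if flags & {"FIN", "PSH", "URG"} and not flags & {"ACK", "SYN", "RST"}:
        reasons.append("FIN/PSH/URG without ACK (Xmas/FIN-style probe)")
    if urgp != 0 and "URG" not in flags:
        reasons.append("urgent pointer set without URG")
    if res != 0:
        reasons.append("reserved header bits set")
    return reasons


def session_summary(records):
    """Per source address: packet count, distinct source ports and inter-arrival gaps in seconds.
    A real stack picks a fresh ephemeral port per connection, so one port reused across minutes
    points at hand-crafted packets; gaps of minutes point at a human rather than a scanner loop."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["fields"]["SRC"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        summary[src] = {
            "packets": len(recs),
            "sports": sorted({int(r["fields"]["SPT"]) for r in recs}),
            "gaps": gaps,
        }
    return summary


def analyze_log(text):
    """Parse a LOG excerpt and return (flagged packets, per-source summary)."""
    records = [r for r in (parse_netfilter_line(l) for l in text.splitlines()) if r]
    flagged = []
    for r in records:
        reasons = classify_flags(r["flags"],
                                 int(r["fields"].get("URGP", "0")),
                                 int(r["fields"].get("RES", "0x0"), 16))
        if reasons:
            flagged.append({"ts": r["ts"], "src": r["fields"]["SRC"],
                            "flags": sorted(r["flags"]), "reasons": reasons})
    return flagged, session_summary(records)


if __name__ == "__main__":
    flagged, summary = analyze_log(SAMPLE_LOG)
    for p in flagged:
        print(p["ts"].strftime("%H:%M:%S"), p["src"], " ".join(p["flags"]), "->", "; ".join(p["reasons"]))
    for src, s in summary.items():
        print(src, "packets=%d sports=%s gaps=%s" % (s["packets"], s["sports"], s["gaps"]))
```

Run against the sample, the four quoted packets are each flagged on at least two independent grounds, the benign SYN passes, and the summary shows 68.2.141.76 reusing source port 33099 for three packets spread over 26 minutes with gaps of minutes rather than milliseconds, which supports the hand-crafted, manually paced reading of the session. Adding further checks (for example, ECE/CWR set on a segment with no SYN) is a matter of extending classify_flags; the parser and summary need no change.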
Current thread:
- Anomalous tcp scan Matthew Hall (Apr 14)