Security Incidents mailing list archives

Port Scanning (perhaps related to "A very strange port scan")


From: warren () BELFER ORG (Warren Belfer)
Date: Tue, 15 Feb 2000 18:28:26 -0800


Hi,

A friend of mine gave me some logs he has collected, to see if I could shed
any light on them - as it turns out, it seems that I need the help of this
group.

For some time now, his site has been receiving a bunch of really odd packets.
They come in groups of about 10, over the course of a few minutes. A few
minutes later another similar group of about 10 packets shows up with a
different IP source address but the same group of source ports. The
destination ports seem almost random most of the time (although the sample
below is less random than most). The port list provided by Russel Fulton in
the thread "A very strange port scan" bears a remarkable resemblance more
typical of what this guy is seeing.

The flags are most interesting, as many of the combinations don't seem to be
legal; looks a lot like a FIN scan, but I cannot imagine why this is going
on for weeks.  The packets are all being silently dropped on the floor by
the firewall, so the sender shouldn't be getting any feedback that would
encourage them to continue.  Over the last weekend, this was repeated with
over three hundred different host IP addresses, almost half of them from the
same domain. On the other hand, I'm guessing the addresses are probably
spoofed (or lots and lots of compromised systems are probing this guy's site).

Most of the packets are empty, but many have option 120 (unknown) set and
lots of data, even though the length shows as short. Excerpt below.

Anybody got any ideas?

Warren

Packets from firewall log (ipfilter)
Feb 15 07:51:06 server1.evil.com,30975 ->
        fw.target.com,49180 PR tcp len 20 48 -ARSFUP
Feb 15 07:51:12 server1.evil.com,29545 ->
        fw.target.com,29797 PR tcp len 20 430 -FUP
Feb 15 07:52:17 server1.evil.com,30973 ->
        fw.target.com,49180 PR tcp len 20 48 -ARFUP
Feb 15 07:52:18 server1.evil.com,30975 ->
        fw.target.com,49172 PR tcp len 20 40 -ARSFUP
Feb 15 07:52:20 server1.evil.com,30969 ->
        fw.target.com,32800 PR tcp len 20 52 -AFUP
Feb 15 07:52:22 server1.evil.com,30973 ->
        fw.target.com,49172 PR tcp len 20 40 -ARFUP
Feb 15 07:52:50 server1.evil.com,30974 ->
        fw.target.com,49172 PR tcp len 20 40 -ARSUP
Feb 15 07:53:00 server1.evil.com,30972 ->
        fw.target.com,49172 PR tcp len 20 40 -ARUP
Feb 15 07:53:04 server1.evil.com,30972 ->
        fw.target.com,32788 PR tcp len 20 40 -ARUP
Feb 15 07:53:11 server1.evil.com,30973 ->
        fw.target.com,49172 PR tcp len 20 40 -ARFUP
Feb 15 07:53:20 server1.evil.com,30969 ->
        fw.target.com,32788 PR tcp len 20 40 -AFUP
Feb 15 07:54:13 server1.evil.com,30973 ->
        fw.target.com,49180 PR tcp len 20 48 -ARFUP
Feb 15 07:54:17 server1.evil.com,30969 ->
        fw.target.com,32788 PR tcp len 20 470 -AFUP

Body of the packet includes (everything after the header):

TCP:    - Option 120 (unknown - 250 bytes)

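Added example, not part of Warren's post or of ipfilter: a small parser for the log lines quoted above that decodes the flag letters (A=ACK, R=RST, S=SYN, F=FIN, U=URG, P=PSH), marks combinations no normal TCP stack emits, and estimates how many bytes follow the headers. It assumes a minimal 20-byte TCP header for that estimate; the regex, field names and the joined-up sample lines are my own construction.

```python
import re
from collections import Counter

# Constructed sample: four of the ipfilter lines quoted in the post, each
# re-joined onto one line (the archive wraps them after "->").
SAMPLE_LOG = """\
Feb 15 07:51:06 server1.evil.com,30975 -> fw.target.com,49180 PR tcp len 20 48 -ARSFUP
Feb 15 07:51:12 server1.evil.com,29545 -> fw.target.com,29797 PR tcp len 20 430 -FUP
Feb 15 07:52:20 server1.evil.com,30969 -> fw.target.com,32800 PR tcp len 20 52 -AFUP
Feb 15 07:53:00 server1.evil.com,30972 -> fw.target.com,49172 PR tcp len 20 40 -ARUP
"""

# ipfilter format: "<ts> <src>,<sport> -> <dst>,<dport> PR tcp len <iphdr> <total> -<flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>\S+),(?P<sport>\d+) -> "
    r"(?P<dst>\S+),(?P<dport>\d+) PR tcp len (?P<hlen>\d+) (?P<tlen>\d+) -(?P<flags>[ARSFUP]+)$"
)

def classify(flags: str) -> list[str]:
    """Reasons a flag combination is one no normal TCP stack emits (empty = plausible)."""
    f = set(flags)
    reasons = []
    if {"S", "F"} <= f:
        reasons.append("SYN and FIN together")
    if {"S", "R"} <= f:
        reasons.append("SYN and RST together")
    if "R" in f and f & {"U", "P"}:
        reasons.append("RST carrying URG/PSH")
    if not f & {"A", "S", "R"}:
        reasons.append("FIN/URG/PSH without ACK (FIN/Xmas-style probe)")
    return reasons

def parse(log: str) -> list[dict]:
    """Parse ipfilter block lines; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        # Bytes beyond the IP header and a minimal 20-byte TCP header: options and/or data.
        r["extra_bytes"] = int(r["tlen"]) - int(r["hlen"]) - 20
        r["reasons"] = classify(r["flags"])
        records.append(r)
    return records

def summarize(records: list[dict]) -> dict:
    """Counts that make the pattern in the post visible: flag combos, reused source ports."""
    return {
        "flag_combos": Counter(r["flags"] for r in records),
        "source_ports": sorted({int(r["sport"]) for r in records}),
        "suspicious": sum(1 for r in records if r["reasons"]),
    }
```

Run `summarize(parse(SAMPLE_LOG))` to see the same few source ports recurring across flag combinations; a real stack never sends SYN together with FIN or RST, so lines carrying those are worth alerting on regardless of source address.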
