Security Incidents mailing list archives
Possible Probe = Possible Malfunction
From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Tue, 25 Jan 2000 18:03:37 -0800
Hi there,

Recently I've had a large number of people report similar probes from all over the place. It's a strange TCP flag combination, but the payload looks like it's some sort of "error" packet. Almost every combination has either the TCP flags pegged with 0xff or completely NULL with 0x00. Could be broken equipment, but it could also be a stealthy probe. I do not think this is an overflow attempt. The other neat thing is that these packets appear to be sent during a web download. What follows are two views of the same data using the mklog Dragon analysis tool. Here are three different examples from three different sites, all from the last day or so:

================================================================================
XXXXXXXXXXXXXX (Towards) 04:21:59
SOURCE: XXX.XXX.XXX.XXX DEST: XXX.XXX.XXX.XXX
--------------------------------------------------------------------------------
45 00 02 40 1a ed 00 00 33 06 7d ed XX XX XX XX XX XX XX XX E..@....3.}.XXXXXXXX
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,x..,
78 ff 82 2c 78 ff 82 2c 78 ff 82 2c 78 ff 82 2c x..,x..,x..,x..,
--------------------------------------------------------------------------------
EVENT1: [TCP-FLAGS] (flags:11FSRPAU,dp=33324,sp=30975)

================================================================================
XXXXXXXXXXXXXX (Towards) 08:12:24
SOURCE: XXX.XXX.XXX.XXX DEST: XXX.XXX.XXX.XXX
--------------------------------------------------------------------------------
45 00 00 28 47 d8 00 00 35 06 36 d6 XX XX XX XX XX XX XX XX E..(G...5.6.XXXXXXXX
78 ff 80 14 78 ff 80 14 78 ff 80 14 78 ff 80 14 78 ff 80 14 x...x...x...x...x...
--------------------------------------------------------------------------------
EVENT1: [TCP-FLAGS] (flags:11FSRPAU,dp=32788,sp=30975)

================================================================================
dragon-sniffer (Towards) 05:25:18
SOURCE: xxx.xxx.xxx.xxx DEST: xxx.xxx.xxx.xxx
--------------------------------------------------------------------------------
45 10 01 37 70 a5 40 00 71 06 be 10 XX XX XX XX XX XX XX XX E..7p.@.q...XXXXXXXX
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 78 ff 81 24 x..$x..$x..$x..$x..$
78 ff 81 24 78 ff 81 24 78 ff 81                            x..$x..$x..
--------------------------------------------------------------------------------
EVENT1: [TCP-FLAGS] (flags:11FSRPAU,dp=33060,sp=30975)

Here are the same events listed and sorted based on the IP address sending the strange TCP flag combinations. The 'DYNAMIC' events are a feature of Dragon which simply starts to sniff and record traffic after an event has occurred:

** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Searching for all packets to/from IP1.IP1.IP1.IP1
** Date: Tuesday January 25 2000
13:13:25 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16940,sp=30975) (dragon-sensor)
13:13:25 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1241,dp=80,flags=---A----) (dragon-sensor)
13:13:25 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=5988,dp=1284,flags=---AP---) (dragon-sensor)
13:13:25 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1241,flags=---A----) (dragon-sensor)
13:13:25 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1241,dp=80,flags=---A----) (dragon-sensor)
13:13:26 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1241,flags=---A----) (dragon-sensor)
13:19:34 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16940,sp=30975) (dragon-sensor)
13:19:34 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:19:34 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:19:34 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---A----) (dragon-sensor)
13:19:34 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:19:34 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:20:59 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16728,sp=30975) (dragon-sensor)
13:20:59 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=30721,dp=49172,flags=-------F) (dragon-sensor)
13:21:00 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:21:00 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---A----) (dragon-sensor)
13:21:00 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:00 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:21:01 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16620,sp=30975) (dragon-sensor)
13:21:01 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:01 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:21:01 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:01 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:01 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:02 [F] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16620,sp=30975,repeat=1) (dragon-sensor)
13:21:23 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16724,sp=30975) (dragon-sensor)
13:21:23 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:23 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:23 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:23 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:21:23 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:21:56 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16496,sp=30975) (dragon-sensor)
13:21:56 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:21:56 [F] IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 [DYNAMIC] (tcp,sp=1251,dp=80,flags=---A----) (dragon-sensor)
13:21:56 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---A----) (dragon-sensor)
13:21:56 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---A----) (dragon-sensor)
13:21:56 [T] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [DYNAMIC] (tcp,sp=80,dp=1251,flags=---AP---) (dragon-sensor)
13:22:12 [F] IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 [TCP-FLAGS] (flags:11FSRPAU,dp=16496,sp=30975,repeat=1) (dragon-sensor)

Ron Gula
Network Security Wizards
http://www.securitywizards.com
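The dumps in the post can be decoded and checked mechanically. The following is an added example, not Ron Gula's code and not part of Dragon or mklog: it decodes the IPv4 and TCP headers of the 40-byte second packet, renders the flag byte in the two notations the sensor output uses (both renderings are this example's reconstruction of the notation seen in the post, not Dragon's actual formatting code), verifies the IP header checksum, and tests whether the TCP header plus payload is just one short byte pattern repeated. The masked "XX" address octets are replaced by the placeholder addresses 10.0.0.1 and 10.0.0.2, so the checksum check fails on this sample by construction; the `dump_to_bytes` helper also accepts the other two dumps pasted verbatim, mapping "XX" to 0x00.

```python
"""Decode a Dragon-style hex dump and run the checks a responder would want.

Added example (not from the post, not Dragon/mklog code): IPv4/TCP header
decoder, the two flag notations seen in the post, an IP checksum check and a
repeated-fill detector.
"""
import struct
from typing import Optional

# Constructed sample: the 40-byte second packet from the post. The post masks
# the addresses as "XX"; here they are the placeholders 10.0.0.1 -> 10.0.0.2,
# so the post's checksum value 0x36d6 cannot verify against them.
SAMPLE_DUMP = (
    "45 00 00 28 47 d8 00 00 35 06 36 d6 0a 00 00 01 0a 00 00 02 "
    "78 ff 80 14 78 ff 80 14 78 ff 80 14 78 ff 80 14 78 ff 80 14"
)

FLAG_LETTERS = "CEUAPRSF"   # TCP flag bits 7..0: CWR ECE URG ACK PSH RST SYN FIN

def dump_to_bytes(dump: str) -> bytes:
    """'hh hh ...' text to bytes; a masked 'XX' octet becomes 0x00."""
    return bytes(0 if tok.upper() == "XX" else int(tok, 16) for tok in dump.split())

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum; returns 0 for a header whose checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
            "ttl": ttl, "protocol": proto, "checksum": csum,
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "payload": pkt[ihl:total_len]}

def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", seg[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_res >> 4) * 4, "flags": flags, "window": win}

def flags_dynamic_style(flags: int) -> str:
    """Bits 7..0 left to right, reserved bits shown as '1': 0x10 -> '---A----',
    0x18 -> '---AP---', the form of the [DYNAMIC] lines in the post."""
    return "".join(("1" if 7 - i >= 6 else letter) if flags >> (7 - i) & 1 else "-"
                   for i, letter in enumerate(FLAG_LETTERS))

def flags_event_style(flags: int) -> str:
    """Two reserved bits, then FIN SYN RST PSH ACK URG: 0xff -> '11FSRPAU',
    the form of the [TCP-FLAGS] events in the post."""
    reserved = "".join("1" if flags >> b & 1 else "-" for b in (7, 6))
    low = "".join(l if flags >> b & 1 else "-" for b, l in zip(range(6), "FSRPAU"))
    return reserved + low

def anomalous_flags(flags: int) -> Optional[str]:
    """Name the flag combinations no conforming TCP stack sends."""
    low = flags & 0x3F
    if low == 0:
        return "null"
    if low == 0x3F:
        return "all-set"
    if flags & 0x02 and flags & 0x01:
        return "syn+fin"
    if flags & 0x02 and flags & 0x04:
        return "syn+rst"
    return None

def repeating_period(data: bytes, max_period: int = 16) -> Optional[int]:
    """Smallest p for which data is its first p bytes repeated (tail may be cut short)."""
    for p in range(1, min(max_period, len(data)) + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return None

def analyse(dump: str) -> dict:
    ip = parse_ipv4(dump_to_bytes(dump))
    tcp = parse_tcp(ip["payload"])
    period = repeating_period(ip["payload"])
    return {"ttl": ip["ttl"], "ip_checksum_ok": ip["checksum_ok"],
            "sport": tcp["sport"], "dport": tcp["dport"],
            "flags_event": flags_event_style(tcp["flags"]),
            "flags_dynamic": flags_dynamic_style(tcp["flags"]),
            "anomaly": anomalous_flags(tcp["flags"]),
            # a declared TCP header longer than the bytes present is itself garbage
            "tcp_offset_fits": tcp["data_offset"] <= len(ip["payload"]),
            "fill_period": period,
            # whole TCP part == sport||dport repeated: looks like a fill/copy bug
            "fill_is_port_pair": period == 4 and
                ip["payload"][:4] == struct.pack("!HH", tcp["sport"], tcp["dport"])}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print(f"{key:18} {value}")
```

On the sample, the decoder reports sp=30975 and dp=32788 (matching the event line), a flag byte of 0xff, a declared TCP data offset of 28 bytes in a segment that is only 20 bytes long, and a fill period of 4 whose unit is exactly the source and destination port pair. A crafted probe would normally carry a sane TCP header behind whatever flag combination it was testing; a header and payload that consist only of the first four header bytes copied over and over point towards a buffer-fill fault in whatever built the packet, which is the "possible malfunction" reading of the subject line. Checking the IP checksum against the real, unmasked addresses would settle much of the question either way, since a corrupted packet rarely has one that verifies.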