Security Incidents mailing list archives

Weird Scan


From: centipede <centiped () netvision net il>
Date: Sun, 16 Dec 2001 21:01:03 +0200

Hello,

Today I received some weird traffic that maybe you guys have already met.
It was a regular 2-packet-long SYN scan to port 80.
My deception tool kit answered the call with 3 SYN-ACK packets,
only to receive 3 RSTs.
At first I thought it was a '6sense' kind of stealth scan,
but after investigating the TTL and the packets' IP ID numbers, I decided both
the SYN and the RST packets came from the same host.
More surprising is the fact that the dtk logged those attempts as coming
from 192.168.0.3 (yep, 192.168.0.0 is the local network).
But I'm not sure it's relevant.

Anyone?

Thanks,
centipede.

{ Attached is the tcpdump log file }
{ Forgive me for dual-posting, I wasn't sure which is more suitable }

20:26:01.046765 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39188)
20:26:01.046964 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3363)
20:26:03.856766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39453)
20:26:03.856831 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3364)
20:26:04.546778 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3365)
20:26:06.796775 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 39691)
20:26:09.546766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41243)
20:26:10.156776 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41334)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
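
The TTL and IP ID comparison described in the post, as an added example that is not part of the original message: it parses the posted tcpdump lines and checks whether the inbound SYNs and RSTs share one TTL and a steadily advancing IP ID. The function names and the `max_step` threshold are assumptions made for this illustration.

```python
import re

# The eight packets from the post's tcpdump log, wrapped lines joined.
LOG = """\
20:26:01.046765 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39188)
20:26:01.046964 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3363)
20:26:03.856766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39453)
20:26:03.856831 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3364)
20:26:04.546778 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3365)
20:26:06.796775 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 39691)
20:26:09.546766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41243)
20:26:10.156776 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41334)
"""

# time, interface, direction, src.port > dst.port: flag ... (ttl N, id N)
LINE = re.compile(r"^\S+ \S+ ([<>]) (\S+)\.\d+ > \S+: (\S+) .*"
                  r"\(ttl (\d+), id (\d+)\)")

def parse(log):
    """Return (direction, src_ip, flag, ttl, ip_id) for each packet line."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            direction, src, flag, ttl, ip_id = m.groups()
            out.append((direction, src, flag, int(ttl), int(ip_id)))
    return out

def same_sender_evidence(log, src, max_step=4096):
    """Compare TTL and IP ID of inbound SYNs and RSTs claiming to be from src.

    max_step is an assumed bound on how far one host's IP ID counter
    advances between consecutive packets seen here; tune it per capture.
    """
    pkts = [p for p in parse(log) if p[0] == "<" and p[1] == src]
    ttl_by_flag = {}
    for _, _, flag, ttl, _ in pkts:
        ttl_by_flag.setdefault(flag, set()).add(ttl)
    ids = [p[4] for p in pkts]
    # IP ID is a 16-bit field, so take differences modulo 2**16 to survive wrap.
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    one_ttl = len(set().union(*ttl_by_flag.values())) == 1
    consistent = one_ttl and all(0 < s <= max_step for s in steps)
    return {"ttl_by_flag": ttl_by_flag, "id_steps": steps, "consistent": consistent}

if __name__ == "__main__":
    print(same_sender_evidence(LOG, "62.177.75.55"))
```

A matching TTL and a steadily advancing ID are consistent with a single sender but do not prove it, since both header fields are set by whoever builds the packet.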
