Security Incidents mailing list archives

Re: more info on ramen.tgz


From: Joe Stewart <jstewart () LURHQ COM>
Date: Wed, 17 Jan 2001 15:56:01 -0500

On Wed, 17 Jan 2001, Jeffrey F. Lawhorn wrote:

> One more thing I've noticed about the synscan in the ramen.tgz, it sends a
> TCP packet to 212.184.80.190 port 80 from port 31337 after it finishes
> scanning each /16.
>
> Unfortunately I was unable to capture any of the actual packets.  Did
> anyone else manage to capture one of these packets?

It's just a SYN-FIN packet like the rest of the packets it sends out. The point
of this last packet is for Synscan's parent process to tell the child process
when to stop listening for incoming SYN-ACKs.

Of course, this opens Synscan itself to a vulnerability of sorts. If you
receive a scan from a host using Synscan, you can retaliate by sending
a spoofed packet to the scanner, pretending to be from 212.184.80.190.
For instance, if you have hping handy:

hping -p 31337 -s 80 -k -S -A -a 212.184.80.190 ip.address.of.scanner

This will shut down the Synscan listener child process. It won't stop the
scan, but it will prevent the script kiddie from getting any useful
information from the scan from that point on.

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewart () lurhq com
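
Added example (not part of the original post, and not Synscan's code): a detection sketch for the packet this thread describes, a SYN-FIN sent from source port 31337 to 212.184.80.190 port 80 when a Synscan host finishes a /16. It classifies raw IPv4 packets; every address and port in the sample traffic other than those three values is constructed.

```python
import socket
import struct

MARKER_DST = "212.184.80.190"   # value from the post
MARKER_DPORT = 80               # value from the post
MARKER_SPORT = 31337            # value from the post
FIN, SYN = 0x01, 0x02

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "ignore"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return "ignore"                  # not TCP, or cut off before the flags byte
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return "ignore"                  # later fragment: carries no TCP header
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if pkt[ihl + 13] & (SYN | FIN) != (SYN | FIN):
        return "ignore"                  # SYN and FIN must both be set
    if (dst, dport, sport) == (MARKER_DST, MARKER_DPORT, MARKER_SPORT):
        return "end-of-/16 marker"
    return "syn-fin probe"

def build(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet for the demo (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)
    return ip + tcp

def marker_sources(packets):
    """Return the source addresses that emitted the end-of-/16 marker."""
    return sorted({socket.inet_ntoa(p[12:16]) for p in packets
                   if classify(p) == "end-of-/16 marker"})

# Constructed sample traffic; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE = [
    build("192.0.2.10", "198.51.100.7", 40000, 21, SYN | FIN),  # ordinary probe
    build("192.0.2.10", MARKER_DST, 31337, 80, SYN | FIN),      # marker packet
    build("192.0.2.99", MARKER_DST, 31337, 80, SYN),            # plain SYN, no FIN
    build("192.0.2.10", "198.51.100.7", 40000, 21, SYN)[:30],   # truncated capture
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(socket.inet_ntoa(p[12:16]), "->", classify(p))
```

The marker can only be seen on the scanning host's own egress path, so this check belongs on outbound traffic, where a match points at an internal machine running Synscan.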

