Security Incidents mailing list archives
Re: more info on ramen.tgz
From: Joe Stewart <jstewart () LURHQ COM>
Date: Wed, 17 Jan 2001 15:56:01 -0500
On Wed, 17 Jan 2001, Jeffrey F. Lawhorn wrote:
One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning each /16. Unfortunately I was unable to capture any of the actual packets. Did anyone else manage to capture one of these packets?
It's just a SYN-FIN packet like the rest of the packets it sends out. The point of this last packet is for Synscan's parent process to tell the child process when to stop listening for incoming SYN-ACKs.

Of course, this opens Synscan itself to a vulnerability of sorts. If you receive a scan from a host using Synscan, you can retaliate by sending a spoofed packet to the scanner, pretending to be from 212.184.80.190. For instance, if you have hping handy:

    hping -p 31337 -s 80 -k -S -A -a 212.184.80.190 ip.address.of.scanner

This will shut down the Synscan listener child process. It won't stop the scan, but it will prevent the script kiddie from getting any useful information from the scan from that point on.

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewart () lurhq com
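Added example (not part of the original thread): the end-of-/16 marker packet described above is distinctive enough to pick out of captured traffic. This Python code parses raw IPv4/TCP bytes and separates that marker from other SYN-FIN packets; the function names, labels and sample addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import socket
import struct

# Values taken from the thread above.
MARKER_DST, MARKER_DPORT, MARKER_SPORT = "212.184.80.190", 80, 31337
FIN, SYN = 0x01, 0x02

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags), or None if not a usable IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                    # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None                              # bad IHL, not TCP, or truncated
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None                              # later fragment: no TCP header here
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]  # byte 13 of TCP header holds flags

def classify(pkt: bytes) -> str:
    """Label a packet: 'synscan-marker', 'syn-fin-probe' or 'ignore'."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return "ignore"
    src, dst, sport, dport, flags = parsed
    if flags & (SYN | FIN) != (SYN | FIN):
        return "ignore"                          # SYN and FIN never belong together
    if (dst, dport, sport) == (MARKER_DST, MARKER_DPORT, MARKER_SPORT):
        return "synscan-marker"                  # sender just finished scanning a /16
    return "syn-fin-probe"

def build_packet(src, dst, sport, dport, flags) -> bytes:
    """Constructed sample packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

if __name__ == "__main__":
    samples = [  # constructed traffic, not captured packets
        build_packet("192.0.2.10", MARKER_DST, 31337, 80, SYN | FIN),
        build_packet("192.0.2.10", "198.51.100.7", 31337, 21, SYN | FIN),
        build_packet("192.0.2.20", "198.51.100.7", 40000, 80, SYN),
    ]
    for p in samples:
        print(parse_ipv4_tcp(p), classify(p))
```

A marker packet leaving your own network points at an internal host running Synscan; SYN-FIN probes arriving from outside point at a remote scanner.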