RE: SYN FIN Scan with src port == dst port

["Fernando Cardoso" <fernando.cardoso () whatevernet com>]

Hi Nicolas
> here some logs from probes done by compromised boxes.
> The first one (hacked_1) is a default RedHat 6.2 and the second one
> (hacked_2) is a default Cobalt 5.0
> Admins have been notified.
>
> Jun 17 21:23:22 my_box_1 snort[468]: SCAN-SYN FIN: hacked_1:511 ->
> my_box_1:511
> Jun 17 21:23:22 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_1:511 ->
> my_box_2:511
[...]
.
> Every packet have the same values for a few fields :
> TOS:0x0 ID:39426 IpLen:20 DgmLen:40 Win: 0x404  TcpLen: 20
>
> Have you ever seen that ?

Everytime :) This is for sure a synscan probe. It has all the symptoms:
source port=destination port, ID=39426 and Window=404.

If you were using the Whitehats signatures for Snort you would find a rule
for that sort of scan.

Cheers

Fernando


--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/



_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------