Security Incidents mailing list archives

Re: Pretty stealthy SSH scanning seen on the Internet.


From: "Crist J. Clark" <cristjc () earthlink net>
Date: Mon, 10 Sep 2001 19:41:45 -0700

On Sun, Sep 09, 2001 at 02:40:36PM -0400, Erik Fichtner wrote:

Hi all, 

Spotted a pretty interesting bit of activity this morning from what appears
to be a compromised x86 Cobalt (linux).     The thing was either
slow-scanning the network, or doing some kind of interleaved scan that
makes it appear to be a slow-scan on the target networks.  The initial
behavior is to scan a host with a SYN packet with matching source and
destination ports, and if the host is responsive, it launches another 
thread to make an actual connect() to the ssh port to gather version
information.

[snip]

When the thing is scanning unresponsive hosts, the following behavior is
seen:

16:48:53.182470 199.171.27.50.22 > xx.xx.xx.xx.22: S [tcp sum ok] 1930393454:1930393454(0) win 39631 (ttl 114, id 51449)
  0000: 4500 0028 c8f9 0000 7206 29d6 c7ab 1b32  E..(Èù..r.)ÖÇ«.2
  0010: xxxx xxxx 0016 0016 730f 776e 3e1b e0b9  xxxx....s.wn>.à¹
  0020: 5002 9acf b593 0000 8888 8888 8888       P..ϵ.........

[snip]

We see that the ttl jumps around a lot and that each of the SYN packets ends 
with "0000 8888 8888 8888".  Since this is a hand-crafted packet, this seems 
to suggest a bug in the scanner that can be fingerprinted.  

The "8888 8888 8888" are not part of the packet. Note that the IP
datagram length is 40 bytes (the 0x28 at bytes 2 and 3 in the packet)
which means everything up to the "0000" is part of the datagram. That
stuff at the end is whatever your gateway uses to pad the Ethernet
frames. It did not come from the IP source.
-- 
Crist J. Clark                           cjclark () alum mit edu
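An added example (not part of the original thread) that parses the dump quoted above and checks the point made here: the IP total length field says where the datagram ends, and the six trailing bytes are exactly the padding a minimum-size Ethernet frame needs, so they are not a fingerprint of the scanner. It assumes the anonymised "xxxx xxxx" destination address is 0000 0000 (a placeholder).

```python
# Added example: show that the trailing "8888 8888 8888" lies beyond the IP
# total length, i.e. it is link-layer padding rather than data the scanner sent.
import struct

# Constructed from the dump in the post; the anonymised "xxxx xxxx" destination
# address is replaced with 0000 0000 here (a placeholder, not a real address).
DUMP = """\
  0000: 4500 0028 c8f9 0000 7206 29d6 c7ab 1b32
  0010: 0000 0000 0016 0016 730f 776e 3e1b e0b9
  0020: 5002 9acf b593 0000 8888 8888 8888
"""

ETH_MIN_PAYLOAD = 46  # 60-byte minimum frame minus the 14-byte Ethernet header

def parse_dump(text):
    """Turn tcpdump -x style lines ('offset: hex words') into raw bytes."""
    hexwords = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        hexwords.extend(line.split(":", 1)[1].split())
    return bytes.fromhex("".join(hexwords))

def analyse(packet):
    """Return the fields that decide where the datagram ends and what is padding."""
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]    # bytes 2-3: IP total length
    ttl, proto = packet[8], packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    tcp = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    trailer = packet[total_len:]                       # bytes after the IP datagram
    expected_pad = max(0, ETH_MIN_PAYLOAD - total_len) # what a short frame needs
    return {
        "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": src, "sport": sport, "dport": dport,
        "syn_only": flags == 0x02,
        "trailer": trailer,
        # True when the trailer is exactly the minimum-frame padding, so it
        # says nothing about how the sender crafted the packet.
        "trailer_is_eth_padding": len(trailer) == expected_pad,
    }

if __name__ == "__main__":
    r = analyse(parse_dump(DUMP))
    print(f"IP total length {r['total_len']} bytes, TCP {r['sport']}->{r['dport']}, "
          f"SYN only: {r['syn_only']}, ttl {r['ttl']}, src {r['src']}")
    print(f"trailer {r['trailer'].hex()} is Ethernet padding: {r['trailer_is_eth_padding']}")
```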

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
