Nmap Announce mailing list archives

Follow up "nmap" scans


From: Lance Spitzner <lance () spitzner net>
Date: Mon, 22 May 2000 18:30:14 -0500 (CDT)

Early this morning I posted to the nmap group
asking if a scan was nmap, and if not, what could
it be.  First, I apologize if I have digressed from 
the listserv, this will be my last posting on the 
thread.  Second, thanks to everyone who responded, 
however the scan is not BO or BO2K related.

First, the signatures again (captured with snort).

05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242 
***FRP** Seq: 0xA1D95   Ack: 0x53   Win: 0x400

thru

05/20-17:06:45.071544 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242 
***FRP** Seq: 0xA1D95   Ack: 0x53   Win: 0x400

The source of the packets is port 31337, scanning dest
ports 1-1024.  However, the packets are not BO. One, they
are TCP (BO is UDP).  Also, the packets are FIN/RST/PUSH,
which no natural TCP stack would create.  Also, I have this
response from Dildog.

--- snip snip ---

A bo2k scanner would never come -from- port 31337.
Something might scan -you- for sockets listening on 31337, but not
the other way around. Regardless, this would have been BO, not BO2K,
since BO2K doesn't have a default port. 
This just looks like a regular port scan to me with a fixed local port.

--- end ---

Second, I doubt that these are created by nmap.  Note the same IP ID,
Seq, Ack, and Win: numbers are used throughout the scan (a feature
that I believe Fyodor fixed long ago).  Also, I do not believe that 
nmap has a F/R/P TCP FLAG option.

Third, the owner of the IP address told me that there is no
system on 192.160.13.4, this means the packets were most likely spoofed.

Very bizarre indeed.  Once again, thanks for your input.  If you
have any ideas, I would love to hear from you, however please email
me directly.  I don't want to consume any more of Fyodor's bandwidth :)

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
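
Added example, not part of the original post: a small detector for the two anomalies the message points out in the snort records, namely identical ID/Seq/Ack/Win values across many destination ports and FIN and RST set in the same packet. The function names, the `min_ports` threshold and the third sample record (including its flag string) are constructed for illustration.

```python
import re
from collections import defaultdict

# First two records are quoted from the post; the third is constructed for contrast.
SAMPLE = """\
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95   Ack: 0x53   Win: 0x400

05/20-17:06:45.071544 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95   Ack: 0x53   Win: 0x400

05/20-17:07:01.000000 10.0.0.5:40112 -> 172.16.1.101:80
TCP TTL:64 TOS:0x0 ID:5121
**S***** Seq: 0x1F2E3D4C   Ack: 0x0   Win: 0x7D78
"""

# One record = address line, IP header line, TCP flags/Seq/Ack/Win line.
RECORD = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+)\s*\n"
    r"(?P<flags>\S+) Seq: (?P<seq>\S+)\s+Ack: (?P<ack>\S+)\s+Win: (?P<win>\S+)"
)

def parse(text):
    """Return one dict of header fields per TCP record found in the log text."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def crafted_scan_sources(records, min_ports=2):
    """Map (src ip, src port) -> reasons its packets look hand-crafted."""
    by_src = defaultdict(list)
    for r in records:
        by_src[(r["src"], r["sport"])].append(r)
    findings = {}
    for key, pkts in by_src.items():
        reasons = []
        ports = {p["dport"] for p in pkts}
        headers = {(p["ipid"], p["seq"], p["ack"], p["win"]) for p in pkts}
        # Packets to different ports sharing every one of these values were built from one template.
        if len(ports) >= min_ports and len(headers) == 1:
            reasons.append("static ID/Seq/Ack/Win across ports")
        # FIN and RST both end a connection; the post notes no natural stack sends F/R/P.
        if any({"F", "R"} <= set(p["flags"]) for p in pkts):
            reasons.append("FIN and RST set together")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for src, why in crafted_scan_sources(parse(SAMPLE)).items():
        print(src, why)
```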




