Snort mailing list archives

RE: Anomalous packet logged by Snort


From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Mon, 8 Apr 2002 09:48:58 -0700

Bill,

Each FTP command is issued in a separate packet, so I'm assuming that
TCPshow amalgamated several packets into "one" to keep the logs brief (as
seen in packet 28 below).  Maybe combined logs don't capture checksums in
TCPshow.  As for an explanation why some are logged as individual packets
and others are combined- I don't know (I haven't used TCPShow).  Can you use
other display options or run it through TCPdump?

Additionally, some FTP daemons require @'hostname' in the PASS for anonymous
logins.  That is why Grim's Ping uses a hostname in the password.

Dan Hawrylkiw, CISSP, GCIA
Network Security Engineer - Intel Corp.
Opinions are my own and not my employer's. </legal blahblah>

-----Original Message-----
From: Bill McCarty [mailto:bmccarty () apu edu]
Sent: Sunday, April 07, 2002 12:56 PM
To: snort users list
Cc: Dan Hawrylkiw
Subject: Re: [Snort-users] Anomalous packet logged by Snort


Hi Dan,

Yes, the string "pguser" indicates that Grim's Ping is likely the tool 
being used. But, I don't think that the identity of the tool is sufficient 
to explain all the observed peculiarities.

First, other packets in the session had IDs and checksums other than zero. 
And, it seems to me that my host's TCP/IP stack would reject a packet 
having a checksum of zero, unless that was the mathematically accurate 
value. So, I don't think Grim's Ping could set the ID and checksum to zero 
in every such packet. Therefore, I don't think that these features can be 
part of the tool's signature, even if they are normal. And, my guess is 
that they're not normal.

Also, the QUIT followed by a PASS seems odd. And, the presence of a host 
name in the PASS doesn't seem right, especially when no delimiter separates 
the host name from the keyword PASS. That just can't be.

Still more significantly, it seems to me that there should be only one FTP 
command in the packet, rather than several. This looks to me like an 
amalgamation of recent packets and some random memory cruft.

Moreover, I don't see these features in some other apparent Grim's Ping 
attacks. For instance:

Packet 13
TIME:   06:11:21.524085
  IP:   65.93.233.121 -> xxx.xxx.xxx.xxx hlen=20 TOS=00 dgramlen=63 id=B3B0
        MF/DF=0/1 frag=0 TTL=107 proto=TCP cksum=08C0
 TCP:   port 2590 -> 21 seq=3755518407 ack=1606071601
        hlen=20 (data=23) UAPRSF=011000 wnd=17145 cksum=7AF9 urg=0
DATA:   PASS Ogpuser () home com.

But, I do see at least one other instance of what appears to me to be a 
badly logged packet:

Packet 28
TIME:   06:11:22.416966
  IP:   65.93.233.121 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=166 id=0000
        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2590 -> 21 seq=1606071884 ack=3755518533
        hlen=20 (data=126) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   8/231/src203.148PASS Ogpuser () home com.
        CWD /pub/.
        MKD 020403080801p.
        CWD /public/incoming/.
        CWD /incoming/.
        CWD /pub/incoming/

So, Grim's Ping is somehow a common element. Could Grim's Ping simply be 
sending packets at a sufficiently rapid rate to overwhelm my Snort? That 
seems to me to answer both the odd packet features and the identity of the 
tool. The packets preceding and following the potentially mangled packets 
do bear timestamps less than 1 msec apart. In fact, the following packet in 
each of the two cases has precisely the same timestamp as the potentially 
mangled packet. That'd be less than a 0.001 msec interval.

Then again, I'm hungry and need lunch....

Thanks,



--On Sunday, April 07, 2002 12:16 PM -0700 Dan Hawrylkiw 
<idontcheckthisaccount () panira net> wrote:


The packets were logged correctly.  This is the signature of Grim's Ping-
a scanning tool that looks for FTP servers with directories that
anonymous users can write to (In other words- new warez sites). The tool
logs in as anonymous and authenticates with Xgpuser () home com (where X is
any uppercase letter).  It tries to find and write to commonly used FTP
directories and reports successes to the attacker.

The author claims its purpose is for "spreading wealth":
___
 >>This program was released in hopes that the general public would get
hooked on scanning public sites and would help "spread the wealth."

---------------------------------------------------
Bill McCarty
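An added example, not code from the thread or from Grim's Ping, that parses the two TCPshow records quoted above and checks both what Dan calls the tool's signature and the header oddities Bill lists. It assumes the archive's "()" in the password stands for "@home.com"; the target address stays masked as on the page.

```python
import re

# Two TCPshow records from the thread (constructed sample, "@home.com" restored).
TCPSHOW_DUMP = """\
Packet 13
  IP:   65.93.233.121 -> xxx.xxx.xxx.xxx hlen=20 TOS=00 dgramlen=63 id=B3B0
        MF/DF=0/1 frag=0 TTL=107 proto=TCP cksum=08C0
 TCP:   port 2590 -> 21 seq=3755518407 ack=1606071601
        hlen=20 (data=23) UAPRSF=011000 wnd=17145 cksum=7AF9 urg=0
DATA:   PASS Ogpuser@home.com.
Packet 28
  IP:   65.93.233.121 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=166 id=0000
        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
 TCP:   port 2590 -> 21 seq=1606071884 ack=3755518533
        hlen=20 (data=126) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   8/231/src203.148PASS Ogpuser@home.com.
        CWD /pub/.
"""
FIELD_RE = re.compile(r"(\w+)=([0-9A-Fa-f/]+)")             # key=value pairs on IP/TCP lines
FTP_VERB_RE = re.compile(r"(USER|PASS|CWD|MKD|QUIT)(?= )")  # verbs, even with junk glued in front
GRIMS_PING_RE = re.compile(r"PASS [A-Z]gpuser@home\.com")   # the anonymous login Dan describes

def parse_tcpshow(text):
    """Split a TCPshow dump into packets: IP/TCP key=value fields plus the DATA lines."""
    packets = []
    for body in re.split(r"^Packet \d+$", text, flags=re.M)[1:]:
        pkt, section = {"ip": {}, "tcp": {}, "data": []}, None
        for line in body.splitlines():
            tag = line[:6].strip().rstrip(":")  # "IP", "TCP", "DATA" or "" on continuation lines
            section = tag.lower() if tag in ("IP", "TCP", "DATA") else section
            if section == "data" and line[6:].strip():
                pkt["data"].append(line[6:].strip())
            elif section in ("ip", "tcp"):
                pkt[section].update(FIELD_RE.findall(line))
        packets.append({**pkt, "data": "\n".join(pkt["data"])})
    return packets

def grims_ping_login(pkt):
    return bool(GRIMS_PING_RE.search(pkt["data"]))  # Xgpuser@home.com password present?

def packet_anomalies(pkt):
    """Flags what Bill found odd: zero IP ID/checksums, several FTP commands, junk before the first."""
    flags = [f for f, h, k in (("ip_id_zero", "ip", "id"), ("ip_cksum_zero", "ip", "cksum"),
                               ("tcp_cksum_zero", "tcp", "cksum")) if int(pkt[h].get(k, "1"), 16) == 0]
    verbs = FTP_VERB_RE.findall(pkt["data"])
    if len(verbs) > 1:
        flags.append("multiple_ftp_commands")
    if verbs and not pkt["data"].startswith(verbs[0]):
        flags.append("garbage_before_command")
    return flags
```

Packet 13 matches the signature with a clean header, while packet 28 matches it too but trips every anomaly check, which separates "tool identification" from "is this record trustworthy".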

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

