Snort mailing list archives
Re: Anomalous packet logged by Snort
From: Dan Hawrylkiw <idontcheckthisaccount () panira net>
Date: Sun, 07 Apr 2002 12:16:39 -0700
The packets were logged correctly. This is the signature of Grim's Ping, a scanning tool that looks for FTP servers with directories that anonymous users can write to (in other words, new warez sites). The tool logs in as anonymous and authenticates with Xgpuser () home com (where X is any uppercase letter). It tries to find and write to commonly used FTP directories and reports successes to the attacker.

The author claims its purpose is for "spreading wealth":

>> This program was released in hopes that the general public would get
>> hooked on scanning public sites and would help "spread the wealth."

The tool's homepage is http://grimsping.cjb.net/

/Dan Hawrylkiw CISSP, GCIA, RHCE
Phoenix Area Network Intrusion Research Alliance

_____________________________________________________________

Bill McCarty wrote:
Today, I noticed an FTP attack among my Snort alerts. I see such attacks every day or two and follow them up diligently. The only hosts on my network that run FTP are honeypots, so such attacks are never false positives. When I investigated, I found one rather odd packet.

Here's a tcpshow dump of the packet:

Packet 110
TIME:   06:35:00.865192
IP:     62.254.50.140 -> xxx.xxx.xxx.xxx hlen=20 TOS=10 dgramlen=159 id=0000
        MF/DF=0/0 frag=0 TTL=240 proto=TCP cksum=0000
TCP:    port 2929 -> 21 seq=2905996287 ack=1728071789
        hlen=20 (data=119) UAPRSF=011000 wnd=5840 cksum=0000 urg=0
DATA:   QUIT.
        xxx-xxxxxxPASS Dgpuser () home com.
        CWD /pub/.
        MKD 020407143116p.
        CWD /public/.
        CWD /pub/incoming/.
        CWD /incoming/.

The packet has several unusual features. Prominent among them is the presence of the string xxx-xxxxxx, which I've obfuscated. The actual value of the string is the name of a sensitive host within my internal network. Since no externally visible DNS server knows the name of this host, the presence of this string concerns me.

But, I begin to suspect that the packet has not been correctly logged. For one thing, as I recall, the QUIT command should mark the end of an FTP session. And, I don't recall that the syntax of the FTP PASS command allows a host name in front of the PASS keyword. Also, I notice that the packet ID and checksum are both 0.

Q: Has anyone experienced badly logged packets? Or, is it more likely that the packet was correctly logged, despite possible evidence to the contrary?

Thanks!

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
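As an added example (not part of the thread, and not code from Grim's Ping or Snort), here is a small Python checker that applies the indicators Dan lists to a captured FTP control-channel payload: a password matching Xgpuser@home.com with X an uppercase letter, an MKD of a twelve-digit name that reads as a YYMMDDHHMMSS timestamp followed by "p" (that reading, and the "20" century, are assumptions), and CWD probes of the common upload directories. The sample payload is constructed to mirror Bill's dump, including the stray QUIT and the obfuscated hostname fused onto PASS, so the check searches the raw payload for the password rather than trusting the capture to split cleanly into commands. The list archive renders "@" as " () "; the example uses the real address form.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample payload modelled on the tcpshow DATA section in Bill's
# post (not a real capture). tcpshow prints each CRLF as "."; here the line
# terminators are real CRLFs. The stray "QUIT" and the obfuscated hostname
# fused onto "PASS" are deliberately kept to exercise the noisy-capture case.
SAMPLE_PAYLOAD = (
    "QUIT\r\n"
    "xxx-xxxxxxPASS Dgpuser@home.com\r\n"
    "CWD /pub/\r\n"
    "MKD 020407143116p\r\n"
    "CWD /public/\r\n"
    "CWD /pub/incoming/\r\n"
    "CWD /incoming/\r\n"
)

# Indicators from Dan's description of Grim's Ping. The password pattern is
# searched over the raw payload, so a capture with PASS glued to other bytes
# (as in the dump above) is still caught.
GP_PASSWORD = re.compile(r"PASS\s+([A-Z]gpuser@home\.com)\b")
# Assumption: the MKD argument is a YYMMDDHHMMSS timestamp plus a trailing "p".
GP_MKD_NAME = re.compile(r"^\d{12}p$")
GP_PROBE_DIRS = ("/pub/", "/public/", "/pub/incoming/", "/incoming/")


def split_commands(payload: str) -> List[Tuple[str, str]]:
    """Split a control-channel payload into (VERB, argument) pairs.

    Lines that do not begin with a clean FTP verb (the hostname fused onto
    PASS in the sample) are kept as-is rather than silently dropped."""
    cmds = []
    for raw in payload.split("\r\n"):
        line = raw.strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        cmds.append((verb.upper(), arg))
    return cmds


def grims_ping_indicators(payload: str) -> Dict[str, object]:
    """Report which Grim's Ping indicators appear in one FTP payload."""
    pw = GP_PASSWORD.search(payload)
    probe_dirs: List[str] = []
    ts_mkd: Optional[str] = None
    for verb, arg in split_commands(payload):
        if verb == "CWD" and arg in GP_PROBE_DIRS and arg not in probe_dirs:
            probe_dirs.append(arg)
        elif verb == "MKD" and GP_MKD_NAME.match(arg):
            ts_mkd = arg
    result: Dict[str, object] = {
        "gp_password": pw.group(1) if pw else None,
        "ts_mkd": ts_mkd,
        "probe_dirs": probe_dirs,
    }
    # The password alone is the tool's signature; a timestamped MKD plus a
    # walk of two or more upload directories is a weaker, corroborating hit.
    result["is_grims_ping"] = bool(pw) or (ts_mkd is not None and len(probe_dirs) >= 2)
    return result


def mkd_timestamp(name: str) -> str:
    """Decode an assumed YYMMDDHHMMSS MKD name; the "20" century is assumed."""
    if not GP_MKD_NAME.match(name):
        raise ValueError("not a Grim's Ping MKD name: %r" % name)
    yy, mo, dd, hh, mi, ss = (name[i:i + 2] for i in range(0, 12, 2))
    return "20%s-%s-%s %s:%s:%s" % (yy, mo, dd, hh, mi, ss)


if __name__ == "__main__":
    report = grims_ping_indicators(SAMPLE_PAYLOAD)
    print(report)
    if report["ts_mkd"]:
        print("MKD timestamp:", mkd_timestamp(report["ts_mkd"]))
```

Run against the sample, the checker reports the password Dgpuser@home.com, the timestamped MKD (decoding to 2002-04-07 14:31:16, which lines up with the date of Bill's post) and all four probe directories; an ordinary anonymous session that lists /pub/ with a different password reports nothing.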
Current thread:
- Anomalous packet logged by Snort Bill McCarty (Apr 07)
- Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- Re: Anomalous packet logged by Snort Dan Hawrylkiw (Apr 14)
- Re: Anomalous packet logged by Snort Bill McCarty (Apr 07)
- Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- Re: Anomalous packet logged by Snort Bill McCarty (Apr 07)
- <Possible follow-ups>
- RE: Anomalous packet logged by Snort Hawrylkiw, Dan G (Apr 08)
- Re: Anomalous packet logged by Snort Chris Green (Apr 08)
- RE: Anomalous packet logged by Snort Safka (Apr 14)