Re: Help! Very wierd traffic.

[Frank Knobbe <fknobbe () knobbeits com>]

On Wed, 2003-02-19 at 11:30, Yonah Russ wrote:
> Hi,
>   I am getting some very weird traffic from a network. It shows up in
> snort as NMAP TCP Scans and MISC source port 53 < 1024 alerts but there
> really seems to be a whole conversation- I can't figure out what the
> conversation is about though- it doesn't match any protocol in ethereal.
>
>   Here is a dump of the traffic- any ideas?
>
>
> 02/19-16:39:34.375895 212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
> UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
> Len: 18
> 00 00 00 00 00 00 00 00 00 00                    ..........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376092 xxx.xxx.xxx.xxx -> 212.25.105.34
> ICMP TTL:255 TOS:0x0 ID:27737 IpLen:20 DgmLen:66 DF
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 212.25.105.34:55 -> xxx.xxx.xxx.xxx:37852
> UDP TTL:55 TOS:0x0 ID:46272 IpLen:20 DgmLen:38
> Len: 18
> ** END OF DUMP
> 45 00 00 26 B4 C0 00 00 37 11 FD 25 D4 19 69 22  E..&....7..%..i"
> 93 A1 01 04 00 37 93 DC 00 12 99 D5 00 00 00 00  .....7..........
> 00 00 00 00 00 00                                ......


Oh, thanks. Doesn't help much to obfuscate your address with x.x.x. when
it's still in the packet dump ;)

Let's see. 212.25.105.34 sent you (147.161.1.4) a UDP packet to your
port 37852. The source port was 55. Strangely enough, it's the same as
the TTL. I'll bet a six-pack that this packet was part of a traceroute
(increasing source port number as it's increasing the TTL).

A TTL of 55 seems a bit high though, given that both of you are in
Israel. You might want to do a traceroute to his IP and confirm the TTL.

Next... 

> 02/19-16:39:34.376328 212.25.105.34:80 -> xxx.xxx.xxx.xxx:53
> TCP TTL:55 TOS:0x0 ID:46274 IpLen:20 DgmLen:40
> ***A**** Seq: 0x38A  Ack: 0x0  Win: 0x578  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376424 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:80
> TCP TTL:64 TOS:0x0 ID:27738 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20

He is doing an ACK scan with nmap to your DNS port. Your box responds
with a Reset.

(I have confirmed that you have indeed port 53 open on that IP).

Next...

> 02/19-16:39:34.376758 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
> TCP TTL:55 TOS:0x0 ID:46275 IpLen:20 DgmLen:40
> ******S* Seq: 0x4EB90C61  Ack: 0x0  Win: 0x578  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:34.376926 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
> TCP TTL:64 TOS:0x0 ID:27739 IpLen:20 DgmLen:44 DF
> ***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24
> TCP Options (1) => MSS: 1460 
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:37.738097 xxx.xxx.xxx.xxx:53 -> 212.25.105.34:53
> TCP TTL:64 TOS:0x0 ID:27740 IpLen:20 DgmLen:44 DF
> ***A**S* Seq: 0x78F6EB69  Ack: 0x4EB90C62  Win: 0xC0A0  TcpLen: 24
> TCP Options (1) => MSS: 1460 
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 02/19-16:39:39.372827 212.25.105.34:53 -> xxx.xxx.xxx.xxx:53
> TCP TTL:55 TOS:0x0 ID:46590 IpLen:20 DgmLen:40
> *****R** Seq: 0x4EB90C62  Ack: 0x0  Win: 0x578  TcpLen: 20
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

He is telnetting to your DNS port from port 53. Most likely not by hand
(as that would be a high port number on his end). My guess is either an
nmap TCP scan, or some tool, perhaps netcat. I don't think it was a
version.bind attempt since there was really no data exchanged in that
session (look at the tcplen).

So what do we got? A scan, reconnaissance probe, nothing more.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part