Snort mailing list archives

Suspect activity: proxy scan attempts, SNMP access, etc


From: "Saken Seifullin" <demetrius13 () mail ru>
Date: Fri, 28 May 2004 08:33:42 +0400

Hello all,

I've noticed very suspect activity from one of the hosts of our corporate B-network. Here is a piece of a Snort log
file (I changed the IP of the suspect host to 10.1.1.1, our IP to 10.2.2.2, and the third-party IP of the ISP router to 11.1.1.1).
Please, could you help me identify what happened? Thanks a lot in advance!

P.S. I tried to log on to https://10.1.1.1 using a web browser and I saw a web page with a "PROTEGO Networks" logo and
an invitation to log in using a name and password. It seems one of PROTEGO Networks' products is installed on that host.

[**] [1:368:4] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:04.125738 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:36641   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS152]

[**] [1:368:4] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:05.120881 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:36641   Seq:256  ECHO
[Xref => http://www.whitehats.com/info/IDS152]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:05.227082 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x3C
10.1.1.1 -> 10.2.2.2 ICMP TTL:56 TOS:0x0 ID:3913 IpLen:20 DgmLen:28
Type:8  Code:0  ID:24939   Seq:7060  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:615:5] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC68E68AE  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3105055 0 NOP WS: 0 
[Xref => http://help.undernet.org/proxyscan/]

[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:11.269691 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33031 -> 10.2.2.2:161 TCP TTL:61 TOS:0x0 ID:17572 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC6C2256F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3105227 0 NOP WS: 0 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]

[**] [1:620:6] SCAN Proxy Port 8080 attempt [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:18.118107 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33557 -> 10.2.2.2:8080 TCP TTL:61 TOS:0x0 ID:19425 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC8032F94  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3105909 0 NOP WS: 0 

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x103A666
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:19.087067 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34330 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33612 TCP TTL:126 TOS:0x0 ID:1624 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x402A766
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:19.787549 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34453 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33654 TCP TTL:126 TOS:0x0 ID:1667 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x402A766
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:21.176282 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34734 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6667 -> 10.1.1.1:33789 TCP TTL:126 TOS:0x0 ID:1800 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x4838A966
** END OF DUMP

[**] [1:618:5] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:21.527533 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33879 -> 10.2.2.2:3128 TCP TTL:61 TOS:0x0 ID:41907 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC7A6C676  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3106245 0 NOP WS: 0 

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:21.819154 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34935 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:33892 TCP TTL:126 TOS:0x0 ID:1902 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x103AA66
** END OF DUMP

[**] [1:1420:3] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:22.162782 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33943 -> 10.2.2.2:162 TCP TTL:61 TOS:0x0 ID:26627 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC7BA0E01  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3106306 0 NOP WS: 0 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:22.598958 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35094 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:33971 TCP TTL:126 TOS:0x0 ID:1980 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x103AA66
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:23.103595 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35172 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34005 TCP TTL:126 TOS:0x0 ID:2014 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x402080A
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:23.777658 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35193 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34006 TCP TTL:126 TOS:0x0 ID:2015 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x4600
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:24.415184 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35214 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34009 TCP TTL:126 TOS:0x0 ID:2016 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x103AC66
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3] 
05/27-10:55:25.038100 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35221 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34012 TCP TTL:126 TOS:0x0 ID:2017 IpLen:20 DgmLen:40
Seq: 0x0  Ack: 0x402080A
** END OF DUMP

[**] [1:628:3] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:25.470114 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:44347 -> 10.2.2.2:1 TCP TTL:46 TOS:0x0 ID:62358 IpLen:20 DgmLen:60
***A**** Seq: 0x2D50C05C  Ack: 0x0  Win: 0x800  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 
[Xref => http://www.whitehats.com/info/IDS28]

[**] [1:1228:3] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2] 
05/27-10:55:25.473381 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:44348 -> 10.2.2.2:1 TCP TTL:41 TOS:0x0 ID:26303 IpLen:20 DgmLen:60
**U*P**F Seq: 0x2D50C05C  Ack: 0x0  Win: 0x400  TcpLen: 40  UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 
[Xref => http://www.whitehats.com/info/IDS30]
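A triage helper for logs like the one above, added here as an example (it is not code from the original poster, from the Snort project, or from PROTEGO Networks). It parses records in Snort's "full" alert format and summarizes, per remote host, which signatures fired, which ports were hit directly, the TTL values seen, and which ports can be inferred from the router's ICMP "administratively prohibited" errors: each of those quotes our own reply packet, so the inner datagram's source port (6666 to 6668 in the post) is a port the remote host connected to that no Snort rule alerted on. The sample input is a constructed subset of the poster's records with the poster's substituted addresses; only the Python 3 standard library is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: five records taken from the post above, with the poster's substituted
# addresses (10.1.1.1 = the host in question, 10.2.2.2 = us, 11.1.1.1 = the ISP router).
SAMPLE_LOG = """\
[**] [1:368:4] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:04.125738 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:36641   Seq:0  ECHO

[**] [1:615:5] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC68E68AE  Ack: 0x0  Win: 0x16D0  TcpLen: 40

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:21.819154 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34935 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:33892 TCP TTL:126 TOS:0x0 ID:1902 IpLen:20 DgmLen:40
** END OF DUMP

[**] [1:628:3] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:25.470114 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:44347 -> 10.2.2.2:1 TCP TTL:46 TOS:0x0 ID:62358 IpLen:20 DgmLen:60
***A**** Seq: 0x2D50C05C  Ack: 0x0  Win: 0x800  TcpLen: 40
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]\s*$")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
IP_RE = re.compile(  # IP header line; port is absent for ICMP
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? (?P<proto>[A-Z]+) TTL:(?P<ttl>\d+)"
)
DUMP_MARK = "** ORIGINAL DATAGRAM DUMP:"


def _port(s):
    return int(s) if s is not None else None


def parse_alerts(text):
    """Parse blank-line separated Snort 'full' alert records into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not a full-format record; skip rather than guess
        ip = IP_RE.match(lines[3])  # lines[1] is classification, lines[2] the timestamp (MACs only with -e)
        rec = {"sid": int(head.group(2)), "msg": head.group(4), "time": TIME_RE.match(lines[2]).group(1),
               "src": ip["src"], "sport": _port(ip["sport"]), "dst": ip["dst"], "dport": _port(ip["dport"]),
               "proto": ip["proto"], "ttl": int(ip["ttl"]), "inner": None}
        for i, line in enumerate(lines):  # ICMP errors quote the datagram that triggered them
            if line.strip() == DUMP_MARK:
                d = IP_RE.match(lines[i + 1])
                rec["inner"] = (d["src"], _port(d["sport"]), d["dst"], _port(d["dport"]))
        alerts.append(rec)
    return alerts


def summarize(alerts, us):
    """Group activity aimed at `us` by remote host. An ICMP admin-prohibited error quotes our
    own reply, so its inner *source* port is a port the remote host reached on us without any
    rule firing ('inferred_ports'); differing TTLs from one host within seconds hint at crafted packets."""
    out = defaultdict(lambda: {"signatures": set(), "probed_ports": set(),
                               "inferred_ports": set(), "ttls": set()})
    for a in alerts:
        if a["inner"] is not None:
            i_src, i_sport, i_dst, _ = a["inner"]
            if i_src == us:
                out[i_dst]["inferred_ports"].add(i_sport)
            continue  # the ICMP sender is an intermediate router, not the probing host
        if a["dst"] == us and a["src"] != us:
            h = out[a["src"]]
            h["signatures"].add(a["msg"])
            h["ttls"].add(a["ttl"])
            if a["dport"] is not None:
                h["probed_ports"].add(a["dport"])
    return {host: {k: sorted(v) for k, v in d.items()} for host, d in out.items()}
```

Run against the constructed sample, `summarize(parse_alerts(SAMPLE_LOG), "10.2.2.2")` attributes everything to 10.1.1.1 and leaves the router out: ports 1 and 1080 seen directly, 6666 and 6668 inferred from the filtered replies, and TTLs 46 and 61 from the same host within twenty seconds.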

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users