Snort mailing list archives
Suspect activity: proxy scan attempts, SNMP access, etc
From: "Saken Seifullin" <demetrius13 () mail ru>
Date: Fri, 28 May 2004 08:33:42 +0400
Hello all,

I've noticed very suspect activity from one of the hosts on our corporate B-network. Here is a piece of the Snort log file (I changed the IP of the suspect host to 10.1.1.1, our IP to 10.2.2.2, and the third-party IP of the ISP router to 11.1.1.1). Please, could you help me identify what happened? Thanks a lot in advance!

P.S. I tried to log on to https://10.1.1.1 using a web browser and I saw a web page with a "PROTEGO Networks" logotype and an invitation to log in using a name and password. It seems one of PROTEGO Networks' products is installed on that host.

[**] [1:368:4] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:04.125738 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:36641 Seq:0 ECHO
[Xref => http://www.whitehats.com/info/IDS152]

[**] [1:368:4] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:05.120881 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:36641 Seq:256 ECHO
[Xref => http://www.whitehats.com/info/IDS152]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:05.227082 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x3C
10.1.1.1 -> 10.2.2.2 ICMP TTL:56 TOS:0x0 ID:3913 IpLen:20 DgmLen:28
Type:8 Code:0 ID:24939 Seq:7060 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:615:5] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC68E68AE Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3105055 0 NOP WS: 0
[Xref => http://help.undernet.org/proxyscan/]

[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:11.269691 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33031 -> 10.2.2.2:161 TCP TTL:61 TOS:0x0 ID:17572 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC6C2256F Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3105227 0 NOP WS: 0
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]

[**] [1:620:6] SCAN Proxy Port 8080 attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:18.118107 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33557 -> 10.2.2.2:8080 TCP TTL:61 TOS:0x0 ID:19425 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC8032F94 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3105909 0 NOP WS: 0

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x103A666
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:19.087067 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34330 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33612 TCP TTL:126 TOS:0x0 ID:1624 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x402A766
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:19.787549 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34453 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33654 TCP TTL:126 TOS:0x0 ID:1667 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x402A766
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:21.176282 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34734 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6667 -> 10.1.1.1:33789 TCP TTL:126 TOS:0x0 ID:1800 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x4838A966
** END OF DUMP

[**] [1:618:5] SCAN Squid Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:21.527533 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33879 -> 10.2.2.2:3128 TCP TTL:61 TOS:0x0 ID:41907 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC7A6C676 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3106245 0 NOP WS: 0

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:21.819154 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34935 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:33892 TCP TTL:126 TOS:0x0 ID:1902 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x103AA66
** END OF DUMP

[**] [1:1420:3] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:22.162782 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33943 -> 10.2.2.2:162 TCP TTL:61 TOS:0x0 ID:26627 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC7BA0E01 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 3106306 0 NOP WS: 0
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:22.598958 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35094 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:33971 TCP TTL:126 TOS:0x0 ID:1980 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x103AA66
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:23.103595 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35172 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34005 TCP TTL:126 TOS:0x0 ID:2014 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x402080A
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:23.777658 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35193 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34006 TCP TTL:126 TOS:0x0 ID:2015 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x4600
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:24.415184 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35214 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34009 TCP TTL:126 TOS:0x0 ID:2016 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x103AC66
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:25.038100 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35221 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6666 -> 10.1.1.1:34012 TCP TTL:126 TOS:0x0 ID:2017 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x402080A
** END OF DUMP

[**] [1:628:3] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:25.470114 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:44347 -> 10.2.2.2:1 TCP TTL:46 TOS:0x0 ID:62358 IpLen:20 DgmLen:60
***A**** Seq: 0x2D50C05C Ack: 0x0 Win: 0x800 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[Xref => http://www.whitehats.com/info/IDS28]

[**] [1:1228:3] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:25.473381 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:44348 -> 10.2.2.2:1 TCP TTL:41 TOS:0x0 ID:26303 IpLen:20 DgmLen:60
**U*P**F Seq: 0x2D50C05C Ack: 0x0 Win: 0x400 TcpLen: 40 UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[Xref => http://www.whitehats.com/info/IDS30]
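A triage script for the Snort full-alert format shown in the post, added here as an example (not part of the original message or of Snort). It groups the scanner's probes by source, and separates the ICMP "administratively prohibited" alerts by the endpoints of the quoted original datagram, so that our own host's packets dropped by the upstream router stand apart from the probes. The sample input is constructed from a few of the alerts above; the parser assumes the first `src[:port] -> dst[:port]` line in a block is the outer packet and any second one is the quoted datagram.

```python
import re
from collections import defaultdict
# Constructed sample in Snort "full" alert format, trimmed from the alerts quoted in the post.
SAMPLE = """\
[**] [1:615:5] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF

[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:11.269691 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:33031 -> 10.2.2.2:161 TCP TTL:61 TOS:0x0 ID:17572 IpLen:20 DgmLen:60 DF

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33570
** END OF DUMP
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$", re.M)
# src[:port] -> dst[:port]; only IPv4 endpoint lines match, not the MAC or timestamp lines
ENDPOINTS = re.compile(r"^([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?", re.M)

def parse_alerts(text):
    """One dict per alert block; an ICMP unreachable carries a 2nd endpoint line for the quoted datagram."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head = HEADER.match(block)
        if not head:
            continue
        ends = ENDPOINTS.findall(block)
        outer, inner = ends[0], (ends[1] if len(ends) > 1 else None)
        yield {"msg": head.group(4), "src": outer[0], "dport": int(outer[3]) if outer[3] else None,
               "inner": inner and (inner[0], inner[2], int(inner[3]))}

def summarize(text):
    """Per outer source: signatures and ports probed; dropped = (our quoted packet, filtering router)."""
    probes, dropped = defaultdict(lambda: {"sigs": set(), "ports": set()}), []
    for a in parse_alerts(text):
        if a["inner"]:
            dropped.append((a["inner"], a["src"]))  # the router reports which of our packets it filtered
        else:
            probes[a["src"]]["sigs"].add(a["msg"])
            probes[a["src"]]["ports"].add(a["dport"])
    return dict(probes), dropped
```

Running `summarize(open("alert").read())` on a real Snort alert file gives the per-source port list that tells a SOCKS/Squid/8080 proxy sweep from an SNMP probe at a glance.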