[Intrusions] 80 to 3669

bryce_alexander at vanguard.com bryce_alexander at vanguard.com
Wed Jun 23 17:32:10 GMT 2004


A couple of scenarios come to mind.

Since the IPs resolve to a direct marketing group this is probably some 
kind of spyware to "enhance your shopping experience." 

Smoothwall is a stateful firewall that will eventually time out a 
connection for no activity. These could be rejected from a long-standing 
session. Unfortunately the firewall logs do not give the flags, so we 
cannot tell if these packets are SYN or ACK.

If it is an ACK then it is the remnants of a long-standing session that 
the firewall lost track of.

If it is a SYN then they are trying to be stealthy with firewalls that are 
not stateful, in order to slip past by looking like a reply to a port 
80 session.

The best way to tell is to turn on the Intrusion detection module (Snort 
plug-in) that comes with Smoothwall and make a filter that captures 
everything that involves those two hosts.

"Butterworth, Jim" <jim.butterworth at guidancesoftware.com>
Sent by: intrusions-bounces at lists.sans.org
06/23/2004 07:09 AM
Please respond to "Intrusions List \(GCIA Practicals\)"

 
        To:     <intrusions at lists.sans.org>
        cc:     (bcc: Bryce Alexander/IT/VGI)
        Subject:        [Intrusions] 80 to 3669

Is the payload HTML, or is there evidence that someone is tunneling 
through port 80 with another tool/app?  Is the dst always the same machine 
on your network?

R/Jim.
GCIA

 -----Original Message-----
From:            intrusions-request at lists.sans.org 
[mailto:intrusions-request at lists.sans.org]
Sent:            Wed Jun 23 05:04:44 2004
To:              intrusions at lists.sans.org
Subject:                 Intrusions Digest, Vol 3, Issue 25



Today's Topics:

   1. odd probes originating from port 80 to 3669/3666 (Gary Hendricks)


----------------------------------------------------------------------

Message: 1
Date: Tue, 22 Jun 2004 20:38:51 +0100
From: "Gary Hendricks" <intrusions at project415.org>
Subject: [Intrusions] odd probes originating from port 80 to 3669/3666
To: <intrusions at lists.sans.org>
Message-ID: <001f01c45890$8cbb5a40$c800a8c0 at stargate>
Content-Type: text/plain; charset="iso-8859-1"

Chaps and chapettes ;-)

I am at wits' end with these; has anyone encountered these as well?

The following extract shows some probes that I am not sure what to make 
of. They all originate from the same domain but 2 different hosts.
Over a 10-day period I got over 11000 of these (see attached text file).

The firewall is Smoothwall 2 Express. I rebuilt the machine in case it was
rootkit'd. I also disconnected all machines behind the firewall to ensure 
it was not a machine soliciting the attention.

I have edited the excerpt so that it looks neat for the purpose of the
question.

Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=13987 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=14051 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31170 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31188 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12300 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12360 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=34033 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=34051 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12392 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12459 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=36864 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=36882 DF PROTO=TCP SPT=80 DPT=3666

%nslookup 217.20.39.46
Name:    osiris-virtualhosts.ehsbrann.com
Address:  217.20.39.46
Aliases:  46.39.20.217.in-addr.arpa

%nslookup 217.20.39.48
Name:    iris-virtualhosts2.ehsbrann.com
Address:  217.20.39.48
Aliases:  48.39.20.217.in-addr.arpa

-Gary

------------------------------

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions


End of Intrusions Digest, Vol 3, Issue 25
*****************************************
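Added here as an illustration, not code from any of the posters: a small Python parser for the Smoothwall (netfilter) kernel-log lines Gary quoted. It groups packets per source host and destination port, measures the interval between bursts, checks the non-DF/DF pairing seen in every burst, and records that no TCP flag tokens appear in the excerpt, which is the gap Bryce points out. The sample log is constructed from six of the thread's own lines, re-joined to one line each.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six of the log entries quoted in the thread, one per line.
LOG = """\
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=13987 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=14051 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31170 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 ID=31188 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12300 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 ID=12360 DF PROTO=TCP SPT=80 DPT=3669
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")
TCP_FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_line(line, year=2004):
    """Turn one syslog/netfilter line into a dict; KEY=VALUE tokens become keys,
    bare tokens (such as DF, the IP don't-fragment bit) go into rec['flags']."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"flags": set()}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        else:
            rec["flags"].add(tok)
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    # Syslog lacks a year; 2004 is assumed from the thread's dates.
    rec["tcp_flags_logged"] = bool(rec["flags"] & TCP_FLAG_TOKENS)
    return rec

def summarize(log):
    """Per (SRC, DPT): packet count, bursts (same-second groups), gaps between
    bursts in seconds, whether each burst is a non-DF packet followed by a DF one,
    and whether any TCP flag tokens were present to tell SYN from ACK."""
    flows = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and rec.get("SPT") == "80":
            flows[(rec["SRC"], rec["DPT"])].append(rec)
    report = {}
    for key, recs in flows.items():
        by_sec = defaultdict(list)
        for r in recs:
            by_sec[r["ts"]].append(r)
        bursts = sorted(by_sec)
        gaps = [int((b - a).total_seconds()) for a, b in zip(bursts, bursts[1:])]
        paired = all([("DF" in r["flags"]) for r in v] == [False, True] for v in by_sec.values())
        report[key] = {"packets": len(recs), "bursts": len(bursts), "gaps_s": gaps,
                       "df_paired": paired, "tcp_flags_logged": any(r["tcp_flags_logged"] for r in recs)}
    return report
```

Run over the full 11000-line capture, the `gaps_s` list shows whether the roughly five-minute cadence holds for the whole period, and `tcp_flags_logged` stays False until the firewall's logging is changed to include flags.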
 