[Intrusions] 80 to 3669
Gary Hendricks
intrusions at project415.org
Wed Jun 23 19:02:48 GMT 2004
Thanks for the replies,
I am going the route of collecting the actual session data via a custom
snort rule.
For the next bit it will be a case of RTFM to figure it out. :-)
I think the server is being rather persistent for trying the connection for
almost a month. (Roughly 1000 a day..)
For the sake of completeness, here are a couple of lines from the log while I
figure out what snort rule to make.
-Gary
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12392 PROTO=TCP SPT=80 DPT=3669 WINDOW=0
RES=0x00 ACK URGP=0
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12459 DF PROTO=TCP SPT=80 DPT=3669
WINDOW=65535 RES=0x00 ACK URGP=0
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=36864 PROTO=TCP SPT=80 DPT=3666 WINDOW=0
RES=0x00 ACK URGP=0
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=36882 DF PROTO=TCP SPT=80 DPT=3666
WINDOW=58400 RES=0x00 ACK URGP=0
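As an added example (not part of Gary's post, and not Smoothwall or Snort code), here is a small parser for the netfilter-style kernel log lines above that applies the SYN-versus-ACK distinction raised in the thread and tallies the pattern per source host and destination port. The fifth sample line, with source 192.0.2.10, is constructed so the SYN branch is exercised; the other four are Gary's lines with the wrapping removed.

```python
import re
from collections import Counter

# Sample input: Gary's four log lines (re-joined) plus one constructed SYN line
# from TEST-NET address 192.0.2.10 so both classifications appear in the output.
SAMPLE_LOG = """\
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12392 PROTO=TCP SPT=80 DPT=3669 WINDOW=0 RES=0x00 ACK URGP=0
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12459 DF PROTO=TCP SPT=80 DPT=3669 WINDOW=65535 RES=0x00 ACK URGP=0
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=36864 PROTO=TCP SPT=80 DPT=3666 WINDOW=0 RES=0x00 ACK URGP=0
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=36882 DF PROTO=TCP SPT=80 DPT=3666 WINDOW=58400 RES=0x00 ACK URGP=0
Jun 22 20:11:03 echelon kernel: IN=eth1 SRC=192.0.2.10 DST=MY.NET.91.172 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=80 DPT=3669 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Bare tokens netfilter emits without a '=' : IP flag DF plus the TCP flag bits.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CWR", "ECE"}


def parse_line(line):
    """Split one kernel log line into key=value fields plus a set of bare flag tokens."""
    m = re.match(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$", line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "flags": set()}
    for tok in m.group(3).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """The thread's two readings: a bare SYN is a new connection attempt dressed up as
    port-80 traffic; an ACK without SYN is a stray segment of a session the stateful
    firewall has already timed out."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "syn"
    if "ACK" in flags and "SYN" not in flags:
        return "ack-only"
    return "other"


def summarize(log_text):
    """Count (SRC, SPT, DPT, class) so the per-host pattern is visible at a glance."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["SRC"], rec["SPT"], rec["DPT"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

Feeding the full Smoothwall log through summarize() shows directly whether the ~11000 entries are all ACK-only (lost-session remnants) or contain SYNs (a connection attempt that merely looks like a reply).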
----- Original Message -----
From: <bryce_alexander at vanguard.com>
To: <intrusions at lists.sans.org>
Cc: <intrusions at project415.org>
Sent: Wednesday, June 23, 2004 6:32 PM
Subject: Re: [Intrusions] 80 to 3669
> A couple of scenarios come to mind.
>
> Since the IPs resolve to a direct marketing group this is probably some
> kind of spyware to "enhance your shopping experience."
>
> Smoothwall is a stateful firewall that will eventually time out a
> connection for no activity. These could be rejected from a long standing
> session. Unfortunately the firewall logs do not give the flags so we
> cannot tell if these packets are syn or ack.
>
> If it is an ack then it is the remnants of a long standing session that
> the firewall lost track of.
>
> If it is a syn then they are trying to be stealthy with firewalls that are
> not stateful in order to slip past by looking like it is a reply to a port
> 80 session.
>
> The best way to tell is to turn on the Intrusion detection module (Snort
> plug-in) that comes with Smoothwall and make a filter that captures
> everything that involves those two hosts.
>
> "Butterworth, Jim" <jim.butterworth at guidancesoftware.com>
> Sent by: intrusions-bounces at lists.sans.org
> 06/23/2004 07:09 AM
> Please respond to "Intrusions List \(GCIA Practicals\)"
>
>
> To: <intrusions at lists.sans.org>
> cc: (bcc: Bryce Alexander/IT/VGI)
> Subject: [Intrusions] 80 to 3669
>
> Is the payload HTML, or is there evidence that someone is tunneling
> through port 80 with another tool/app? Is the dst always the same machine
> on your network?
>
> R/Jim.
> GCIA
>
> -----Original Message-----
> From: intrusions-request at lists.sans.org
> [mailto:intrusions-request at lists.sans.org]
> Sent: Wed Jun 23 05:04:44 2004
> To: intrusions at lists.sans.org
> Subject: Intrusions Digest, Vol 3, Issue 25
>
>
> Today's Topics:
>
> 1. odd probes originating from port 80 to 3669/3666 (Gary Hendricks)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 22 Jun 2004 20:38:51 +0100
> From: "Gary Hendricks" <intrusions at project415.org>
> Subject: [Intrusions] odd probes originating from port 80 to 3669/3666
> To: <intrusions at lists.sans.org>
> Message-ID: <001f01c45890$8cbb5a40$c800a8c0 at stargate>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Chaps and chapettes ;-)
>
> I am at my wits' end with these; has anyone encountered these as well?
>
> The following extract shows some probes that I am not sure what to make
> of:
> They all originate from the same domain but 2 different hosts.
> Over a 10 day period I got over 11000 of these (see attached text file).
>
> The firewall is Smoothwall 2 express. I rebuilt the machine in case it was
> rootkit'd.
> I also disconnected all machines behind the firewall to ensure it was not
> a machine soliciting the attention.
>
> I have edited the excerpt so that it looks neat for the purpose of the
> question.
>
> Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
> ID=13987 PROTO=TCP SPT=80 DPT=3669
> Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
> ID=14051 DF PROTO=TCP SPT=80 DPT=3669
> Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
> ID=31170 PROTO=TCP SPT=80 DPT=3666
> Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
> ID=31188 DF PROTO=TCP SPT=80 DPT=3666
> Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
> ID=12300 PROTO=TCP SPT=80 DPT=3669
> Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
> ID=12360 DF PROTO=TCP SPT=80 DPT=3669
> Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
> ID=34033 PROTO=TCP SPT=80 DPT=3666
> Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
> ID=34051 DF PROTO=TCP SPT=80 DPT=3666
> Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
> ID=12392 PROTO=TCP SPT=80 DPT=3669
> Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
> ID=12459 DF PROTO=TCP SPT=80 DPT=3669
> Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
> ID=36864 PROTO=TCP SPT=80 DPT=3666
> Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
> ID=36882 DF PROTO=TCP SPT=80 DPT=3666
>
> %nslookup 217.20.39.46
> Name: osiris-virtualhosts.ehsbrann.com
> Address: 217.20.39.46
> Aliases: 46.39.20.217.in-addr.arpa
>
> %nslookup 217.20.39.48
> Name: iris-virtualhosts2.ehsbrann.com
> Address: 217.20.39.48
> Aliases: 48.39.20.217.in-addr.arpa
>
> -Gary
>