[Intrusions] A scan I've never seen before...
Jeff Kell
jeff-kell at utc.edu
Wed Jul 6 19:43:11 GMT 2005
I just discovered a scan of a chunk (a /19 worth) of our address space with something I've never seen before. Any hints would be appreciated.
The scans were blocked by an ingress filter, but with an unusual, out-of-place log message (Cisco):
> Jul 6 15:00:27.814 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.132 1 packet
> Jul 6 15:00:28.994 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.137 1 packet [...]
Normally I would expect a "list ingress denied [tcp|udp|protocol#] source(port) -> dest(port)" type message, but this only listed the destination address and no clue what was hitting it. I cobbled together a pcap for later analysis (I can send to anyone who needs further information to decrypt). A quick look with ethereal shows:
A source in Venezuela...
Protocol given as "IP" and Info reads "IPv6 hop-by-hop option (0x00)".
Tcpdump of a couple (obfuscated destination addresses):
> 14:51:00.766976 IP (tos 0x0, ttl 118, id 64188, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.180: ip 48
> 0x0000: 4500 0044 fabc 0000 7600 5ccc 96bb 090b E..D....v.\.....
> 0x0010: 1122 b6b4 4500 2d00 0000 0000 8006 0000 ....E.-.........
> 0x0020: 0000 0000 96b6 b6b4 05e4 01bd 0100 0000 ................
> 0x0030: 0000 0000 7002 faf0 3223 0000 0204 05b4 ....p...2#......
> 0x0040: 0101 0402 ....
> 14:51:00.871265 IP (tos 0x0, ttl 118, id 64444, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.181: ip 48
> 0x0000: 4500 0044 fbbc 0000 7600 5bcb 96bb 090b E..D....v.[.....
> 0x0010: 1122 b6b5 4500 2d00 0000 0000 8006 0000 ....E.-.........
> 0x0020: 0000 0000 96b6 b6b5 05e4 008b 0100 0000 ................
> 0x0030: 0000 0000 7002 faf0 3354 0000 0204 05b4 ....p...3T......
> 0x0040: 0101 0402 ....
Clues? New script kiddie?
Jeff
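An added example, not from Jeff's post or the list: a small Python decoder for the first hexdump above (transcribed with the obfuscated destination left as-is). It parses the outer IPv4 header, sees protocol 0, then decodes the payload as a second IPv4 header carrying a TCP SYN, and flags the length field that does not match the bytes actually present.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the first tcpdump hexdump in the post (offsets and ASCII column removed).
PACKET_HEX = """
4500 0044 fabc 0000 7600 5ccc 96bb 090b
1122 b6b4 4500 2d00 0000 0000 8006 0000
0000 0000 96b6 b6b4 05e4 01bd 0100 0000
0000 0000 7002 faf0 3223 0000 0204 05b4
0101 0402
"""

def hex_to_bytes(dump: str) -> bytes:
    """Join the hex groups of a tcpdump -x dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_ipv4(buf: bytes) -> dict:
    """Decode a 20-byte IPv4 header; len_ok tells whether total length matches the buffer."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "total_len": total_len, "id": ident, "ttl": ttl,
            "proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "len_ok": total_len == len(buf), "payload": buf[ihl:]}

def parse_tcp(buf: bytes) -> dict:
    """Decode the fixed TCP header and return the raw option bytes as hex."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", buf[:16])
    off = (off_flags >> 12) * 4            # data offset in bytes
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(off_flags & 0x02), "ack_flag": bool(off_flags & 0x10),
            "window": win, "options": buf[20:off].hex()}

def decode_scan_packet(dump: str) -> dict:
    """Outer IPv4 -> (if proto 0 and payload looks like IPv4) inner IPv4 -> TCP."""
    outer = parse_ipv4(hex_to_bytes(dump))
    result = {"outer": outer}
    # Protocol 0 is "IPv6 hop-by-hop" in the IANA registry, which is what ethereal
    # reports; here the bytes that follow are really another IPv4 header (0x45).
    if outer["proto"] == 0 and outer["payload"][:1] == b"\x45":
        inner = parse_ipv4(outer["payload"])
        result["inner"] = inner
        if inner["proto"] == 6:            # TCP
            result["tcp"] = parse_tcp(inner["payload"])
    return result
```

Running `decode_scan_packet(PACKET_HEX)` shows the inner header with source 0.0.0.0, a zero checksum and a bogus total length, wrapping a SYN to port 445; those mismatches are the fields a filter or IDS rule can key on.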