[Intrusions] A scan I've never seen before...
ocelot
ocelot at adelphia.net
Thu Jul 7 18:22:07 GMT 2005
Michael; the IPv6 hop/I was hit, knocked offline today, this AM, while just
sitting in one of the Christian chats; I get a lot of hits in all Yahoo
Christian Chats. But this one you speak of yesterday I saw such a name
but, it was =IPv6= nothing else. Hope it helps some; ed
----- Original Message -----
From: "Michael Cloppert" <mike.cloppert at gmail.com>
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Cc: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Wednesday, July 06, 2005 4:45 PM
Subject: Re: [Intrusions] A scan I've never seen before...
> I thought on this for a bit, and couldn't come up with anything
> conclusive. Some thoughts I had, that may or may not help guide your
> investigation:
>
> It's interesting that the protocol field is 0. To my knowledge, this
> isn't any "normal" IP protocol type. You may want to check the
> Ethernet header to see if the 16-bit Type is specified as IPv6.
> Notice how the IP version field is 4 in the IP header -- this doesn't
> jive with the "IPv6 hop-by-hop option (0x00)".
>
> Could this be an O/S fingerprint attempt by fiddling with options?
>
> If you find out what caused this, please let us know. Now you've got
> me curious as well.
>
> Regards,
> Michael Cloppert
>
> On 7/6/05, Jeff Kell <jeff-kell at utc.edu> wrote:
>> I just discovered a scan of a chunk (a /19 worth) of our address space
>> with something I've never seen before. Any hints would be appreciated.
>>
>> The scans were blocked by an ingress filter, but with an unusual,
>> out-of-place log message (Cisco):
>>
>> > Jul 6 15:00:27.814 EDT: %SEC-6-IPACCESSLOGS: list ingress denied
>> > 111.222.191.132 1 packet
>> > Jul 6 15:00:28.994 EDT: %SEC-6-IPACCESSLOGS: list ingress denied
>> > 111.222.191.137 1 packet [...]
>>
>> Normally I would expect a "list ingress denied [tcp|udp|protocol#]
>> source(port) -> dest(port)" type message, but this only listed the
>> destination address and no clue what was hitting it. I cobbled together
>> a pcap for later analysis (I can send to anyone who needs further
>> information to decrypt). A quick look with ethereal shows:
>>
>> A source in Venezuela...
>>
>> Protocol given as "IP" and Info reads "IPv6 hop-by-hop option (0x00)".
>>
>> Tcpdump of a couple (obfuscated destination addresses):
>>
>> > 14:51:00.766976 IP (tos 0x0, ttl 118, id 64188, offset 0, flags [none],
>> > proto 0, length: 68) 150.187.9.11 > 111.222.182.180: ip 48
>> > 0x0000: 4500 0044 fabc 0000 7600 5ccc 96bb 090b
>> > E..D....v.\.....
>> > 0x0010: 1122 b6b4 4500 2d00 0000 0000 8006 0000
>> > ....E.-.........
>> > 0x0020: 0000 0000 96b6 b6b4 05e4 01bd 0100 0000
>> > ................
>> > 0x0030: 0000 0000 7002 faf0 3223 0000 0204 05b4
>> > ....p...2#......
>> > 0x0040: 0101 0402 ....
>> > 14:51:00.871265 IP (tos 0x0, ttl 118, id 64444, offset 0, flags [none],
>> > proto 0, length: 68) 150.187.9.11 > 111.222.182.181: ip 48
>> > 0x0000: 4500 0044 fbbc 0000 7600 5bcb 96bb 090b
>> > E..D....v.[.....
>> > 0x0010: 1122 b6b5 4500 2d00 0000 0000 8006 0000
>> > ....E.-.........
>> > 0x0020: 0000 0000 96b6 b6b5 05e4 008b 0100 0000
>> > ................
>> > 0x0030: 0000 0000 7002 faf0 3354 0000 0204 05b4
>> > ....p...3T......
>> > 0x0040: 0101 0402 ....
>>
>> Clues? New script kiddie?
>>
>> Jeff
>>
>> _______________________________________________
>> Intrusions mailing list
>> Intrusions at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/intrusions
>>
>
>
> --
> ========================
> Michael Cloppert
>
> off-list email: mike at cloppert.org
> http://www.cloppert.org
>
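Added example, not code from the thread or from any of its posters: a small Python decoder for the tcpdump hex dump quoted above. It rebuilds the first packet's 68 bytes from the dump (quote markers and the ASCII column stripped), decodes the outer IPv4 header, and, because protocol 0 is IANA HOPOPT (the IPv6 Hop-by-Hop option, which is why ethereal labelled it that way) rather than IP-in-IP (4) while the 48-byte payload still begins with 0x45, tries to read that payload as a second IPv4 header and whatever TCP header it carries. The poster obfuscated the destination octets, so in the hex they decode to 17.34.182.180 rather than the 111.222.x.x printed in the text; every other value is taken exactly as it appears in the dump. The protocol-name table is a hand-written subset for illustration.

```python
import re
import struct
from ipaddress import IPv4Address

# First packet from the tcpdump output quoted in the thread, with the
# ">> >" quote markers and the ASCII column removed (constructed input).
PACKET_1_DUMP = """\
0x0000: 4500 0044 fabc 0000 7600 5ccc 96bb 090b
0x0010: 1122 b6b4 4500 2d00 0000 0000 8006 0000
0x0020: 0000 0000 96b6 b6b4 05e4 01bd 0100 0000
0x0030: 0000 0000 7002 faf0 3223 0000 0204 05b4
0x0040: 0101 0402
"""

# Small subset of IANA protocol numbers (assumed table for this example).
# 0 is HOPOPT: tools print "IPv6 hop-by-hop option" for it even inside IPv4.
PROTO_NAMES = {0: "HOPOPT", 1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP"}

# Matches "0x0010: 1122 b6b4 ..." lines; ASCII-column lines do not match.
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s*)+)$")

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def parse_hexdump(text):
    """Turn tcpdump -x style lines into raw bytes, skipping non-hex lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def decode_ipv4(buf):
    """Decode an IPv4 header; raise ValueError if the bytes are not one."""
    if len(buf) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(buf):
        raise ValueError("not an IPv4 header")
    return {
        "version": version, "header_len": ihl, "total_len": total_len,
        "id": ident, "ttl": ttl, "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload": buf[ihl:],
    }


def decode_tcp(buf):
    """Decode a TCP header and collect the option kinds it carries."""
    if len(buf) < 20:
        raise ValueError("too short for a TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", buf[:16])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    opts, kinds, i = buf[20:data_off], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP occupies a single byte
            kinds.append(kind)
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                # malformed option, stop parsing
            break
        kinds.append(kind)
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_off": data_off, "flags": flags, "window": window,
            "option_kinds": kinds}


def analyse(dump_text):
    """Outer IPv4 header, then a best-effort decode of the payload as IPv4+TCP."""
    outer = decode_ipv4(parse_hexdump(dump_text))
    result = {"outer": outer, "inner": None, "tcp": None}
    # Protocol 0 is not IP-in-IP, so no tool will decapsulate it for us;
    # since the payload starts with 0x45, try reading it as IPv4 anyway.
    try:
        inner = decode_ipv4(outer["payload"])
    except ValueError:
        return result
    result["inner"] = inner
    if inner["proto"] == 6:
        try:
            result["tcp"] = decode_tcp(inner["payload"])
        except ValueError:
            pass
    return result


if __name__ == "__main__":
    r = analyse(PACKET_1_DUMP)
    for layer in ("outer", "inner", "tcp"):
        print(layer, {k: v for k, v in (r[layer] or {}).items() if k != "payload"})
```

For the first packet this reports an outer header with protocol 0, TTL 118 and ID 64188; an inner IPv4 header with TTL 128, protocol 6, source 0.0.0.0, destination 150.182.182.180 and a length field (0x2d00) that does not match the 48 bytes actually present; and a TCP SYN from port 1508 to port 445 with MSS, NOP, NOP and SACK-permitted options. The second packet in the dump differs only in destination octets, IDs, checksums and a TCP destination port of 139. To pull such packets out of a capture, the tcpdump filter `ip proto 0` matches on the outer protocol field.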