[Intrusions] A scan I've never seen before...

ocelot ocelot at adelphia.net
Thu Jul 7 18:22:07 GMT 2005


Michael; the IPv6 hop/I was hit, knocked offline today, this AM, while just 
sitting in one of the Christian chats; I get a lot of hits in all Yahoo 
Christian chats. But this one you speak of, yesterday I saw such a name, 
but it was =IPv6= nothing else. Hope it helps some;  ed


----- Original Message ----- 
From: "Michael Cloppert" <mike.cloppert at gmail.com>
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Cc: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Wednesday, July 06, 2005 4:45 PM
Subject: Re: [Intrusions] A scan I've never seen before...


> I thought on this for a bit, and couldn't come up with anything
> conclusive.  Some thoughts I had, that may or may not help guide your
> investigation:
>
> It's interesting that the protocol field is 0.  To my knowledge, this
> isn't any "normal" IP protocol type.  You may want to check the
> Ethernet header to see if the 16-bit Type is specified as IPv6.
> Notice how the IP version field is 4 in the IP header -- this doesn't
> jive with the "IPv6 hop-by-hop option (0x00)".
>
> Could this be an O/S fingerprint attempt by fiddling with options?
>
> If you find out what caused this, please let us know.  Now you've got
> me curious as well.
>
> Regards,
> Michael Cloppert
>
> On 7/6/05, Jeff Kell <jeff-kell at utc.edu> wrote:
>> I just discovered a scan of a chunk (a /19 worth) of our address space 
>> with something I've never seen before.  Any hints would be appreciated.
>>
>> The scans were blocked by an ingress filter, but with an unusual, 
>> out-of-place log message (Cisco):
>>
>> > Jul  6 15:00:27.814 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.132 1 packet
>> > Jul  6 15:00:28.994 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.137 1 packet  [...]
>>
>> Normally I would expect a "list ingress denied [tcp|udp|protocol#] 
>> source(port) -> dest(port)" type message, but this only listed the 
>> destination address and no clue what was hitting it.  I cobbled together 
>> a pcap for later analysis (I can send to anyone who needs further 
>> information to decrypt).  A quick look with ethereal shows:
>>
>> A source in Venezuela...
>>
>> Protocol given as "IP" and Info reads "IPv6 hop-by-hop option (0x00)".
>>
>> Tcpdump of a couple (obfuscated destination addresses):
>>
>> > 14:51:00.766976 IP (tos 0x0, ttl 118, id 64188, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.180:  ip 48
>> >         0x0000:  4500 0044 fabc 0000 7600 5ccc 96bb 090b  E..D....v.\.....
>> >         0x0010:  1122 b6b4 4500 2d00 0000 0000 8006 0000  ....E.-.........
>> >         0x0020:  0000 0000 96b6 b6b4 05e4 01bd 0100 0000  ................
>> >         0x0030:  0000 0000 7002 faf0 3223 0000 0204 05b4  ....p...2#......
>> >         0x0040:  0101 0402                                ....
>> > 14:51:00.871265 IP (tos 0x0, ttl 118, id 64444, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.181:  ip 48
>> >         0x0000:  4500 0044 fbbc 0000 7600 5bcb 96bb 090b  E..D....v.[.....
>> >         0x0010:  1122 b6b5 4500 2d00 0000 0000 8006 0000  ....E.-.........
>> >         0x0020:  0000 0000 96b6 b6b5 05e4 008b 0100 0000  ................
>> >         0x0030:  0000 0000 7002 faf0 3354 0000 0204 05b4  ....p...3T......
>> >         0x0040:  0101 0402                                ....
>>
>> Clues?  New script kiddie?
>>
>> Jeff
>>
>> _______________________________________________
>> Intrusions mailing list
>> Intrusions at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/intrusions
>>
>
>
> -- 
> ========================
> Michael Cloppert
>
> off-list email: mike at cloppert.org
> http://www.cloppert.org
>
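An added example, not from anyone in the thread: a small decoder for the first tcpdump packet Jeff posted. It walks the outer IPv4 header, and because the protocol field is 0 (which means nothing as an IPv4 payload; IANA assigns 0 to the IPv6 hop-by-hop option, hence ethereal's label), it tries to parse what follows as a second IPv4 header and, if that one says TCP, the TCP ports and flags. The field names and the `bytes_present` check are the decoder's own; the outer destination decodes to 17.34.182.180 only because Jeff obfuscated it.

```python
import struct
from ipaddress import IPv4Address

# First packet of Jeff's tcpdump output, copied from the thread (the outer
# destination is obfuscated there, so it decodes to 17.34.182.180).
PACKET_HEX = (
    "4500 0044 fabc 0000 7600 5ccc 96bb 090b"
    "1122 b6b4 4500 2d00 0000 0000 8006 0000"
    "0000 0000 96b6 b6b4 05e4 01bd 0100 0000"
    "0000 0000 7002 faf0 3223 0000 0204 05b4"
    "0101 0402"
)
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG")]

def parse_ipv4(buf, offset=0):
    """Parse the IPv4 header at `offset`; return (fields, offset of its payload)."""
    fields = struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = fields
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("no IPv4 header at offset %d" % offset)
    hdr = {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
           "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}
    return hdr, offset + ihl

def parse_tcp(buf, offset):
    """Parse ports, data offset and flag names of the TCP header at `offset`."""
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", buf, offset)
    return {"sport": sport, "dport": dport, "data_off": (off_flags >> 12) * 4,
            "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]}

def decode_packet(hexdump):
    """Decode the outer IPv4 header; if its protocol is 0, try an inner IPv4/TCP."""
    buf = bytes.fromhex(hexdump.replace(" ", ""))
    outer, off = parse_ipv4(buf)
    result = {"outer": outer, "inner": None, "tcp": None}
    # Protocol 0 is meaningless as an IPv4 payload (IANA lists it as IPv6 HOPOPT,
    # hence ethereal's "IPv6 hop-by-hop option" label), so look for a second IPv4 header.
    if outer["proto"] == 0:
        inner, off = parse_ipv4(buf, off)
        # bytes really present from the inner header onward, to compare with its total_len
        inner["bytes_present"] = len(buf) - (off - inner["ihl"])
        result["inner"] = inner
        if inner["proto"] == 6:  # TCP
            result["tcp"] = parse_tcp(buf, off)
    return result

if __name__ == "__main__":
    print(decode_packet(PACKET_HEX))
```

On this packet the inner header has source 0.0.0.0, protocol 6 and a total_len field (0x2d00) that does not match the 48 bytes actually present, and the TCP segment is a SYN from port 1508 to port 445; the same checks applied to an ingress capture would tell you what such proto-0 traffic is really carrying.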
