[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report

James C. Slora, Jr. Jim.Slora at phra.com
Sat Jul 6 00:04:24 GMT 2002


>Do you have any packet details on the 1524 packets?

06/25/02-08:50:20.204635
194.148.17.27:1524 -> myhost:1524 TCP TTL:112 TOS:0x0 ID:60432 IpLen:20
DgmLen:40
******S* Seq: 0x2fcd8976  Ack: 0x45cfa683  Win: 0x6ab1  TcpLen: 20

07/02/02-02:46:44.910763
194.148.17.27:1524 -> myhost:1524 TCP TTL:122 TOS:0x0 ID:60895 IpLen:20
DgmLen:40
******S* Seq: 0x058991f5  Ack: 0x23a714b6  Win: 0x9536  TcpLen: 20

07/02/02-18:41:57.075243
216.228.97.135:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20
DgmLen:40
******S* Seq: 0x5eacb1fd  Ack: 0x59e9d1ba  Win: 0x8291  TcpLen: 20

- Look at the TTL jump on the 194... host! I doubt it's just due to traffic
conditions.
- Interesting ID on 216... host
- Interesting TCP Win on all of them - why the variation on 194... windows?
- Odd that the ID changed by just 463 in a week on 194...
- No IP options set on any of these

The packets look manufactured. Maybe spoofed, maybe not - your thoughts?

>Interesting so visit this site to be probed for trinoo?
>Got a link?

On second look, the site I thought was the trigger (www.umpires.com) doesn't
fit because the web visits occurred a little after the probes (but were
user-initiated). Still - either I'm tripping a trigger or my host made
someone's probe list months ago. It's the only host being probed.

I thought maybe the probing address was being spoofed because of the TTL
change, until I looked at one of the apparent probers. Check out the headers
of the home page for the default web on 194.148.17.27:

HTTP/1.1 302 Found
Date: Fri, 05 Jul 2002 21:46:01 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.3pl1
X-Powered-By: PHP/4.0.3pl1
Status: 302 Moved Temporarily
Set-Cookie: HordeSession=9_b11b2ee7ee07fc452be9735679f5987e; path=/
Location: http://194.148.17.27/index.php3?HordeSession=9_b11b2ee7ee07fc452be9735679f5987e
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

The redirect goes to more dynamic HordeSession pages that all either
redirect again or load other dynamic session pages through framesets. I have
not taken the cookie, but I've followed the redirects through several more
dynamic pages and framesets until they begin looping back on themselves. I
haven't figured out how to learn anything useful from Horde pages in a
web-safe browser. Any tips?

Jim
Clueless as usual
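The header comparison Jim does by eye above (TTL jump, IP ID delta, window values, IpLen:20 meaning no IP options) can be done mechanically over Snort-style packet dumps. The following is an added example for this thread, not code from the post: it parses the three dumps quoted above (used here as the sample input) and summarises the same fields per source address. The hop estimate assumes the sender started from the nearest common initial TTL (32, 64, 128 or 255), and the two extra checks at the end (a bare SYN carrying a non-zero Ack, and no TCP options on a SYN) are my additions, not points the post raises.

```python
"""Parse Snort-style packet dumps and summarise, per source address, the
header artefacts discussed in the thread: TTL spread, IP ID progression,
TCP window values and the absence of IP options.  Example code written
for this thread, not code from the original post."""
import re
from collections import defaultdict
from datetime import datetime

# The three packet dumps from the post, reused here as sample input.
SAMPLE = """\
06/25/02-08:50:20.204635
194.148.17.27:1524 -> myhost:1524 TCP TTL:112 TOS:0x0 ID:60432 IpLen:20
DgmLen:40
******S* Seq: 0x2fcd8976  Ack: 0x45cfa683  Win: 0x6ab1  TcpLen: 20

07/02/02-02:46:44.910763
194.148.17.27:1524 -> myhost:1524 TCP TTL:122 TOS:0x0 ID:60895 IpLen:20
DgmLen:40
******S* Seq: 0x058991f5  Ack: 0x23a714b6  Win: 0x9536  TcpLen: 20

07/02/02-18:41:57.075243
216.228.97.135:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20
DgmLen:40
******S* Seq: 0x5eacb1fd  Ack: 0x59e9d1ba  Win: 0x8291  TcpLen: 20
"""

TS_RE = re.compile(r"^(\d\d/\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+$")
IP_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) TOS:0x[0-9a-fA-F]+ ID:(?P<id>\d+) IpLen:(?P<iplen>\d+)$")
DGM_RE = re.compile(r"^DgmLen:(\d+)$")
# Snort prints the flag byte as eight positions in the order 1 2 U A P R S F.
TCP_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8}) Seq: 0x(?P<seq>[0-9a-fA-F]+)\s+Ack: 0x(?P<ack>[0-9a-fA-F]+)"
    r"\s+Win: 0x(?P<win>[0-9a-fA-F]+)\s+TcpLen: (?P<tcplen>\d+)$")


def parse_records(text):
    """Split the dump into blank-line-separated records and parse each one."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 4:
            raise ValueError(f"unexpected record shape:\n{block}")
        ts, ip, dgm, tcp = (TS_RE.match(lines[0]), IP_RE.match(lines[1]),
                            DGM_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not (ts and ip and dgm and tcp):
            raise ValueError(f"unrecognised record:\n{block}")
        records.append({
            "time": datetime.strptime(f"{ts[1]} {ts[2]}", "%m/%d/%y %H:%M:%S"),
            "src": ip["src"], "dst": ip["dst"],
            "sport": int(ip["sport"]), "dport": int(ip["dport"]),
            "ttl": int(ip["ttl"]), "ip_id": int(ip["id"]),
            "ip_options": int(ip["iplen"]) - 20,     # bytes beyond the fixed IP header
            "tcp_options": int(tcp["tcplen"]) - 20,  # bytes beyond the fixed TCP header
            "flags": tcp["flags"],
            "ack": int(tcp["ack"], 16), "win": int(tcp["win"], 16),
        })
    return records


def estimated_hops(ttl):
    """Hops travelled if the sender started from the nearest common initial TTL."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def summarise(records):
    """Per source: the artefacts the post calls out, plus two SYN sanity checks."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_src[r["src"]].append(r)
    summary = {}
    for src, pk in by_src.items():
        ttls = [r["ttl"] for r in pk]
        summary[src] = {
            "count": len(pk),
            "ttls": ttls,
            "ttl_spread": max(ttls) - min(ttls),
            "hop_estimates": [estimated_hops(t) for t in ttls],
            "ip_id_delta": pk[-1]["ip_id"] - pk[0]["ip_id"],
            "span_days": (pk[-1]["time"] - pk[0]["time"]).total_seconds() / 86400,
            "windows": [r["win"] for r in pk],
            "no_ip_options": all(r["ip_options"] == 0 for r in pk),
            # A bare SYN from a real stack normally carries Ack 0 and an MSS option;
            # these two checks are additions beyond what the post discusses.
            "bare_syn_nonzero_ack": all(r["flags"] == "******S*" and r["ack"] != 0 for r in pk),
            "no_tcp_options": all(r["tcp_options"] == 0 for r in pk),
        }
    return summary


if __name__ == "__main__":
    for src, s in summarise(parse_records(SAMPLE)).items():
        print(src, s)
```

Run against the three dumps it reports, for 194.148.17.27, a TTL spread of 10 (hop estimates 16 then 6), an IP ID delta of 463 across roughly 6.7 days, and both sources with no IP options and no TCP options on their SYNs. Feeding it a longer capture from the same sensor gives the same per-source table without reading each header by hand.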
