[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report
James C. Slora, Jr.
Jim.Slora at phra.com
Sat Jul 6 00:04:24 GMT 2002
>Do you have any packet details on the 1524 packets?
18.104.22.168:1524 -> myhost:1524 TCP TTL:112 TOS:0x0 ID:60432 IpLen:20
******S* Seq: 0x2fcd8976 Ack: 0x45cfa683 Win: 0x6ab1 TcpLen: 20
22.214.171.124:1524 -> myhost:1524 TCP TTL:122 TOS:0x0 ID:60895 IpLen:20
******S* Seq: 0x058991f5 Ack: 0x23a714b6 Win: 0x9536 TcpLen: 20
126.96.36.199:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20
******S* Seq: 0x5eacb1fd Ack: 0x59e9d1ba Win: 0x8291 TcpLen: 20
- Look at the TTL jump on the 194... host! I doubt it's just due to traffic
- Interesting ID on 216... host
- Interesting TCP Win on all of them - why the variation on 194... windows?
- Odd that the ID changed by just 463 in a week on 194...
- No IP options set on any of these
The packets look manufactured. Maybe spoofed, maybe not - your thoughts?
>Interesting so visit this site to be probed for trinoo?
>Got a link?
On second look, the site I thought was the trigger (www.umpires.com) doesn't
fit because the web visits occurred a little after the probes (but were
user-initiated). Still - either I'm tripping a trigger or my host made
someone's probe list months ago. It's the only host being probed.
I thought maybe the probing address was being spoofed because of the TTL
change, until I looked at one of the apparent probers. Check out the headers
of the home page for the default web on 188.8.131.52:
HTTP/1.1 302 Found
Date: Fri, 05 Jul 2002 21:46:01 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.3pl1
Status: 302 Moved Temporarily
Set-Cookie: HordeSession=9_b11b2ee7ee07fc452be9735679f5987e; path=/
The redirect goes to more dynamic HordeSession pages that all either
redirect again or load other dynamic session pages through framesets. I have
not taken the cookie, but I've followed the redirects through several more
dynamic pages and framesets until they begin looping back on themselves. I
haven't figured out how to learn anything useful from Horde pages in a
web-safe browser. Any tips?
Clueless as usual
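As an added example (not part of the original post or the thread), here is a small Python script that turns the header-eyeballing above into repeatable checks. It parses Snort-style two-line packet records, estimates the hop count from the TTL (assuming the sender started from one of the common initial TTLs 64, 128 or 255), and flags traits that generally point at crafted rather than stack-generated SYNs: a bare SYN carrying a non-zero acknowledgment number, a SYN with no TCP options at all (TcpLen 20, so not even an MSS), source port equal to destination port, and, for a source seen more than once, a hop estimate or window size that jumps between packets. The first three records are the ones quoted in the post; the fourth is constructed to show a repeat from the same source, and the threshold `max_hop_spread` is an assumed tuning knob, not anything from the post.

```python
import re
from collections import defaultdict

# Initial TTL values used by common IP stacks; the distance from the nearest
# one at or above the observed TTL is the estimated hop count.
INITIAL_TTLS = (64, 128, 255)

# Two-line Snort-style packet header records. The first three are copied from
# the post; the fourth is CONSTRUCTED to show a second packet from one source.
SAMPLE_LOG = """\
18.104.22.168:1524 -> myhost:1524 TCP TTL:112 TOS:0x0 ID:60432 IpLen:20
******S* Seq: 0x2fcd8976 Ack: 0x45cfa683 Win: 0x6ab1 TcpLen: 20
22.214.171.124:1524 -> myhost:1524 TCP TTL:122 TOS:0x0 ID:60895 IpLen:20
******S* Seq: 0x058991f5 Ack: 0x23a714b6 Win: 0x9536 TcpLen: 20
126.96.36.199:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20
******S* Seq: 0x5eacb1fd Ack: 0x59e9d1ba Win: 0x8291 TcpLen: 20
126.96.36.199:1524 -> myhost:1524 TCP TTL:109 TOS:0x0 ID:1291 IpLen:20
******S* Seq: 0x1a2b3c4d Ack: 0x00000000 Win: 0x2000 TcpLen: 20
"""

HDR_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9a-fA-F]+) ID:(?P<id>\d+) IpLen:(?P<iplen>\d+)$"
)
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9a-fA-F]+) Ack: 0x(?P<ack>[0-9a-fA-F]+) "
    r"Win: 0x(?P<win>[0-9a-fA-F]+) TcpLen: (?P<tcplen>\d+)$"
)


def parse_packets(text):
    """Pair each IP header line with the TCP line that follows it."""
    packets = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for ip_line, tcp_line in zip(lines[0::2], lines[1::2]):
        ip = HDR_RE.match(ip_line)
        tcp = TCP_RE.match(tcp_line)
        if not ip or not tcp:
            raise ValueError(f"unrecognised record: {ip_line!r} / {tcp_line!r}")
        packets.append({
            "src": ip["src"], "sport": int(ip["sport"]),
            "dst": ip["dst"], "dport": int(ip["dport"]),
            "ttl": int(ip["ttl"]), "ipid": int(ip["id"]), "iplen": int(ip["iplen"]),
            "flags": tcp["flags"], "seq": int(tcp["seq"], 16),
            "ack": int(tcp["ack"], 16), "win": int(tcp["win"], 16),
            "tcplen": int(tcp["tcplen"]),
        })
    return packets


def estimated_hops(ttl):
    """Hops travelled if the sender started from the nearest common initial TTL."""
    return min(init - ttl for init in INITIAL_TTLS if init >= ttl)


def analyze(packets, max_hop_spread=4):
    """Return {src: [findings]} for header traits that suggest crafted packets.

    max_hop_spread is an assumed threshold: a hop estimate that moves by more
    than this between packets from one source is worth a closer look.
    """
    findings = defaultdict(list)
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
        tag = f"id={p['ipid']}"
        bare_syn = p["flags"] == "******S*"
        if bare_syn and p["ack"] != 0:
            # A real stack sends a bare SYN with the ACK number zeroed.
            findings[p["src"]].append(f"{tag}: SYN with non-zero ACK number")
        if bare_syn and p["tcplen"] == 20:
            # Real stacks negotiate at least an MSS option on SYN.
            findings[p["src"]].append(f"{tag}: SYN carries no TCP options (no MSS)")
        if p["sport"] == p["dport"]:
            findings[p["src"]].append(f"{tag}: source port equals destination port")
    for src, pkts in by_src.items():
        if len(pkts) < 2:
            continue
        hops = [estimated_hops(p["ttl"]) for p in pkts]
        if max(hops) - min(hops) > max_hop_spread:
            findings[src].append(
                f"hop estimate varies {min(hops)}..{max(hops)} across packets")
        wins = {p["win"] for p in pkts}
        if len(wins) > 1:
            findings[src].append(
                f"window size varies: {sorted(hex(w) for w in wins)}")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in analyze(parse_packets(SAMPLE_LOG)).items():
        print(src)
        for note in notes:
            print("   ", note)
```

None of these checks proves spoofing on its own; a TTL that moves by a few hops can be ordinary route flap, and a nonzero ACK on a SYN is common to many scanners whether or not they forge the source. Together, though, they separate "a host's stack opened a connection" from "a tool built this packet", which is the question the post is asking.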