[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report
Donald.Smith at qwest.com
Sat Jul 6 15:21:53 GMT 2002
Well as soon as I see a fromport = destport, I start
suspecting synscan or one of the variants.
Add the ack value being set on an initial syn and
I would say we have a match. It looks like synscan 1.9++.
> -----Original Message-----
> From: James C. Slora, Jr. [mailto:Jim.Slora at phra.com]
> Sent: Friday, July 05, 2002 6:04 PM
> To: Smith, Donald ; John Sage; list at dshield.org;
> intrusions at incidents.org
> Subject: RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report
> >Do you have any packet details on the 1524 packets?
> 22.214.171.124:1524 -> myhost:1524 TCP TTL:112 TOS:0x0
> ID:60432 IpLen:20
> ******S* Seq: 0x2fcd8976 Ack: 0x45cfa683 Win: 0x6ab1 TcpLen: 20
TTL probably started at 128. If you could run a traceroute and
check hop count to these systems.
> 126.96.36.199:1524 -> myhost:1524 TCP TTL:122 TOS:0x0
> ID:60895 IpLen:20
> ******S* Seq: 0x058991f5 Ack: 0x23a714b6 Win: 0x9536 TcpLen: 20
> 188.8.131.52:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20
> ******S* Seq: 0x5eacb1fd Ack: 0x59e9d1ba Win: 0x8291 TcpLen: 20
> - Look at the TTL jump on the 194... host! I doubt it's just
> due to traffic
Well traffic conditions could account for this but I agree its doubtful.
Later versions of synscan "randomized" the from ttl but that was based on
the largest ttl being 255 and smallest 200.
Because of the way the author did the randomizing the ttl often jumped or
> - Interesting ID on 216... host
I think it's supposed to be random. But the author feeds the srand with
so for a second the id and other "randomized" fields should stay the same.
> - Interesting TCP Win on all of them - why the variation on
> 194... windows?
I suspect randomized also however I haven't seen a copy of
synscan that randomized the window before.
> - Odd that the ID changed by just 463 in a week on 194...
> - No IP options set on any of these
> The packets look manufactured. Maybe spoofed, maybe not -
> your thoughts?
Crafted YES, Spoofed doubtful, given that they are really trying to
find hosts with 1524 open they would want your syn/ack to get back to them.
> >Interesting so visit this site to be probed for trinoo?
> >Got a link?
> On second look, the site I thought was the trigger
fit because the web visits occurred a little after the probes (but were
user-initiated). Still - either I'm tripping a trigger or my host made
someone's probe list months ago. It's the only host being probed.
I thought maybe the probing address was being spoofed because of the TTL
change, until I looked at one of the apparent probers. Check out the headers
of the home page for the default web on 184.108.40.206:
HTTP/1.1 302 Found
Date: Fri, 05 Jul 2002 21:46:01 GMT
Server: Apache/1.3.14 (Unix) PHP/4.0.3pl1
Status: 302 Moved Temporarily
Set-Cookie: HordeSession=9_b11b2ee7ee07fc452be9735679f5987e; path=/
The redirect goes to more dynamic HordeSession pages that all either
redirect again or load other dynamic session pages through framesets. I have
not taken the cookie, but I've followed the redirects through several more
dynamic pages and framesets until they begin looping back on themselves. I
haven't figured out how to learn anything useful from Horde pages in a
web-safe browser. Any tips?
Clueless as usual
More information about the list