[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report

Smith, Donald Donald.Smith at qwest.com
Sat Jul 6 15:21:53 GMT 2002


Well as soon as I see a fromport = destport, I start 
suspecting synscan or one of the variants.
Add the ack value being set on an initial syn and
I would say we have a match. It looks like synscan 1.9++.

 
> -----Original Message-----
> From: James C. Slora, Jr. [mailto:Jim.Slora at phra.com]
> Sent: Friday, July 05, 2002 6:04 PM
> To: Smith, Donald ; John Sage; list at dshield.org;
> intrusions at incidents.org
> Subject: RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report
> 
> 
> 
> 
> >Do you have any packet details on the 1524 packets?
> 
> 06/25/02-08:50:20.204635
> 194.148.17.27:1524 -> myhost:1524 TCP TTL:112 TOS:0x0 
> ID:60432 IpLen:20
> DgmLen:40
> ******S* Seq: 0x2fcd8976  Ack: 0x45cfa683  Win: 0x6ab1  TcpLen: 20
TTL probably started at 128. If you could, run a traceroute and
check the hop count to these systems.
> 
> 07/02/02-02:46:44.910763
> 194.148.17.27:1524 -> myhost:1524 TCP TTL:122 TOS:0x0 
> ID:60895 IpLen:20
> DgmLen:40
> ******S* Seq: 0x058991f5  Ack: 0x23a714b6  Win: 0x9536  TcpLen: 20
> 
> 07/02/02-18:41:57.075243
> 216.228.97.135:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20
> DgmLen:40
> ******S* Seq: 0x5eacb1fd  Ack: 0x59e9d1ba  Win: 0x8291  TcpLen: 20
> 
> - Look at the TTL jump on the 194... host! I doubt it's just 
> due to traffic
> conditions.
Well, traffic conditions could account for this, but I agree it's doubtful.
Later versions of synscan "randomized" the from ttl, but that was based on
the largest ttl being 255 and smallest 200.
Because of the way the author did the randomizing, the ttl often jumped or
dropped by 10!!

> - Interesting ID on 216... host
I think it's supposed to be random. But the author feeds the srand with
time(), so for a second the id and other "randomized" fields should stay the same.

> - Interesting TCP Win on all of them - why the variation on 
> 194... windows?
I suspect randomized also however I haven't seen a copy of 
synscan that randomized the window before. 
> - Odd that the ID changed by just 463 in a week on 194...
> - No IP options set on any of these
> 
> The packets look manufactured. Maybe spoofed, maybe not - 
> your thoughts?
Crafted YES, Spoofed doubtful, given that they are really trying to 
find hosts with 1524 open they would want your syn/ack to get back to them.
> 
> >Interesting so visit this site to be probed for trinoo?
> >Got a link?
> 
> On second look, the site I thought was the trigger
> (www.umpires.com) doesn't fit because the web visits occurred a little
> after the probes (but were user-initiated). Still - either I'm tripping a
> trigger or my host made someone's probe list months ago. It's the only
> host being probed.
> 
> I thought maybe the probing address was being spoofed because of the TTL
> change, until I looked at one of the apparent probers. Check out the
> headers of the home page for the default web on 194.148.17.27:
> 
> HTTP/1.1 302 Found
> Date: Fri, 05 Jul 2002 21:46:01 GMT
> Server: Apache/1.3.14 (Unix) PHP/4.0.3pl1
> X-Powered-By: PHP/4.0.3pl1
> Status: 302 Moved Temporarily
> Set-Cookie: HordeSession=9_b11b2ee7ee07fc452be9735679f5987e; path=/
> Location: http://194.148.17.27/index.php3?HordeSession=9_b11b2ee7ee07fc452be9735679f5987e
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html
> 
> The redirect goes to more dynamic HordeSession pages that all either
> redirect again or load other dynamic session pages through framesets. I
> have not taken the cookie, but I've followed the redirects through several
> more dynamic pages and framesets until they begin looping back on
> themselves. I haven't figured out how to learn anything useful from Horde
> pages in a web-safe browser. Any tips?
> 
> Jim
> Clueless as usual
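As an added illustration (not part of Donald's or Jim's mails), here is a small Python script that parses Snort-style alert records like the ones quoted above and applies the two synscan indicators Donald names: source port equal to destination port, and an initial SYN carrying a non-zero acknowledgement number. It also guesses the sender's initial TTL and the resulting hop count, which is what the traceroute suggestion is meant to confirm, and computes the IP ID drift per source that Jim noticed (463 for 194.148.17.27 across the two records). The three sample records are the ones from the thread, re-joined onto one line each; the fourth, an ordinary client SYN, is constructed here as a control and was not in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ipid: int
    flags: str   # Snort's 8-character flag field, e.g. "******S*"
    seq: int
    ack: int


# Constructed sample input: the three records quoted in the thread, with the
# mail's line wrapping removed so each packet is one line.
SAMPLE_LOG = """\
06/25/02-08:50:20.204635 194.148.17.27:1524 -> myhost:1524 TCP TTL:112 TOS:0x0 ID:60432 IpLen:20 DgmLen:40 ******S* Seq: 0x2fcd8976  Ack: 0x45cfa683  Win: 0x6ab1  TcpLen: 20
07/02/02-02:46:44.910763 194.148.17.27:1524 -> myhost:1524 TCP TTL:122 TOS:0x0 ID:60895 IpLen:20 DgmLen:40 ******S* Seq: 0x058991f5  Ack: 0x23a714b6  Win: 0x9536  TcpLen: 20
07/02/02-18:41:57.075243 216.228.97.135:1524 -> myhost:1524 TCP TTL:117 TOS:0x0 ID:828 IpLen:20 DgmLen:40 ******S* Seq: 0x5eacb1fd  Ack: 0x59e9d1ba  Win: 0x8291  TcpLen: 20
"""

# Constructed control record (not from the thread): a normal client SYN with an
# ephemeral source port and a zero ACK number, which should not be flagged.
NORMAL_LOG = "07/05/02-10:00:00.000000 10.0.0.5:40321 -> myhost:80 TCP TTL:63 TOS:0x0 ID:1 IpLen:20 DgmLen:60 ******S* Seq: 0x00000001  Ack: 0x0  Win: 0xffff  TcpLen: 40"

RECORD_RE = re.compile(
    r"(?P<ts>\S+)\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)\s+"
    r"TCP\s+TTL:(?P<ttl>\d+)\s+TOS:0x[0-9a-fA-F]+\s+ID:(?P<ipid>\d+)\s+"
    r"IpLen:\d+\s+DgmLen:\d+\s+(?P<flags>[\*A-Z12]{8})\s+"
    r"Seq:\s*0x(?P<seq>[0-9a-fA-F]+)\s+Ack:\s*0x(?P<ack>[0-9a-fA-F]+)"
)


def parse_log(text: str) -> List[Packet]:
    """Parse one Snort-style TCP record per line; lines that don't match are skipped."""
    pkts: List[Packet] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        pkts.append(Packet(
            ts=m["ts"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), ttl=int(m["ttl"]),
            ipid=int(m["ipid"]), flags=m["flags"],
            seq=int(m["seq"], 16), ack=int(m["ack"], 16),
        ))
    return pkts


def initial_ttl_guess(ttl: int) -> int:
    """Assume one of the common initial TTLs (64, 128, 255) and pick the
    smallest that is >= the observed value; 112/122/117 all map to 128."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    return 255


def synscan_like(p: Packet) -> bool:
    """Donald's two indicators: sport == dport, and an initial SYN (ACK flag
    clear) that nonetheless carries a non-zero acknowledgement number."""
    syn_only = "S" in p.flags and "A" not in p.flags
    return p.sport == p.dport and syn_only and p.ack != 0


def assess(p: Packet) -> Dict[str, object]:
    """Summarise one packet: heuristic verdict plus a hop-count estimate to
    compare against a traceroute to the source."""
    start = initial_ttl_guess(p.ttl)
    return {
        "src": p.src,
        "synscan_like": synscan_like(p),
        "initial_ttl_guess": start,
        "hop_estimate": start - p.ttl,
    }


def ipid_delta_by_source(pkts: List[Packet]) -> Dict[str, int]:
    """IP ID change between the first and last packet seen from each source."""
    first: Dict[str, int] = {}
    last: Dict[str, int] = {}
    for p in pkts:
        first.setdefault(p.src, p.ipid)
        last[p.src] = p.ipid
    return {src: last[src] - first[src] for src in first}


if __name__ == "__main__":
    probes = parse_log(SAMPLE_LOG)
    for p in probes + parse_log(NORMAL_LOG):
        print(assess(p))
    print(ipid_delta_by_source(probes))
```

The hop estimates (16, 6 and 11 for the three probes) are what a traceroute to each source would be checked against; a large mismatch is the kind of evidence that would point back toward spoofing, while the 194.148.17.27 records alone already differ by 10 hops, the jump Donald attributes to synscan's TTL "randomizing".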
