[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report

Smith, Donald Donald.Smith at qwest.com
Sat Jul 6 19:46:26 GMT 2002


Looks like synscan1.9 or so
(some versions of t0rnScan were based on synscan1.9).

iplen=20; dgmlen=40; fromport=sourceport; SYN packets.
That's a good match for synscan in general except 1.5/1.6, which used
SYNFIN packets.

If you get some of these together within one second
we can see if the "random" header fields change after a second.
(seq,ack,id,ttl?)
This tool definitely crafts the ttl "randomly"?

I changed the packets you sent me to hide your destination address.
I decode the first, then just the ttl out of the rest.
It appears to range around 128.

Thanks.
> -----Original Message-----
> From: Maynard [mailto:bunker at howlingale.org]
> Sent: Friday, July 05, 2002 4:37 PM
> To: Smith, Donald 
> Subject: RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report
> 
> 
> On Fri, 5 Jul 2002 09:27:40 -0600, Smith, Donald  wrote:
> 
> >Do you have any packet details on the 1524 packets?
> 
> I'm not the person from whom you requested this information, 
> but here's what I have on my dialup connection starting 
> 2002/04/26;  times CDT:
> 
> 
> [2002/06/24][21:24:45][Incoming][SRC:194.148.017.027][S-PORT:i
> ngreslock (1524)][D-PORT:ingreslock (1524)]
> [2002/07/01][15:16:18][Incoming][SRC:194.148.017.027][S-PORT:i
> ngreslock (1524)][D-PORT:ingreslock (1524)]
> [2002/07/01][21:23:49][Incoming][SRC:212.249.007.012][S-PORT:i
> ngreslock (1524)][D-PORT:ingreslock (1524)]
> [2002/07/02][20:00:12][Incoming][SRC:194.148.017.027][S-PORT:i
> ngreslock (1524)][D-PORT:ingreslock (1524)]
> 
> their respective packets:
> 
>     0000:  45000028D4830000 -
Tcpversion=4; IHL=20; len=40; id=54403; flags=0; fragoff=0
>            7206B71AC294111B
ttl=114; protocol=6; chksum=B71A; srcaddr=194.148.17.27
>     0010:  AAAAAAAA05F405F4 -
dstaddr=255.255.255.255; srcport=1524; destport=1524;
>            35381B136D941F8C
seq=56105747; ack=114892684
>     0020:  5002E50F244D0000
Flags=SYN
> 

>     0000:  450000281CDF0000 - 77066A02C294111B  E..(....w.j.....
                                ttl=119
>     0010:  AAAAAAAA05F405F4 - 7D8C1AAF7973895C  B..=....}...ys.\
                                ttl=125
>     0020:  5002040747F90000                     P...G...
>
>     0000:  4500002858260000 - 6B06C0A7C294111B  E..(X&..k.......
                                ttl=107
>     0010:  AAAAAAAA05F405F4 - 09D17A574E0BB7EE  @.".......zWN...
>     0020:  50026CC9760C0000                     P.l.v...
>
>     0000:  45000028A7A30000 - 7306DAE7D4F9070C  E..(....s.......
                                ttl=115
>     0010:  AAAAAAAA05F405F4 - 15F2B06B6D4D21A3  B..=.......kmM!.
>     0020:  5002EDA39BC30000                     P.......
> 
> 
> 

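An added example, not part of the thread or of any of the tools named in it: a small Python decoder for the four hex dumps quoted above (destination address already masked as AA AA AA AA by the poster), which pulls out the fields the discussion turns on (IHL, datagram length, id, TTL, ports, seq/ack, TCP flags) and checks each packet against the "iplen=20; dgmlen=40; sport==dport; SYN only" shape the thread attributes to synscan 1.9-style probes. The profile test and the summary helper are this example's own assumptions about what a log analyst would want to compare, not something the thread defines.

```python
import struct

# Hex dumps copied from the quoted report (separators and whitespace removed).
# Each is a full 40-byte IPv4+TCP header; the AAAAAAAA destination is the
# poster's mask, not a real address.
SAMPLE_PACKETS = [
    "45000028D48300007206B71AC294111BAAAAAAAA05F405F435381B136D941F8C5002E50F244D0000",
    "450000281CDF000077066A02C294111BAAAAAAAA05F405F47D8C1AAF7973895C5002040747F90000",
    "45000028582600006B06C0A7C294111BAAAAAAAA05F405F409D17A574E0BB7EE50026CC9760C0000",
    "45000028A7A300007306DAE7D4F9070CAAAAAAAA05F405F415F2B06B6D4D21A35002EDA39BC30000",
]

# TCP flag bits in the order we want them reported.
TCP_FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
                  (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]


def decode_ipv4_tcp(hexdump):
    """Decode the fixed IPv4 header and the fixed TCP header of one hex dump."""
    raw = bytes.fromhex(hexdump)
    # IPv4: ver/IHL, TOS, total length, id, flags+frag offset, TTL, proto, csum, src, dst
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = raw[ihl:]
    # TCP: sport, dport, seq, ack, data offset/reserved, flags, window, csum, urgent
    (sport, dport, seq, ack, off_res, tcp_flags, win,
     _tcp_csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "ip_hdr_len": ihl,
        "dgm_len": total_len,
        "id": ident,
        "frag": flags_frag,
        "ttl": ttl,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if tcp_flags & bit],
        "tcp_hdr_len": (off_res >> 4) * 4,
        "window": win,
    }


def matches_synscan_profile(pkt):
    """Assumed profile from the thread: bare 20-byte IP and TCP headers,
    40-byte datagram, source port equal to destination port, SYN only."""
    return (pkt["ip_hdr_len"] == 20 and pkt["dgm_len"] == 40
            and pkt["tcp_hdr_len"] == 20
            and pkt["sport"] == pkt["dport"]
            and pkt["flags"] == ["SYN"])


def summarize(hexdumps):
    """Collect the per-packet fields the thread asks about (ttl, id) and
    whether every packet fits the assumed scanner profile."""
    pkts = [decode_ipv4_tcp(h) for h in hexdumps]
    return {
        "ttls": [p["ttl"] for p in pkts],
        "ids": [p["id"] for p in pkts],
        "distinct_ttls": len({p["ttl"] for p in pkts}),
        "all_match_profile": all(matches_synscan_profile(p) for p in pkts),
    }


if __name__ == "__main__":
    for p in map(decode_ipv4_tcp, SAMPLE_PACKETS):
        print(f"{p['src']:>15} -> {p['dst']:<15} id={p['id']:<6} ttl={p['ttl']:<4} "
              f"{p['sport']}->{p['dport']} flags={'/'.join(p['flags'])}")
    print(summarize(SAMPLE_PACKETS))
```

Running it reproduces the TTLs annotated in the thread (114, 119, 107, 115) and confirms that all four probes share the 40-byte, source-port-equals-destination-port, SYN-only shape; extending `summarize` with the IP id and TCP seq/ack columns is how one would test the "do the random fields change within a second" question raised above once timestamped captures are available.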