[Dshield] Strange stuff

Kenneth Williams ken at kwilliams.org
Wed Mar 13 00:34:00 GMT 2002


For the last week or so my Apache Web server has been regularly probed by a handful of addresses. Each probe occurs on about 1 minute intervals and I believe the probes to be identical. They are not of the variety which my snort IDS detects as malicious; however, they all appear to be directed at port 80 with the SYN bit set. I have blocked them and have taken sample dumps of the packets but am unable to determine the intent. This is what I observe.

First, the packet from a dump file (tcpdump):

15:58:31.918733 0:10:67:0:f1:f8 0:c0:f0:48:1c:9e ip 60: www.cc.rapidsite.net.49629 > mail.kwilliams.org.www: S [tcp sum ok] 3965648896:3965648896(0) win 65535 [tos 0x8]  (ttl 242, id 49168, len 40)
0x0000   4508 0028 c010 0000 f206 7bcd 8367 f877        E..(......{..g.w
0x0010   40ad d05d c1dd 0050 ec5f 0000 0000 0000        @..]...P._......
0x0020   5002 ffff 746b 0000 0000 0000 0000             P...tk........

While this is unblocked, these sites appear to tie up my Apache daemon with attachments to the server doing nothing; netstat shows them with a connection in SYNC_RECV state.

Once blocked with ipchains I see:

Mar 12 15:55:40 mail kernel: Packet log: input DENY eth0 PROTO=6 209.130.30.130:49844 64.173.208.93:80 L=40 S=0x08 I=43872 F=0x0000 T=239 SYN (#2)
Mar 12 15:56:05 mail kernel: Packet log: input DENY eth0 PROTO=6 131.103.248.119:55178 64.173.208.93:80 L=40 S=0x08 I=9743 F=0x0000 T=242 SYN (#4)
Mar 12 15:56:38 mail kernel: Packet log: input DENY eth0 PROTO=6 209.130.30.130:17997 64.173.208.93:80 L=40 S=0x08 I=48844 F=0x0000 T=239 SYN (#2)
Mar 12 15:56:46 mail kernel: Packet log: input DENY eth0 PROTO=6 204.0.52.162:35027 64.173.208.93:80 L=40 S=0x08 I=50088 F=0x0000 T=114 SYN (#3)
Mar 12 15:56:54 mail kernel: Packet log: input DENY eth0 PROTO=6 131.103.248.119:53535 64.173.208.93:80 L=40 S=0x08 I=5829 F=0x0000 T=242 SYN (#4)
Mar 12 15:57:36 mail kernel: Packet log: input DENY eth0 PROTO=6 209.130.30.130:27847 64.173.208.93:80 L=40 S=0x08 I=39494 F=0x0000 T=239 SYN (#2)

Interesting thing is they are all from locations I don't recognize and all of a length 40.

Am I missing the obvious or does somebody have the clue I obviously don't???

Ken Williams
ken at kwilliams.org
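As an added example (not the poster's own code, and not from any list member), here is a small Python parser for the ipchains "Packet log:" lines quoted above. It groups the denied SYNs by source address and reports the count, the inter-probe spacing, the observed TTL and a hop-count guess, so the "about 1 minute intervals" and "all of length 40" observations can be checked mechanically. It assumes the log lines have been rejoined onto single lines; the hop estimate from initial TTLs of 64/128/255 is a common heuristic, not a fact the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the six ipchains lines quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Mar 12 15:55:40 mail kernel: Packet log: input DENY eth0 PROTO=6 209.130.30.130:49844 64.173.208.93:80 L=40 S=0x08 I=43872 F=0x0000 T=239 SYN (#2)
Mar 12 15:56:05 mail kernel: Packet log: input DENY eth0 PROTO=6 131.103.248.119:55178 64.173.208.93:80 L=40 S=0x08 I=9743 F=0x0000 T=242 SYN (#4)
Mar 12 15:56:38 mail kernel: Packet log: input DENY eth0 PROTO=6 209.130.30.130:17997 64.173.208.93:80 L=40 S=0x08 I=48844 F=0x0000 T=239 SYN (#2)
Mar 12 15:56:46 mail kernel: Packet log: input DENY eth0 PROTO=6 204.0.52.162:35027 64.173.208.93:80 L=40 S=0x08 I=50088 F=0x0000 T=114 SYN (#3)
Mar 12 15:56:54 mail kernel: Packet log: input DENY eth0 PROTO=6 131.103.248.119:53535 64.173.208.93:80 L=40 S=0x08 I=5829 F=0x0000 T=242 SYN (#4)
Mar 12 15:57:36 mail kernel: Packet log: input DENY eth0 PROTO=6 209.130.30.130:27847 64.173.208.93:80 L=40 S=0x08 I=39494 F=0x0000 T=239 SYN (#2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\S+) (?P<verdict>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>.*)$"
)

def parse_line(line):
    """Return a dict of the fields in one ipchains log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[k] = int(rec[k])
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    # L=40 is a bare 20-byte IP header plus 20-byte TCP header: a SYN with no options, no payload.
    rec["syn_only_probe"] = rec["proto"] == 6 and rec["length"] == 40 and "SYN" in rec["flags"]
    return rec

def hops_estimate(ttl):  # distance guess from the common initial TTLs 64/128/255 (a heuristic)
    return min(t for t in (64, 128, 255) if t >= ttl) - ttl

def summarize(log_text):
    """Group records by source address; report count, TTLs, hop guess and seconds between probes."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_src[rec["src"]].append(rec)
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        out[src] = {"count": len(recs), "gaps_sec": gaps,
                    "ttls": sorted({r["ttl"] for r in recs}),
                    "hops": sorted({hops_estimate(r["ttl"]) for r in recs}),
                    "all_syn_only": all(r["syn_only_probe"] for r in recs)}
    return out
```

Running summarize(SAMPLE_LOG) on the post's lines shows 209.130.30.130 hitting every 58 seconds with a constant TTL, which is the regular, header-only SYN pattern the post describes.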