[Dshield] TCP:11117 - ACID Incident Report, p0f

John Sage jsage at finchhaven.com
Thu Nov 21 07:21:44 GMT 2002


Odd..

snort 1.8.7 into ACID, followed by p0f's OS interpretation

----- Forwarded message from ACID Alert <acid at finchhaven.com> -----

Date: Wed, 20 Nov 2002 23:07:00 -0800
From: ACID Alert <acid at finchhaven.com>
Generated by ACID v0.9.6b21 on Wed November 20, 2002 23:07:00

------------------------------------------------------------------------------
#(525 - 18) [2002-11-20 06:12:54]  TCP inbound to range 1025-60999
IPv4: 131.123.87.49 -> 12.82.128.253
      hlen=5 TOS=128 dlen=48 ID=31535 flags=0 offset=0 TTL=113 chksum=9757
TCP:  port=2186 -> dport: 11117  flags=******S* seq=985590822
      ack=0 off=7 res=0 win=64240 urp=0 chksum=50518
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 19) [2002-11-20 06:12:57]  TCP inbound to range 1025-60999
IPv4: 131.123.87.49 -> 12.82.128.253
      hlen=5 TOS=128 dlen=48 ID=31569 flags=0 offset=0 TTL=113 chksum=9723
TCP:  port=2186 -> dport: 11117  flags=******S* seq=985590822
      ack=0 off=7 res=0 win=64240 urp=0 chksum=50518
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 20) [2002-11-20 06:13:02]  TCP inbound to range 1025-60999
IPv4: 131.123.87.49 -> 12.82.128.253
      hlen=5 TOS=128 dlen=48 ID=31625 flags=0 offset=0 TTL=113 chksum=9667
TCP:  port=2186 -> dport: 11117  flags=******S* seq=985590822
      ack=0 off=7 res=0 win=64240 urp=0 chksum=50518
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------

<Wed Nov 20 06:12:54 2002> 131.123.87.49 [16 hops]: Windows XP Pro, Windows 2000 Pro
 131.123.87.49:2186 -> 12.82.128.253:11117 (timestamp: 34003056 @1037801574)
<Wed Nov 20 06:12:57 2002> 131.123.87.49 [16 hops]: Windows XP Pro, Windows 2000 Pro
 131.123.87.49:2186 -> 12.82.128.253:11117 (timestamp: 34003056 @1037801577)
<Wed Nov 20 06:13:03 2002> 131.123.87.49 [16 hops]: Windows XP Pro, Windows 2000 Pro
 131.123.87.49:2186 -> 12.82.128.253:11117 (timestamp: 34003056 @1037801583)


------------------------------------------------------------------------------
#(525 - 202) [2002-11-20 09:50:52]  TCP inbound to range 1025-60999
IPv4: 65.119.62.2 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=25627 flags=0 offset=0 TTL=114 chksum=38884
TCP:  port=61999 -> dport: 11117  flags=******S* seq=3426313492
      ack=0 off=7 res=0 win=64240 urp=0 chksum=11387
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 203) [2002-11-20 09:50:55]  TCP inbound to range 1025-60999
IPv4: 65.119.62.2 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=25650 flags=0 offset=0 TTL=114 chksum=38861
TCP:  port=61999 -> dport: 11117  flags=******S* seq=3426313492
      ack=0 off=7 res=0 win=64240 urp=0 chksum=11387
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------

<Wed Nov 20 09:50:52 2002> 65.119.62.2 [15 hops]: Windows XP Pro, Windows 2000 Pro
 65.119.62.2:61999 -> 12.82.128.253:11117 (timestamp: 35309278 @1037814652)
<Wed Nov 20 09:50:55 2002> 65.119.62.2 [15 hops]: Windows XP Pro, Windows 2000 Pro
 65.119.62.2:61999 -> 12.82.128.253:11117 (timestamp: 35309278 @1037814655)


------------------------------------------------------------------------------
#(525 - 224) [2002-11-20 10:05:01]  TCP inbound to range 1025-60999
IPv4: 65.93.23.87 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=14083 flags=0 offset=0 TTL=109 chksum=61633
TCP:  port=3954 -> dport: 11117  flags=******S* seq=611305753
      ack=0 off=7 res=0 win=16384 urp=0 chksum=13592
      Options:
       #1 - MSS len=4 data=0550
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 225) [2002-11-20 10:05:04]  TCP inbound to range 1025-60999
IPv4: 65.93.23.87 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=14123 flags=0 offset=0 TTL=109 chksum=61593
TCP:  port=3954 -> dport: 11117  flags=******S* seq=611305753
      ack=0 off=7 res=0 win=16384 urp=0 chksum=13592
      Options:
       #1 - MSS len=4 data=0550
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 226) [2002-11-20 10:05:10]  TCP inbound to range 1025-60999
IPv4: 65.93.23.87 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=14218 flags=0 offset=0 TTL=109 chksum=61498
TCP:  port=3954 -> dport: 11117  flags=******S* seq=611305753
      ack=0 off=7 res=0 win=16384 urp=65512 chksum=13615
      Options:
       #1 - MSS len=4 data=0550
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------

<Wed Nov 20 10:05:01 2002> 65.93.23.87 [20 hops]: Windows 2000 (9)
 65.93.23.87:3954 -> 12.82.128.253:11117 (timestamp: 35401564 @1037815501)
<Wed Nov 20 10:05:04 2002> 65.93.23.87 [20 hops]: Windows 2000 (9)
 65.93.23.87:3954 -> 12.82.128.253:11117 (timestamp: 35401564 @1037815504)
<Wed Nov 20 10:05:10 2002> 65.93.23.87 [20 hops]: Windows 2000 (9)
 65.93.23.87:3954 -> 12.82.128.253:11117 (timestamp: 35401564 @1037815510)



------------------------------------------------------------------------------
#(525 - 353) [2002-11-20 13:02:24]  TCP inbound to range 1025-60999
IPv4: 216.125.124.122 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=22718 flags=0 offset=0 TTL=116 chksum=52162
TCP:  port=4226 -> dport: 11117  flags=******S* seq=1381336220
      ack=0 off=7 res=0 win=16384 urp=0 chksum=20039
      Options:
       #1 - MSS len=4 data=0564
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 354) [2002-11-20 13:02:27]  TCP inbound to range 1025-60999
IPv4: 216.125.124.122 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=22729 flags=0 offset=0 TTL=116 chksum=52151
TCP:  port=4226 -> dport: 11117  flags=******S* seq=1381336220
      ack=0 off=7 res=0 win=16384 urp=0 chksum=20039
      Options:
       #1 - MSS len=4 data=0564
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 355) [2002-11-20 13:02:33]  TCP inbound to range 1025-60999
IPv4: 216.125.124.122 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=22764 flags=0 offset=0 TTL=116 chksum=52116
TCP:  port=4226 -> dport: 11117  flags=******S* seq=1381336220
      ack=0 off=7 res=0 win=16384 urp=0 chksum=20039
      Options:
       #1 - MSS len=4 data=0564
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------

<Wed Nov 20 13:02:24 2002> 216.125.124.122 [13 hops]: Windows 2000 (9)
 216.125.124.122:4226 -> 12.82.128.253:11117 (timestamp: 36460305 @1037826144)
<Wed Nov 20 13:02:27 2002> 216.125.124.122 [13 hops]: Windows 2000 (9)
 216.125.124.122:4226 -> 12.82.128.253:11117 (timestamp: 36460305 @1037826147)
<Wed Nov 20 13:02:33 2002> 216.125.124.122 [13 hops]: Windows 2000 (9)
 216.125.124.122:4226 -> 12.82.128.253:11117 (timestamp: 36460305 @1037826153)


------------------------------------------------------------------------------
#(525 - 395) [2002-11-20 13:20:49]  TCP inbound to range 1025-60999
IPv4: 199.106.86.2 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=21664 flags=0 offset=0 TTL=116 chksum=1900
TCP:  port=50812 -> dport: 11117  flags=******S* seq=2583207837
      ack=0 off=7 res=0 win=16384 urp=0 chksum=27875
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 396) [2002-11-20 13:20:52]  TCP inbound to range 1025-60999
IPv4: 199.106.86.2 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=21689 flags=0 offset=0 TTL=116 chksum=1875
TCP:  port=50812 -> dport: 11117  flags=******S* seq=2583207837
      ack=0 off=7 res=0 win=16384 urp=0 chksum=27875
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(525 - 397) [2002-11-20 13:20:58]  TCP inbound to range 1025-60999
IPv4: 199.106.86.2 -> 12.82.128.253
      hlen=5 TOS=0 dlen=48 ID=21745 flags=0 offset=0 TTL=116 chksum=1819
TCP:  port=50812 -> dport: 11117  flags=******S* seq=2583207837
      ack=0 off=7 res=0 win=16384 urp=0 chksum=27875
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------

<Wed Nov 20 13:20:49 2002> 199.106.86.2 [13 hops]: Windows 2000 (9)
 199.106.86.2:50812 -> 12.82.128.253:11117 (timestamp: 36583468 @1037827249)
<Wed Nov 20 13:20:52 2002> 199.106.86.2 [13 hops]: Windows 2000 (9)
 199.106.86.2:50812 -> 12.82.128.253:11117 (timestamp: 36583468 @1037827252)
<Wed Nov 20 13:20:58 2002> 199.106.86.2 [13 hops]: Windows 2000 (9)
 199.106.86.2:50812 -> 12.82.128.253:11117 (timestamp: 36583468 @1037827258)



----- End forwarded message -----



- John
-- 
Forest: a collection of trees

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
