[Dshield] odd scan any ideas?

Joe Stewart jstewart at lurhq.com
Fri Jun 20 13:11:51 GMT 2003


On Friday 20 June 2003 02:11 am, Korhonen Juuso wrote:
> What about this:
>
> "The Trojan scans random ports on random machines, each time sending an
> initial SYN packet. One of the few identifiable characteristics of the
> program is a window size of 55808 on each of the packets it transmits.
>
> ******It also spoofs the originating IP address on all of the packets,
> making them look as if they're coming from machines in unallocated name
> space.***** "

That's not it. He was describing port 137 udp traffic on the outside of his
firewall, from a link-local address to the link-local broadcast. 

Mark, if you're sure that's the external interface then check to make sure
someone hasn't plugged a host into your external switch/hub. If not,
then check with your ISP; it seems they are passing broadcast traffic from 
some other subnet(s) they control to your router (which is also misconfigured 
to pass broadcasts). This kind of misconfiguration is seen sometimes, and you 
can usually just ignore it unless you have metered bandwidth and want to 
make sure all traffic you see is really yours.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/


> -----Original Message-----
> From: Mark Warner [mailto:warner at neb.com]
> Sent: 19 June 2003 23:03
> To: General DShield Discussion List
> Subject: RE: [Dshield] odd scan any ideas?
>
>
> The log was generated by my firewall (Gauntlet 6.0) and I would say the
> same, but the <if=eri1> shows that it is outside the wall. That is my
> confusion.
>
> At 08:20 AM 6/19/2003 -0700, you wrote:
> >Looks like a Microsoft machine which couldn't reach a DHCP server,
> >looking for other machines. When Windows boxes aren't statically
> >configured and don't have a DHCP server, they default to grabbing a
> >random IP from the 169.254.x.y subnet with a mask of 255.255.0.0.
> >
> >This looks like a broadcast to that subnet in an effort to find other
> >machines.
> >
> >Where was this log? What gathered this info?
> >
> >-d
> >
> > > -----Original Message-----
> > > From: Mark Warner [mailto:warner at neb.com]
> > > Sent: June 19, 2003 7:36 AM
> > > To: 'General DShield Discussion List'
> > > Subject: [Dshield] odd scan any ideas?
> > >
> > >
> > > My logs have shown this for a few days now...
> > > Any ideas as to how or what?
> > >
> > > Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on unserved port 137
> > >
> > > Mark
> > > Mark Warner
> > > TelCom/Network Manager
> > > New England BioLabs Inc.
> > > 32 Tozer Rd
> > > Beverly MA
> > > 01915
> > > 978.927.5054 Ext. 407 Office
> > > 978.921.1350 Fax
> > > warner at neb.com
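The thread boils down to a triage rule: a UDP/137 (NetBIOS name service) datagram from a 169.254.0.0/16 (APIPA, link-local) source to the 169.254.255.255 subnet broadcast is a Windows host that never got a DHCP lease looking for neighbours; it is only interesting when it shows up on the outside interface, where it points at either a stray host on the external switch/hub or an ISP/router forwarding another subnet's broadcasts. The script below is an added example, not code from the list or from Gauntlet, that parses the "securityalert" line format shown above and applies that rule. The field names, the set of external interface names (eri1, taken from Mark's post), and all log lines other than the one quoted in the thread are assumptions or constructed samples.

```python
import ipaddress
import re

# Regex for the Gauntlet 6.0 "securityalert" line as quoted in the thread.
# Group names are my own; Gauntlet documents no such field names.
LINE_RE = re.compile(
    r"securityalert:\s+(?P<proto>\w+)\s+if=(?P<iface>\S+)\s+from\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+to\s+(?P<dst>[\d.]+)\s+"
    r"on\s+unserved\s+port\s+(?P<dport>\d+)"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA range, mask 255.255.0.0
NBNS_PORT = 137                                        # NetBIOS name service (UDP)
EXTERNAL_IFACES = {"eri1"}  # assumption: eri1 is the outside interface per the thread


def parse_alert(line):
    """Parse one securityalert line into typed fields, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "iface": d["iface"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def classify(alert, external_ifaces=EXTERNAL_IFACES):
    """Label an alert: APIPA NBNS broadcast (outside or inside), other link-local, or other."""
    if alert is None:
        return "unparsed"
    src_link_local = alert["src"] in LINK_LOCAL
    dst_is_bcast = alert["dst"] == LINK_LOCAL.broadcast_address  # 169.254.255.255
    is_nbns = alert["proto"] == "udp" and alert["dport"] == NBNS_PORT
    if src_link_local and dst_is_bcast and is_nbns:
        if alert["iface"] in external_ifaces:
            # The case in the thread: check for a host plugged into the external
            # segment, otherwise the upstream is leaking broadcasts to you.
            return "apipa-nbns-broadcast-external"
        # Inside the firewall this is just a DHCP-less Windows box; ignorable.
        return "apipa-nbns-broadcast-internal"
    if src_link_local:
        return "link-local-source-other"
    return "other"


# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LINES = [
    "Jun 18 11:23:54 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp "
    "if=eri1 from 169.254.35.111:52429 to 169.254.255.255 on unserved port 137",
    # constructed: same query seen on an inside interface (eri0 is assumed)
    "Jun 18 11:24:10 seq.neb.com gfw: [ID 702911 kern.info] securityalert: udp "
    "if=eri0 from 169.254.35.111:52429 to 169.254.255.255 on unserved port 137",
    # constructed: an unrelated inbound probe using documentation addresses
    "Jun 18 11:25:02 seq.neb.com gfw: [ID 702911 kern.info] securityalert: tcp "
    "if=eri1 from 198.51.100.7:4444 to 203.0.113.9 on unserved port 445",
    # constructed: a line that is not a securityalert at all
    "Jun 18 11:25:30 seq.neb.com gfw: [ID 702911 kern.info] link up on eri1",
]


def triage(lines):
    """Return [(label, line), ...] so the external-interface cases can be pulled out."""
    return [(classify(parse_alert(line)), line) for line in lines]


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LINES):
        print(f"{label:32s} {line}")
```

Only the "apipa-nbns-broadcast-external" label needs a human to follow Joe's two checks; the internal case and anything "other" can be left to the usual rules. The regex is anchored on the "securityalert:" token rather than the syslog prefix, so the same parser works whether or not the hostname and [ID ...] tag are present.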