[Dshield] New probe?

John Sage jsage at finchhaven.com
Mon Mar 17 01:52:48 GMT 2003


On Sat, Mar 15, 2003 at 02:24:01PM -0500, Jon R. Kibler wrote:
> We have noticed what appears to be a new probe pattern. The intruder
> hits first port 80 (http), then 57 (what exactly is 57?), then 21
> (ftp), in that order, and there is about 3 seconds between each probe.
> 
> Any idea what this probe is and what it is trying to accomplish?

This is a moderately common probe; I often see it in the form:

hello ping; port 80 http often with a HEAD /; port 57 private terminal
server/FX Tools Vuln scanner; port 21 ftp

viz:

input: snort-0116 at 1814.log
filter: ip and ( src host 80.128.89.252 )
#
I 2003/01/16 19:34:31.967316 80.128.89.252 -> 12.82.141.26 8:0
  03 00 00 98 68 65 6c 6c    6f 20 3f 3f 3f             ....hello ???   
#
T 2003/01/16 19:34:34.277530 80.128.89.252:2761 -> 12.82.141.26:80 [S]
#
T 2003/01/16 19:34:38.467950 80.128.89.252:2761 -> 12.82.141.26:80 [A]
#
T 2003/01/16 19:34:38.477961 80.128.89.252:2761 -> 12.82.141.26:80 [AP]
  48 45 41 44 20 2f 20 48    54 54 50 2f 31 2e 30 0d    HEAD / HTTP/1.0.
  0a 48 6f 73 74 3a 20 31    32 2e 38 32 2e 31 34 31    .Host: 12.82.141
  2e 32 36 0d 0a 0d 0a                                  .26....         
#
T 2003/01/16 19:34:40.348127 80.128.89.252:2761 -> 12.82.141.26:80 [AP]
  48 45 41 44 20 2f 20 48    54 54 50 2f 31 2e 30 0d    HEAD / HTTP/1.0.
  0a 48 6f 73 74 3a 20 31    32 2e 38 32 2e 31 34 31    .Host: 12.82.141
  2e 32 36 0d 0a 0d 0a                                  .26....         
#
T 2003/01/16 19:34:41.448276 80.128.89.252:2761 -> 12.82.141.26:80 [A]
#
T 2003/01/16 19:34:43.598538 80.128.89.252:2761 -> 12.82.141.26:80 [A]
#
T 2003/01/16 19:34:43.608524 80.128.89.252:2761 -> 12.82.141.26:80 [AF]
#
T 2003/01/16 19:34:43.618546 80.128.89.252:2821 -> 12.82.141.26:57 [S]
#
T 2003/01/16 19:34:50.989251 80.128.89.252:2821 -> 12.82.141.26:57 [S]
#
T 2003/01/16 19:34:50.989289 80.128.89.252:2761 -> 12.82.141.26:80 [A]
#
T 2003/01/16 19:34:55.309589 80.128.89.252:2821 -> 12.82.141.26:57 [S]
#
T 2003/01/16 19:35:05.160679 80.128.89.252:2985 -> 12.82.141.26:21 [S]
#
T 2003/01/16 19:35:05.220707 80.128.89.252:2985 -> 12.82.141.26:21 [S]
#
T 2003/01/16 19:35:06.690733 80.128.89.252:2985 -> 12.82.141.26:21 [A]
#
T 2003/01/16 19:35:06.710791 80.128.89.252:2985 -> 12.82.141.26:21 [A]
#
T 2003/01/16 19:35:30.042987 80.128.89.252:2985 -> 12.82.141.26:21 [AF]
#
T 2003/01/16 19:35:31.293119 80.128.89.252:2985 -> 12.82.141.26:21 [A]
exit


- John
-- 
"You must define an operating system environment,
 or the configuration file build will puke."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705


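Detection logic for the sequence described above, as an added example that is not part of the original post or of any Dshield tooling: it parses the dump format John pasted (ICMP lines beginning with `I`, TCP lines beginning with `T`), records the first bare SYN each source sends to each port, and flags a source whose first SYNs to 80, 57 and 21 arrive in that order, reporting the gaps between them. The regexes, the 120-second window and the two `10.0.0.5` lines (a constructed negative case) are assumptions; the remaining sample lines are taken from the dump in the post.

```python
"""Flag the ping / 80 / 57 / 21 probe sequence in a packet-log dump.

Added example, not code from the original post.  TCP_RE, ICMP_RE,
PROBE_SEQUENCE and MAX_SPAN_SECONDS are assumptions.  In SAMPLE_LOG the
80.128.89.252 lines are copied from the post; the 10.0.0.5 lines are
constructed as a source that does not complete the sequence.
"""
import re
from collections import defaultdict
from datetime import datetime

# Dump format: 'I <ts> <src> -> <dst> <type>:<code>'          (ICMP)
#              'T <ts> <src>:<sport> -> <dst>:<dport> [<flags>]' (TCP)
TCP_RE = re.compile(r"^T (\S+ \S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) \[(\w+)\]")
ICMP_RE = re.compile(r"^I (\S+ \S+) ([\d.]+) -> ([\d.]+) (\d+):(\d+)")

PROBE_SEQUENCE = (80, 57, 21)   # assumed: the exact port order to match
MAX_SPAN_SECONDS = 120.0        # assumed: whole sequence must fit in this window

SAMPLE_LOG = """\
I 2003/01/16 19:34:31.967316 80.128.89.252 -> 12.82.141.26 8:0
T 2003/01/16 19:34:34.277530 80.128.89.252:2761 -> 12.82.141.26:80 [S]
T 2003/01/16 19:34:38.467950 80.128.89.252:2761 -> 12.82.141.26:80 [A]
T 2003/01/16 19:34:38.477961 80.128.89.252:2761 -> 12.82.141.26:80 [AP]
T 2003/01/16 19:34:43.608524 80.128.89.252:2761 -> 12.82.141.26:80 [AF]
T 2003/01/16 19:34:43.618546 80.128.89.252:2821 -> 12.82.141.26:57 [S]
T 2003/01/16 19:34:50.989251 80.128.89.252:2821 -> 12.82.141.26:57 [S]
T 2003/01/16 19:34:55.309589 80.128.89.252:2821 -> 12.82.141.26:57 [S]
T 2003/01/16 19:35:05.160679 80.128.89.252:2985 -> 12.82.141.26:21 [S]
T 2003/01/16 19:35:06.690733 80.128.89.252:2985 -> 12.82.141.26:21 [A]
T 2003/01/16 19:35:30.042987 80.128.89.252:2985 -> 12.82.141.26:21 [AF]
T 2003/01/16 20:00:00.000000 10.0.0.5:4000 -> 12.82.141.26:21 [S]
T 2003/01/16 20:00:03.000000 10.0.0.5:4001 -> 12.82.141.26:80 [S]
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S.%f")


def parse_log(text):
    """Turn dump lines into event dicts; hex-dump and '#' lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            ts, src, _sport, dst, dport, flags = m.groups()
            events.append({"proto": "tcp", "ts": parse_ts(ts), "src": src,
                           "dst": dst, "dport": int(dport), "flags": flags})
            continue
        m = ICMP_RE.match(line)
        if m:
            ts, src, dst, itype, icode = m.groups()
            events.append({"proto": "icmp", "ts": parse_ts(ts), "src": src,
                           "dst": dst, "type": int(itype), "code": int(icode)})
    return events


def first_syn_times(events):
    """(src, dst) -> {dport: timestamp of the first bare SYN to that port}."""
    firsts = defaultdict(dict)
    for e in events:
        if e["proto"] == "tcp" and e["flags"] == "S":
            firsts[(e["src"], e["dst"])].setdefault(e["dport"], e["ts"])
    return firsts


def find_probe_sequences(events, sequence=PROBE_SEQUENCE, max_span=MAX_SPAN_SECONDS):
    """Return one hit per (src, dst) whose first SYNs hit `sequence` in order."""
    pinged = {(e["src"], e["dst"]) for e in events
              if e["proto"] == "icmp" and e["type"] == 8}   # echo request
    hits = []
    for (src, dst), ports in first_syn_times(events).items():
        if not all(p in ports for p in sequence):
            continue
        times = [ports[p] for p in sequence]
        if times != sorted(times):          # right ports, wrong order
            continue
        if (times[-1] - times[0]).total_seconds() > max_span:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hits.append({"src": src, "dst": dst, "pinged": (src, dst) in pinged,
                     "gaps": gaps})
    return hits


if __name__ == "__main__":
    for h in find_probe_sequences(parse_log(SAMPLE_LOG)):
        print(h["src"], "->", h["dst"], "ping:", h["pinged"],
              "gaps(s):", [round(g, 3) for g in h["gaps"]])
```

On the dump in the post the script reports one hit from 80.128.89.252, preceded by an echo request, with gaps of about 9.3 s and 21.5 s between the first SYNs to 80, 57 and 21, so the inter-probe timing is looser than the three seconds in Jon's observation; the window and order check are what you would tune if the pattern drifts.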
