[Dshield] Unusual UDP port scans -- forged (?) source IP 61.220.98.98 port 56933

Jon R. Kibler Jon.Kibler at aset.com
Fri Feb 13 23:11:36 GMT 2004


"Jon R. Kibler" wrote:

Hate to reply to my own posting, but I changed our firewall rules and captured a few packets. They are identical. Here is a sample. Also, the packets appear to be arriving about 17 seconds apart.

Anyone recognize anything here?

> 
>   1 17:44:4.96215 61.220.98.98 -> trustem01.trustem.net ETHER Type=0800 (IP), size = 133 bytes
>   1 17:44:4.96215 61.220.98.98 -> trustem01.trustem.net IP  D=63.113.59.66 S=61.220.98.98 LEN=119, ID=28193, TOS=0x0, TTL=110
>   1 17:44:4.96215 61.220.98.98 -> trustem01.trustem.net UDP D=32781 S=56933 LEN=99
> ________________________________
> 
> ETHER:  ----- Ether Header -----
> ETHER:  
> ETHER:  Packet 1 arrived at 17:44:4.96
> ETHER:  Packet size = 133 bytes
> ETHER:  Destination = 0:3:ba:2b:78:3b, 
> ETHER:  Source      = 0:3:6b:db:ea:16, 
> ETHER:  Ethertype = 0800 (IP)
> ETHER:  
> IP:   ----- IP Header -----
> IP:   
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:         .... ..0. = not ECN capable transport
> IP:         .... ...0 = no ECN congestion experienced
> IP:   Total length = 119 bytes
> IP:   Identification = 28193
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 110 seconds/hops
> IP:   Protocol = 17 (UDP)
> IP:   Header checksum = c363
> IP:   Source address = 61.220.98.98, 61.220.98.98
> IP:   Destination address = 63.113.59.66, trustem01.trustem.net
> IP:   No options
> IP:   
> UDP:  ----- UDP Header -----
> UDP:  
> UDP:  Source port = 56933
> UDP:  Destination port = 32781 
> UDP:  Length = 99 
> UDP:  Checksum = 2A9E 
> UDP:  
> 
> 	   0: 0003 ba2b 783b 0003 6bdb ea16 0800 4500    ...+x;..k.....E.
> 	  16: 0077 6e21 0000 6e11 c363 3ddc 6262 3f71    .wn!..n..c=.bb?q
> 	  32: 3b42 de65 800d 0063 2a9e 4e6e 8480 0001    ;B.e...c*.Nn....
> 	  48: 0000 0001 0000 0b61 7369 7274 6578 7469    .......asirtexti
> 	  64: 6c65 0363 6f6d 0274 7700 001c 0001 c00c    le.com.tw.......
> 	  80: 0006 0001 0000 0e10 002b 0861 7369 726d    .........+.asirm
> 	  96: 6169 6cc0 0c0a 686f 7374 6d61 7374 6572    ail...hostmaster
> 	 112: 0000 0000 3e00 0003 8400 0002 5800 0151    ....>.......X..Q
> 	 128: 8000 000e 10                               .....
> 

Thanks!

Jon

-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
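The snoop output quoted above decodes the Ethernet, IP and UDP headers but leaves the 91-byte UDP payload as raw hex. The following Python parser is an editorial addition, not code from Jon's post or from the Dshield list: it transcribes the frame bytes from the hex dump above and walks the Ethernet, IPv4 (verifying the header checksum), UDP and DNS layers, so the question of what the payload is can be answered from the bytes rather than guessed. Field names in the returned dict are my own choice. Run on that frame it shows the payload is a well-formed DNS response (QR and AA set, one question for asirtextile.com.tw type AAAA, no answers, one SOA record in the authority section) carried between the two high ports shown in the UDP header. The compression-pointer handling and the hop limit are general DNS parsing, not specific to this frame.

```python
import struct

# Frame transcribed from the hex dump quoted in the post above (133 bytes).
FRAME = bytes.fromhex("".join("""
0003 ba2b 783b 0003 6bdb ea16 0800 4500
0077 6e21 0000 6e11 c363 3ddc 6262 3f71
3b42 de65 800d 0063 2a9e 4e6e 8480 0001
0000 0001 0000 0b61 7369 7274 6578 7469
6c65 0363 6f6d 0274 7700 001c 0001 c00c
0006 0001 0000 0e10 002b 0861 7369 726d
6169 6cc0 0c0a 686f 7374 6d61 7374 6572
0000 0000 3e00 0003 8400 0002 5800 0151
8000 000e 10
""".split()))

RR_TYPES = {1: "A", 6: "SOA", 28: "AAAA"}  # only the record types this frame needs


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over the header; 0 means it verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a DNS name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message).
    The hop limit guards against pointer loops in hostile input."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, but remember where we were
            end = offset + 2 if end is None else end
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:  # root label terminates the name
            return ".".join(labels), (offset + 1 if end is None else end)
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> DNS and return the decoded fields."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:ulen]

    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    off += 4
    authority = None
    if an == 0 and ns == 1:  # no answers; decode the single authority record
        rrname, off = read_name(dns, off)
        rtype, _rclass, rttl, _rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        authority = {"name": rrname, "type": RR_TYPES.get(rtype, rtype), "ttl": rttl}
        if rtype == 6:  # SOA rdata: mname, rname, then five uint32 timers
            mname, off = read_name(dns, off)
            rname, off = read_name(dns, off)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", dns[off:off + 20])
            authority.update(mname=mname, rname=rname, serial=serial, refresh=refresh,
                             retry=retry, expire=expire, minimum=minimum)
    return {
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ip_id": ident, "ip_ttl": ttl, "ip_checksum_ok": ip_header_checksum(ip[:ihl]) == 0,
        "src_port": sport, "dst_port": dport, "dns_id": txid,
        "is_response": bool(flags & 0x8000), "authoritative": bool(flags & 0x0400),
        "recursion_available": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar), "question": (qname, RR_TYPES.get(qtype, qtype)),
        "authority": authority,
    }


if __name__ == "__main__":
    for key, value in parse_frame(FRAME).items():
        print(f"{key}: {value}")
```

Running the block prints one line per decoded field. The checksum check matters when deciding whether a capture like this is a genuine packet or malformed; the pointer hop limit is the one defensive detail a DNS name decoder needs before it is pointed at captures from untrusted sources.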