Coordinated HTTP scan (NOT CodeRed or Nimda)?
Glenn Forbes Fleming Larratt
glratt at io.com
Wed Mar 6 01:26:12 GMT 2002
On Tue, 5 Mar 2002, Kinsey, Robert wrote:
> Glenn, What does the scan look like (if you've reconstructed anything).
> These are all just single packet SYN with small byte length?
The only anomaly over and above that is as follows:
188.8.131.52.1419 > 184.108.40.206.80: S [tcp sum ok] 26962586:26962586(0) win 2144 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 7512, len 48)
It's my impression off the cuff that TCP options on the SYN are
somewhat premature, and thus unusual. No payload on the SYN in
any case; in all cases the TCP option order was mss, nop, nop,
sackOK, although the mss value was different (values observed
were 536 and 1460). TCP window size was similarly variable, and
IP ID values were all over the place; my interim conclusion is
coordinated scanning, and not spoofing.
> All, I have not found anything out regarding my friend's comments about
> something called "bang.c" as a tool or anything else for that matter. That
> was probably a red herring.
Possibly. I have had reports that nmap could do the same thing.
> Has anyone else heard of a scan looking for a TCP SYN ACK response using a
> single SYN on port 80 as a way to validate an IP:port as listening?
Glenn Forbes Fleming Larratt The Lab Ratt (not briggs :-)
glratt at io.com http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
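A parser for tcpdump lines in the format quoted above, which pulls the option order, MSS, window and IP ID out of each SYN and applies the same reading the post gives (one option order, no payload, but window and IP ID varying across many single-SYN sources). This is an added example, not code from the post or the list; the sample traffic lines are constructed and use RFC 5737 test addresses.

```python
import re
from collections import Counter

# Matches the tcpdump TCP line format quoted in the post, e.g.
#   a.b.c.d.1419 > w.x.y.z.80: S [tcp sum ok] 1:1(0) win 2144 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 7512, len 48)
TCPDUMP_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRPAU.]+) "
    r"(?:\[tcp sum ok\] )?\d+:\d+\((?P<payload>\d+)\) win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?"
    r"(?: \(DF\))? \(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len \d+\)$"
)

def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None if the line does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    opts = [o.strip() for o in m.group("opts").split(",")] if m.group("opts") else []
    mss = next((int(o.split()[1]) for o in opts if o.startswith("mss ")), None)
    return {"src": m.group("src"), "dport": int(m.group("dport")), "flags": m.group("flags"),
            "payload": int(m.group("payload")), "win": int(m.group("win")), "ttl": int(m.group("ttl")),
            "ipid": int(m.group("ipid")), "opt_order": ",".join(o.split()[0] for o in opts), "mss": mss}

def profile_syns(lines, dport=80):
    """Keep bare SYNs to dport and summarise how the header fields spread across sources."""
    pkts = [p for p in map(parse_line, lines) if p and p["flags"] == "S" and p["dport"] == dport]
    by_src = Counter(p["src"] for p in pkts)
    return {"sources": len(by_src),
            "single_syn_sources": sum(1 for n in by_src.values() if n == 1),
            "payload_free": all(p["payload"] == 0 for p in pkts),
            "opt_orders": sorted({p["opt_order"] for p in pkts}),
            "mss_values": sorted({p["mss"] for p in pkts if p["mss"] is not None}),
            "win_values": sorted({p["win"] for p in pkts}),
            "ipid_values": sorted({p["ipid"] for p in pkts})}

def looks_coordinated(profile, min_sources=3):
    """One option order but varying window and IP ID across many one-SYN sources, as read in the post."""
    return (profile["sources"] >= min_sources and profile["single_syn_sources"] == profile["sources"]
            and len(profile["opt_orders"]) == 1 and len(profile["win_values"]) > 1
            and len(profile["ipid_values"]) > 1)

# Constructed sample lines in the same format (RFC 5737 test addresses), not traffic from the post.
SAMPLE = [
    "192.0.2.10.1419 > 198.51.100.5.80: S [tcp sum ok] 1000:1000(0) win 2144 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 7512, len 48)",
    "192.0.2.77.3201 > 198.51.100.5.80: S [tcp sum ok] 2000:2000(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 118, id 301, len 48)",
    "192.0.2.130.1025 > 198.51.100.5.80: S [tcp sum ok] 3000:3000(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 122, id 61001, len 48)",
    "192.0.2.200.4455 > 198.51.100.5.25: S [tcp sum ok] 4000:4000(0) win 2144 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 9, len 48)",
]
```

Feed it the raw lines of a `tcpdump -v` capture filtered to SYNs on port 80; `profile_syns` ignores lines it cannot parse and traffic to other ports.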