Coordinated HTTP scan (NOT CodeRed or Nimda)?

Glenn Forbes Fleming Larratt glratt at io.com
Wed Mar 6 01:26:12 GMT 2002


On Tue, 5 Mar 2002, Kinsey, Robert wrote:

> Glenn, what does the scan look like (if you've reconstructed anything)?
> These are all just single packet SYN with small byte length?

	The only anomaly over and above that is as follows:

24.82.220.202.1419 > 128.42.9.7.80: S [tcp sum ok] 26962586:26962586(0) win 2144 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 7512, len 48)

	It's my impression off the cuff that TCP options on the SYN are 
	somewhat premature, and thus unusual. No payload on the SYN in 
	any case; in all cases the TCP option order was mss, nop, nop, 
	sackOK, although the mss value was different (values observed
	were 536 and 1460). TCP window size was similarly variable, and
	IP ID values were all over the place; my interim conclusion is
	coordinated scanning, and not spoofing.

> All, I have not found anything out regarding my friend's comments about
> something called "bang.c" as a tool or anything else for that matter.  That
> was probably a red herring.

	Possibly. I have had reports that nmap could do the same thing.

> Has anyone else heard of a scan looking for a TCP SYN ACK response using a
> single SYN on port 80 as a way to validate an IP:port as listening?
> 
> Thanks,
> 
> Robert
> 

-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at io.com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
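
Added example, not part of the original message: Python that parses tcpdump SYN lines in the format quoted above and tabulates the fields the message compares across sources (TCP option order, MSS, window, TTL, IP ID). The first sample line is the one from the message; the other three lines and the names parse_syn and summarize are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches verbose tcpdump SYN lines in the layout quoted in the message.
SYN_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): S .*?"
    r"\((?P<paylen>\d+)\) win (?P<win>\d+) <(?P<opts>[^>]*)>"
    r".*?\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len \d+\)"
)

# Line 1 is from the message; lines 2-4 are constructed (documentation addresses).
SAMPLE = [
    "24.82.220.202.1419 > 128.42.9.7.80: S [tcp sum ok] 26962586:26962586(0) win 2144 <mss 1460,nop,nop,sackOK> (DF) (ttl 115, id 7512, len 48)",
    "192.0.2.15.3012 > 198.51.100.7.80: S [tcp sum ok] 88120331:88120331(0) win 8192 <mss 536,nop,nop,sackOK> (DF) (ttl 109, id 40211, len 48)",
    "203.0.113.44.1187 > 198.51.100.7.80: S [tcp sum ok] 5120077:5120077(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 118, id 233, len 48)",
    "192.0.2.200.2250 > 198.51.100.9.80: S [tcp sum ok] 77001:77001(0) win 2144 <mss 536,nop,nop,sackOK> (DF) (ttl 112, id 61002, len 48)",
]

def parse_syn(line):
    """Return the header fields of one SYN line, or None if it does not match."""
    m = SYN_RE.search(line)
    if not m:
        return None
    opts = [o.strip() for o in m["opts"].split(",") if o.strip()]
    mss = next((int(o.split()[1]) for o in opts if o.startswith("mss ")), None)
    return {
        "src": m["src"], "dport": int(m["dport"]), "payload": int(m["paylen"]),
        "win": int(m["win"]), "ttl": int(m["ttl"]), "ipid": int(m["ipid"]),
        "mss": mss, "opt_order": tuple(o.split()[0] for o in opts),
    }

def summarize(lines):
    """Tabulate which fields are constant and which vary across sources."""
    syns = [p for p in map(parse_syn, lines) if p]
    by_src = defaultdict(list)
    for p in syns:
        by_src[p["src"]].append(p)
    return {
        "sources": len(by_src),
        "single_syn_sources": sum(1 for v in by_src.values() if len(v) == 1),
        "opt_orders": {p["opt_order"] for p in syns},
        "mss_values": sorted({p["mss"] for p in syns if p["mss"] is not None}),
        "windows": sorted({p["win"] for p in syns}),
        "ttls": sorted({p["ttl"] for p in syns}),
        "all_empty": all(p["payload"] == 0 for p in syns),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```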