Syn Probe on Port 25

Lois Lehman LOIS.LEHMAN at asu.edu
Thu Apr 17 16:52:33 GMT 2003


We have seen SYN probes directed at port 25 on specific IP
addresses lately.  Does anyone know what this would indicate?  In other
words, is it part of known malicious code and/or what should we look for
on the targeted computers?
 
Here is a sample from the Snort logs from yesterday targeting one Linux box
in our building:
 
[**] Snort Alert! [**]
04/16-17:28:59.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:48605 IpLen:20 DgmLen:60 DF
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2136290273 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-17:29:02.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:48861 IpLen:20 DgmLen:60 DF
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2136290573 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-17:29:08.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:49517 IpLen:20 DgmLen:60 DF
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2136291173 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-17:29:20.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:50532 IpLen:20 DgmLen:60 DF
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2136292373 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-17:29:44.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:52790 IpLen:20 DgmLen:60 DF
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2136294773 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-19:36:16.357965 216.15.189.34:1192 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:63879 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEB1A2869  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2137053808 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-19:36:19.357965 216.15.189.34:1192 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:64155 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEB1A2869  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2137054108 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-19:36:25.357965 216.15.189.34:1192 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:64632 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEB1A2869  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2137054708 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-19:36:37.357965 216.15.189.34:1192 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:305 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEB1A2869  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2137055908 0 NOP WS: 0 
 
[**] Snort Alert! [**]
04/16-19:37:01.357965 216.15.189.34:1192 -> xxx.xxx.145.205:25
TCP TTL:50 TOS:0x0 ID:1809 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEB1A2869  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2137058308 0 NOP WS: 0
 
Since this same box has been involved in some suspicious activity, we are
watching it closely.  It would be most helpful to understand this current
activity, if possible. So, any insights into this would be greatly
appreciated.
 
Regards,
Lois
 
Lois Lehman, GSEC, MBA
Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
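Added example, not part of the post or of the unisog list: a small Python parser for the Snort alert records quoted above. It groups pure-SYN alerts by source port, destination and sequence number and measures the gaps between repeats, so an analyst can tell whether a burst like this is a single connection attempt being retransmitted by the remote TCP stack (same Seq and source port, intervals that keep doubling) or a series of separate probes. The sample input is a constructed subset of the alerts in the post; the year 2003 is assumed because Snort timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the first four alerts quoted in the post, trimmed to the
# two lines this parser reads (the TTL/ID and TCP-options lines are dropped).
SAMPLE = """\
[**] Snort Alert! [**]
04/16-17:28:59.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
[**] Snort Alert! [**]
04/16-17:29:02.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
[**] Snort Alert! [**]
04/16-17:29:08.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
[**] Snort Alert! [**]
04/16-17:29:20.937965 216.15.189.34:2217 -> xxx.xxx.145.205:25
******S* Seq: 0x96B2FD9  Ack: 0x0  Win: 0x7D78  TcpLen: 40
"""

HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)")

def parse_alerts(text, year=2003):
    # One dict per alert: timestamp, 4-tuple, TCP flag string and Seq number.
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d-%H:%M:%S.%f")
            cur = {"ts": ts, "src": m[2], "sport": int(m[3]),
                   "dst": m[4], "dport": int(m[5])}
            alerts.append(cur)
        elif (m := FLAGS.match(line)) and cur is not None:
            cur["flags"], cur["seq"] = m[1], int(m[2], 16)
    return alerts

def group_by_syn(alerts):
    # SYN-only alerts sharing src port, dst and Seq are one connection attempt.
    groups = {}
    for a in alerts:
        if a.get("flags") == "******S*":
            key = (a["src"], a["sport"], a["dst"], a["dport"], a["seq"])
            groups.setdefault(key, []).append(a["ts"])
    return {k: [(b - a).total_seconds() for a, b in zip(v, v[1:])]
            for k, v in groups.items()}

def is_retransmit_backoff(gaps, tol=0.25):
    # Gaps that keep doubling are a TCP stack retrying one unanswered SYN.
    return len(gaps) >= 2 and all(abs(b / a - 2) <= tol for a, b in zip(gaps, gaps[1:]))
```

Run over the full alert file rather than the sample, a group whose gaps fail the doubling test, or whose members differ in Seq, is worth a closer look than one that passes.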
 

