Re: More weird scans

From: Curley Mr Eric P (CurleyEPat_private)
Date: Mon Apr 23 2001 - 06:50:47 PDT


    This is the DDoS exploit... Check out the broadcast. Trying to get you to
    respond to all to effectively bring the network down. Cool packet capture. I
    can use it for an investigation I have open right now as an example.
    Cheers!!
    
    Eric
    
    -----Original Message-----
    From: Crist Clark [mailto:crist.clarkat_private]
    Sent: Thursday, April 19, 2001 5:21 PM
    To: INCIDENTSat_private
    Subject: Re: More weird scans
    
    
    Russell Fulton wrote:
    >
    > here is another weird scan...
    >
    > 18 Apr 01 13:12:21    tcp 255.255.255.255.31337  ->    130.216.210.99.515 S_
    > 18 Apr 01 13:32:33    tcp 255.255.255.255.31337  ->     130.216.88.79.515 S_
    > 18 Apr 01 14:23:39    tcp 255.255.255.255.31337  ->    130.216.80.141.515 S_
    > 18 Apr 01 14:32:16    tcp 255.255.255.255.31337  ->   130.216.165.120.515 S_
    > 18 Apr 01 15:06:51    tcp 255.255.255.255.31337  ->   130.216.229.183.515 S_
    > 18 Apr 01 17:22:10    tcp 255.255.255.255.31337  ->   130.216.124.106.515 S_
    > 18 Apr 01 17:42:23    tcp 255.255.255.255.31337  ->     130.216.202.2.515 S_
    > 18 Apr 01 17:55:36    tcp 255.255.255.255.31337  ->    130.216.115.63.515 S_
    > 18 Apr 01 18:58:22    tcp 255.255.255.255.31337  ->    130.216.73.134.515 S_
    > 18 Apr 01 19:12:33    tcp 255.255.255.255.31337  ->    130.216.35.204.515 S_
    > 18 Apr 01 20:56:08    tcp 255.255.255.255.31337  ->    130.216.57.184.515 S_
    > 18 Apr 01 22:56:20    tcp 255.255.255.255.31337  ->    130.216.75.120.515 S_
    > 18 Apr 01 23:06:08    tcp 255.255.255.255.31337  ->   130.216.150.227.515 S_
    
    I have noted the same thing,
    
    Apr16:
      15:21:57.791300 255.255.255.255.31337 > AAA.BBB.CC4.72.515: S [tcp sum ok]
    100:100(0) win 512 (ttl 232, id 62128)
        0000: 4500 0028 f2b0 0000 e806 767e ffff ffff  E..(......v~....
        0010: AABB CC48 7a69 0203 0000 0064 0000 0000  ....zi.....d....
        0020: 5002 0200 c771 0000 fb8d 697b f514       P....q....i{..
    
      22:58:37.451884 255.255.255.255.31337 > AAA.BBB.CC3.63.515: S [tcp sum ok]
    100:100(0) win 512 (ttl 232, id 62128)
        0000: 4500 0028 f2b0 0000 e806 7787 ffff ffff  E..(......w.....
        0010: AABB CC3f 7a69 0203 0000 0064 0000 0000  ...?zi.....d....
        0020: 5002 0200 c87a 0000 3565 3565 4167       P....z..5e5eAg
    
    Apr17:
      05:15:58.706757 255.255.255.255.31337 > AAA.BBB.CC4.102.515: S [tcp sum
    ok] 100:100(0) win 512 (ttl 242, id 62128)
        0000: 4500 0028 f2b0 0000 f206 6c60 ffff ffff  E..(......l`....
        0010: AABB CC66 7a69 0203 0000 0064 0000 0000  ...fzi.....d....
        0020: 5002 0200 c753 0000 a7a0 7fce 4efe       P....S......N.
    
      22:37:58.759311 255.255.255.255.31337 > AAA.BBB.CC5.191.515: S [tcp sum
    ok] 100:100(0) win 512 (ttl 232, id 62128)
        0000: 4500 0028 f2b0 0000 e806 7507 ffff ffff  E..(......u.....
        0010: AABB CCbf 7a69 0203 0000 0064 0000 0000  ....zi.....d....
        0020: 5002 0200 c5fa 0000 0204 05b4 0101       P.............
    
    Apr19:
      00:37:53.292230 255.255.255.255.31337 > AAA.BBB.CC4.11.515: S [tcp sum ok]
    100:100(0) win 512 (ttl 232, id 62128)
        0000: 4500 0028 f2b0 0000 e806 76bb ffff ffff  E..(......v.....
        0010: AABB CC0b 7a69 0203 0000 0064 0000 0000  ....zi.....d....
        0020: 5002 0200 c7ae 0000 c76b 1399 8f9d       P........k....
    
    A few interesting things. First, not all of the destination hosts are
    reachable from the Internet, implying these are aimed randomly. Second, the
    packet crafting is just too obvious: same sequence number (100), same IP ID
    (62128), same source port (31337 *eye roll*). Third, three have the same TTL
    and are likely from the same source, and one is different. Fourth, what are
    those six extra bytes of TCP data hanging off of each one? If we note the
    datagram length, they are part of the packet. The only thing that could have
    been done to make this more obvious is make it a SYN-FIN.
    
    I also have a bunch of these exact same packets coming from "real" IP
    addresses. My best guess is that a worm or kit is not binding itself
    properly to an interface and sending out these messed up 255.255.255.255
    sourced probes. (A poorly written worm!? Say it ain't so!)
    --
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
    The information contained in this e-mail message is confidential,
    intended only for the use of the individual or entity named above.  If
    the reader of this e-mail is not the intended recipient, or the employee
    or agent responsible to deliver it to the intended recipient, you are
    hereby notified that any review, dissemination, distribution or copying
    of this communication is strictly prohibited.  If you have received this
    e-mail in error, please contact postmasterat_private
    
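The comparison Crist does by eye across the five dumps (same source, source port, sequence number, IP ID and window; TTL 232 on four packets and 242 on one; six bytes hanging off the end) can be done mechanically from the tcpdump -x output as posted. The script below is an added example, not code from the thread; it decodes the hex columns of three of the quoted dumps (copied verbatim, including the anonymised AABB CC.. destination octets, so it never touches the network), flags the fixed-field signature, and reports the IP total-length field next to the number of bytes captured. One caveat worth checking on your own captures: in every dump the IP total length is 0x0028, i.e. 40 bytes, which is exactly a 20-byte IP header plus a 20-byte TCP header with no payload, so the six trailing bytes are outside the IP datagram; 46 bytes is also the minimum Ethernet payload, which is consistent with link-layer padding (the trailer differs from packet to packet, as it would if it were whatever the sender's buffer held).

```python
"""
Decode tcpdump -x hex dumps of the 255.255.255.255:31337 -> x:515 SYN probes
and compare the fields lined up in the thread across packets.
"""
import re
import struct
from collections import Counter

# Sample input: three of the dumps quoted in the thread, copied as posted
# (the AABB CC.. destination octets are the anonymised values from the post).
DUMPS = [
    ("Apr16 15:21:57", """
        0000: 4500 0028 f2b0 0000 e806 767e ffff ffff  E..(......v~....
        0010: AABB CC48 7a69 0203 0000 0064 0000 0000  ....zi.....d....
        0020: 5002 0200 c771 0000 fb8d 697b f514       P....q....i{..
    """),
    ("Apr17 05:15:58", """
        0000: 4500 0028 f2b0 0000 f206 6c60 ffff ffff  E..(......l`....
        0010: AABB CC66 7a69 0203 0000 0064 0000 0000  ...fzi.....d....
        0020: 5002 0200 c753 0000 a7a0 7fce 4efe       P....S......N.
    """),
    ("Apr17 22:37:58", """
        0000: 4500 0028 f2b0 0000 e806 7507 ffff ffff  E..(......u.....
        0010: AABB CCbf 7a69 0203 0000 0064 0000 0000  ....zi.....d....
        0020: 5002 0200 c5fa 0000 0204 05b4 0101       P.............
    """),
]

# The constant fields the thread points at: broadcast source, port 31337,
# initial sequence number 100, IP ID 62128, window 512, SYN only.
SIGNATURE = {"src": "255.255.255.255", "sport": 31337, "seq": 100,
             "ip_id": 62128, "win": 512, "flags": 0x02}


def parse_hexdump(text):
    """Turn tcpdump -x lines ('0000: 4500 0028 ...  E..(') into raw bytes.
    Only the hex columns are read; the first non-hex token is the ASCII gutter."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"[0-9a-fA-F]{4}:", tokens[0]):
            continue
        for tok in tokens[1:]:
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def decode_ip_tcp(pkt):
    """Unpack the IPv4 and TCP headers and compare lengths against the capture."""
    (_vihl, _tos, total_len, ip_id, _frag, ttl, _proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4
    (sport, dport, seq, _ack, off_flags, win, _tcsum,
     _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl, "ip_id": ip_id, "total_len": total_len,
        "captured": len(pkt),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": off_flags & 0x1FF, "win": win,
        # payload the IP header actually accounts for, and whatever follows it
        "tcp_payload_len": total_len - ihl - data_off,
        "trailing": pkt[total_len:],
    }


def matches_signature(fields):
    return all(fields[k] == v for k, v in SIGNATURE.items())


def analyse(dumps=DUMPS):
    """Decode every dump, flag the signature and tally TTLs (one per sender)."""
    rows = []
    for label, text in dumps:
        f = decode_ip_tcp(parse_hexdump(text))
        f["label"] = label
        f["signature"] = matches_signature(f)
        rows.append(f)
    return rows, Counter(r["ttl"] for r in rows)


if __name__ == "__main__":
    rows, ttls = analyse()
    for r in rows:
        print(f'{r["label"]}: {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'ttl={r["ttl"]} id={r["ip_id"]} seq={r["seq"]} flags={r["flags"]:#04x} '
              f'iplen={r["total_len"]} captured={r["captured"]} '
              f'payload={r["tcp_payload_len"]} trailing={r["trailing"].hex()} '
              f'signature={r["signature"]}')
    print("TTL distribution:", dict(ttls))
```

Run it on your own dumps by replacing the entries in DUMPS; anything with signature=True and a TTL that does not fit the cluster is the "one is different" case from the thread, and a nonzero payload or a total length larger than 40 would mean the extra bytes really are in the datagram rather than trailing it.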



    This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 08:38:11 PDT