This is the DDoS exploit... Check out the broadcast. Trying to get you to respond to all to effectively bring the network down. Cool packet capture. I can use it for an investigation I have open right now as an example. Cheers!!

Eric

-----Original Message-----
From: Crist Clark [mailto:crist.clarkat_private]
Sent: Thursday, April 19, 2001 5:21 PM
To: INCIDENTSat_private
Subject: Re: More weird scans

Russell Fulton wrote:
>
> here is another weird scan...
>
> 18 Apr 01 13:12:21 tcp 255.255.255.255.31337 -> 130.216.210.99.515 S_
> 18 Apr 01 13:32:33 tcp 255.255.255.255.31337 -> 130.216.88.79.515 S_
> 18 Apr 01 14:23:39 tcp 255.255.255.255.31337 -> 130.216.80.141.515 S_
> 18 Apr 01 14:32:16 tcp 255.255.255.255.31337 -> 130.216.165.120.515 S_
> 18 Apr 01 15:06:51 tcp 255.255.255.255.31337 -> 130.216.229.183.515 S_
> 18 Apr 01 17:22:10 tcp 255.255.255.255.31337 -> 130.216.124.106.515 S_
> 18 Apr 01 17:42:23 tcp 255.255.255.255.31337 -> 130.216.202.2.515 S_
> 18 Apr 01 17:55:36 tcp 255.255.255.255.31337 -> 130.216.115.63.515 S_
> 18 Apr 01 18:58:22 tcp 255.255.255.255.31337 -> 130.216.73.134.515 S_
> 18 Apr 01 19:12:33 tcp 255.255.255.255.31337 -> 130.216.35.204.515 S_
> 18 Apr 01 20:56:08 tcp 255.255.255.255.31337 -> 130.216.57.184.515 S_
> 18 Apr 01 22:56:20 tcp 255.255.255.255.31337 -> 130.216.75.120.515 S_
> 18 Apr 01 23:06:08 tcp 255.255.255.255.31337 -> 130.216.150.227.515 S_

I have noted the same thing,

Apr16:

15:21:57.791300 255.255.255.255.31337 > AAA.BBB.CC4.72.515: S [tcp sum ok] 100:100(0) win 512 (ttl 232, id 62128)
0000: 4500 0028 f2b0 0000 e806 767e ffff ffff    E..(......v~....
0010: AABB CC48 7a69 0203 0000 0064 0000 0000    ....zi.....d....
0020: 5002 0200 c771 0000 fb8d 697b f514         P....q....i{..

22:58:37.451884 255.255.255.255.31337 > AAA.BBB.CC3.63.515: S [tcp sum ok] 100:100(0) win 512 (ttl 232, id 62128)
0000: 4500 0028 f2b0 0000 e806 7787 ffff ffff    E..(......w.....
0010: AABB CC3f 7a69 0203 0000 0064 0000 0000    ...?zi.....d....
0020: 5002 0200 c87a 0000 3565 3565 4167         P....z..5e5eAg

Apr17:

05:15:58.706757 255.255.255.255.31337 > AAA.BBB.CC4.102.515: S [tcp sum ok] 100:100(0) win 512 (ttl 242, id 62128)
0000: 4500 0028 f2b0 0000 f206 6c60 ffff ffff    E..(......l`....
0010: AABB CC66 7a69 0203 0000 0064 0000 0000    ...fzi.....d....
0020: 5002 0200 c753 0000 a7a0 7fce 4efe         P....S......N.

22:37:58.759311 255.255.255.255.31337 > AAA.BBB.CC5.191.515: S [tcp sum ok] 100:100(0) win 512 (ttl 232, id 62128)
0000: 4500 0028 f2b0 0000 e806 7507 ffff ffff    E..(......u.....
0010: AABB CCbf 7a69 0203 0000 0064 0000 0000    ....zi.....d....
0020: 5002 0200 c5fa 0000 0204 05b4 0101         P.............

Apr19:

00:37:53.292230 255.255.255.255.31337 > AAA.BBB.CC4.11.515: S [tcp sum ok] 100:100(0) win 512 (ttl 232, id 62128)
0000: 4500 0028 f2b0 0000 e806 76bb ffff ffff    E..(......v.....
0010: AABB CC0b 7a69 0203 0000 0064 0000 0000    ....zi.....d....
0020: 5002 0200 c7ae 0000 c76b 1399 8f9d         P........k....

A few interesting things. First, not all of the destination hosts are reachable from the Internet, implying these are aimed randomly. Second, the packet crafting is just too obvious: same sequence number (100), same IP ID (62128), same source port (31337 *eye roll*). Third, three have the same TTL and are likely from the same source, and one is different. Fourth, what are those six extra bytes of TCP data hanging off of each one? If we note the datagram length, they are part of the packet. The only thing that could have been done to make this more obvious is make it a SYN-FIN.

I also have a bunch of these exact same packets coming from "real" IP addresses. My best guess is that a worm or kit is not binding itself properly to an interface and sending out these messed up 255.255.255.255 sourced probes. (A poorly written worm!? Say it ain't so!)
--
Crist J. Clark                                Network Security Engineer
crist.clarkat_private                         Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
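The fields Crist's analysis rests on (source 255.255.255.255, sport 31337, IP ID 62128, ISN 100, TTL, the SYN flag, and the bytes trailing the datagram) can be pulled straight out of the hex dumps he posted. The Python below is an added example for this archive page, not code from the thread or from anyone on it; it embeds the five dumps above (with the AABB.CC placeholder the post already uses for the destination net), decodes the IPv4 and TCP headers, and collapses each field to the distinct values seen so constant fields that a real stack would vary stand out. It adds two checks worth making on any such dump: it compares the IP total-length field (0x0028 = 40, i.e. 20 bytes IP + 20 bytes TCP) with the number of bytes captured, so the six trailing bytes are reported as lying outside the datagram rather than inside it (a 40-byte datagram on Ethernet is padded to the 46-byte minimum frame payload, which is exactly six bytes), and it recomputes the IP header checksum, which cannot verify here because the addresses were anonymised after tcpdump printed its "[tcp sum ok]" on the real capture. The function and type names (parse_hexdump, decode, fingerprint, Probe) are my own.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, List

# Hex dumps copied from the tcpdump output in the message above (ASCII column
# dropped). The destination net was anonymised there as AABB.CC, so the IP
# header checksum fields no longer verify against the bytes shown.
DUMPS: Dict[str, str] = {
    "Apr16 15:21:57": """0000: 4500 0028 f2b0 0000 e806 767e ffff ffff
                         0010: AABB CC48 7a69 0203 0000 0064 0000 0000
                         0020: 5002 0200 c771 0000 fb8d 697b f514""",
    "Apr16 22:58:37": """0000: 4500 0028 f2b0 0000 e806 7787 ffff ffff
                         0010: AABB CC3f 7a69 0203 0000 0064 0000 0000
                         0020: 5002 0200 c87a 0000 3565 3565 4167""",
    "Apr17 05:15:58": """0000: 4500 0028 f2b0 0000 f206 6c60 ffff ffff
                         0010: AABB CC66 7a69 0203 0000 0064 0000 0000
                         0020: 5002 0200 c753 0000 a7a0 7fce 4efe""",
    "Apr17 22:37:58": """0000: 4500 0028 f2b0 0000 e806 7507 ffff ffff
                         0010: AABB CCbf 7a69 0203 0000 0064 0000 0000
                         0020: 5002 0200 c5fa 0000 0204 05b4 0101""",
    "Apr19 00:37:53": """0000: 4500 0028 f2b0 0000 e806 76bb ffff ffff
                         0010: AABB CC0b 7a69 0203 0000 0064 0000 0000
                         0020: 5002 0200 c7ae 0000 c76b 1399 8f9d""",
}

HEX_WORD = re.compile(r"^[0-9A-Fa-f]{2,4}$")
TCP_FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))


@dataclass(frozen=True)
class Probe:
    label: str
    captured_len: int      # bytes present in the dump
    total_len: int         # IPv4 total-length field
    ip_id: int
    ttl: int
    ip_checksum_ok: bool   # header checksum recomputed over the bytes shown
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str
    window: int
    trailer: bytes         # bytes beyond the IPv4 total length


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from 'offset: xxxx xxxx ... ascii' lines. Reading stops at
    the first non-hex token so an ASCII column (which can contain runs such as
    '5e5e') is never swallowed."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        for tok in tokens[1:]:
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header with its checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(label: str, dump: str) -> Probe:
    raw = parse_hexdump(dump)
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(raw) < total_len or total_len < ihl + 20:
        raise ValueError(f"{label}: not a complete TCP/IPv4 datagram")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    flags = "".join(letter for letter, bit in TCP_FLAG_BITS if off_flags & bit)
    return Probe(label, len(raw), total_len, ip_id, ttl, ip_header_checksum(raw[:ihl]) == csum,
                 src, dst, sport, dport, seq, flags, window, raw[total_len:])


def fingerprint(probes: List[Probe]) -> dict:
    """Distinct values per field across the set; a real stack varies IP ID, ISN and
    ephemeral port, so a single value in each is the crafting tell."""
    def distinct(attr: str) -> list:
        return sorted({getattr(p, attr) for p in probes})
    return {
        "count": len(probes),
        "src": distinct("src"), "sport": distinct("sport"), "dport": distinct("dport"),
        "ip_id": distinct("ip_id"), "seq": distinct("seq"), "ttl": distinct("ttl"),
        "flags": distinct("flags"), "window": distinct("window"),
        "bytes_beyond_ip_length": sorted({p.captured_len - p.total_len for p in probes}),
        "checksums_verify": any(p.ip_checksum_ok for p in probes),
    }


PROBES = [decode(label, dump) for label, dump in DUMPS.items()]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p.label}: {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags} seq={p.seq} id={p.ip_id} "
              f"ttl={p.ttl} iplen={p.total_len} captured={p.captured_len} trailer={p.trailer.hex()}")
    for key, value in fingerprint(PROBES).items():
        print(f"{key}: {value}")
```

Run it as a script and the fingerprint shows one value each for src, sport, dport, ip_id, seq, flags and window, two TTLs (232 and 242), six bytes beyond the IP length on every packet, and no header checksum verifying on the anonymised bytes. The trailer of the Apr17 22:37:58 packet decodes as 02 04 05 b4 01 01, which is what a TCP MSS option plus two NOPs looks like, so the padding appears to carry whatever was left in the sender's buffer rather than anything addressed to the printer port.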
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 08:38:11 PDT