I actually have some experience with this host. It was scanning some
networks and so I decided to take a look.
This machine appears to scan any machine that connects to it. Send a
single SYN packet at this machine and it will scan you in return. I
thought this was pretty interesting and started doing some more research
into the purpose of this as it may be some new kind of tool we have not
seen.
1. Sending a SYN packet to the machine on port 109 results in 10+ SYN
packets coming back to the sending maichne on port 109.
2. Sending a SYN packet to the machine on port 53 results in 5+ SYN
packets coming back to the sending machine on port 109, 53. This would
imply a sort of memory. The host knew I had sent a packet to 109 and 53 so
repsonded with SYN packets to 109 and 53. I'm not sure when this history
expires, but so far it has remembered for 12 minutes since the first
packet to 109.
3. Sending a SYN packet to one of the 'reflected ports' results in two
more SYN packets coming inbound to the sending machine on ports 109 and
53. These SYN packets continue in sets of 2 (two to 109, two to 53) for 14
mintues in *exactly* two minute intervals.
4. The host will only respond with SYN packets on the port it received
one. So, if you send a SYN to 111, 109 and 53 it will send SYNs back on
the same ports.
5. The host seems to respond (send a SYN back) if you connect to it on:
21, 111, 109, 515, 53
Other ports are ignored and no port is listening (Never got an ACK, RST).
I setup a listening TCP socket on port 109 of a local machine and sent
203.232.4.4 a SYN on port 109 to get a return connection. The machine
indeed sent a SYN back to local:109 and the local machine ACKed it.
However, 203.232.4.4 never ACKed back so it never fully connected.
Theories on the purpose of this? Distributed port scanner looking for
specific ports? Misconfigured firewall?
If you search for 203.232.4.4 with google, you will find logs of other
people seeing this host scan them.
I'll keep looking into this and post any new findings here:
http://www.securityreports.com/mirror.txt
Thanks,
Jon
On Wed, 25 Apr 2001 buschermannat_private wrote:
> Hi all,
> yesterday we received a scan for ports 53, 109 and 111 with the synscantool
> from one ip for about one minute.
> Port 53 and 111 are the wellknown vulnerabilities of bind-daemon and
> rpc.statd but what is 109 for?
> I know itīs pop2 but i canīt remember any exploits lately besides
>
> http://www.securityfocus.com/vdb/?id=283
>
> and this is old news.
>
> Has anyone received similar scans in the last time?
> Could this be a new variant of any of the latest worms?
> Could this be a simple synscan-scan where old and newer vulnerabilities
> have been mixed?
>
> regards
> axel
>
> Times are MEST
> --snip--
>
> [**] spp_portscan: PORTSCAN DETECTED from 203.232.4.4 (STEALTH) [**]
> 04/24-17:21:10.724734
> [**] IDS441 - SCAN - Synscan Portscan [**]
> 04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x6D4C2D68 Ack: 0x50D8DCC2 Win: 0x404 TcpLen: 20
>
> [**] spp_portscan: portscan status from 203.232.4.4: 2 connections across 1
> hosts: TCP(2), UDP(0) STEALTH [**]
> 04/24-17:21:25.979399
> [**] IDS441 - SCAN - Synscan Portscan [**]
> 04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x5D276564 Ack: 0x29976377 Win: 0x404 TcpLen: 20
>
> [**] spp_portscan: portscan status from 203.232.4.4: 1 connections across 1
> hosts: TCP(1), UDP(0) STEALTH [**]
> 04/24-17:22:08.367210
> [**] IDS441 - SCAN - Synscan Portscan [**]
> 04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x23DC50AF Ack: 0x167205BA Win: 0x404 TcpLen: 20
>
> [**] spp_portscan: End of portscan from 203.232.4.4: TOTAL time(58s)
> hosts(1) TCP(3) UDP(0) STEALTH [**]
> 04/24-17:25:20.680558
>
> ---snip---
>
> --
> GMX - Die Kommunikationsplattform im Internet.
> http://www.gmx.net
>
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 16:14:53 PDT