I actually have some experience with this host. It was scanning some networks and so I decided to take a look. This machine appears to scan any machine that connects to it. Send a single SYN packet at this machine and it will scan you in return. I thought this was pretty interesting and started doing some more research into the purpose of this, as it may be some new kind of tool we have not seen.

1. Sending a SYN packet to the machine on port 109 results in 10+ SYN packets coming back to the sending machine on port 109.

2. Sending a SYN packet to the machine on port 53 results in 5+ SYN packets coming back to the sending machine on ports 109 and 53. This would imply a sort of memory. The host knew I had sent a packet to 109 and 53, so it responded with SYN packets to 109 and 53. I'm not sure when this history expires, but so far it has remembered for 12 minutes since the first packet to 109.

3. Sending a SYN packet to one of the 'reflected ports' results in two more SYN packets coming inbound to the sending machine on ports 109 and 53. These SYN packets continue in sets of 2 (two to 109, two to 53) for 14 minutes in *exactly* two minute intervals.

4. The host will only respond with SYN packets on the port it received one on. So, if you send a SYN to 111, 109 and 53 it will send SYNs back on the same ports.

5. The host seems to respond (send a SYN back) if you connect to it on: 21, 111, 109, 515, 53. Other ports are ignored and no port is listening (never got an ACK or RST).

I set up a listening TCP socket on port 109 of a local machine and sent 203.232.4.4 a SYN on port 109 to get a return connection. The machine indeed sent a SYN back to local:109 and the local machine ACKed it. However, 203.232.4.4 never ACKed back, so it never fully connected.

Theories on the purpose of this? Distributed port scanner looking for specific ports? Misconfigured firewall?

If you search for 203.232.4.4 with Google, you will find logs of other people seeing this host scan them.
I'll keep looking into this and post any new findings here: http://www.securityreports.com/mirror.txt

Thanks,
Jon

On Wed, 25 Apr 2001 buschermannat_private wrote:

> Hi all,
> yesterday we received a scan for ports 53, 109 and 111 with the synscan tool
> from one IP for about one minute.
> Port 53 and 111 are the well-known vulnerabilities of bind-daemon and
> rpc.statd, but what is 109 for?
> I know it's pop2 but I can't remember any exploits lately besides
>
> http://www.securityfocus.com/vdb/?id=283
>
> and this is old news.
>
> Has anyone received similar scans recently?
> Could this be a new variant of any of the latest worms?
> Could this be a simple synscan scan where old and newer vulnerabilities
> have been mixed?
>
> regards
> axel
>
> Times are MEST
> --snip--
>
> [**] spp_portscan: PORTSCAN DETECTED from 203.232.4.4 (STEALTH) [**]
> 04/24-17:21:10.724734
>
> [**] IDS441 - SCAN - Synscan Portscan [**]
> 04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x6D4C2D68 Ack: 0x50D8DCC2 Win: 0x404 TcpLen: 20
>
> [**] spp_portscan: portscan status from 203.232.4.4: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> 04/24-17:21:25.979399
>
> [**] IDS441 - SCAN - Synscan Portscan [**]
> 04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x5D276564 Ack: 0x29976377 Win: 0x404 TcpLen: 20
>
> [**] spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
> 04/24-17:22:08.367210
>
> [**] IDS441 - SCAN - Synscan Portscan [**]
> 04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x23DC50AF Ack: 0x167205BA Win: 0x404 TcpLen: 20
>
> [**] spp_portscan: End of portscan from 203.232.4.4: TOTAL time(58s) hosts(1) TCP(3) UDP(0) STEALTH [**]
> 04/24-17:25:20.680558
>
> ---snip---
>
> --
> GMX - The communications platform on the Internet.
> http://www.gmx.net
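The three IDS441 records quoted above share the same fixed header values (SYN and FIN both set, TCP window 0x404, IP ID 39426) and a source port equal to the destination port, which is the port mirroring Jon describes. The following Python is an added example, not part of either message in this thread: it parses Snort full-alert records in the quoted layout and flags both the fixed-header fingerprint and the port-mirroring symptom separately. The sample log is constructed after the quoted records (a third, ordinary SYN is added as a negative control), and the constants are taken from the records as shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Header constants copied from the quoted IDS441 records (identical on all three).
SYNSCAN_WINDOW = 0x404
SYNSCAN_IPID = 39426

# Constructed sample in the Snort full-alert layout, modelled on the quoted
# records (addresses masked the same way).  The third record is an ordinary
# SYN added here as a negative control; it is not from the original post.
SAMPLE_LOG = """\
[**] IDS441 - SCAN - Synscan Portscan [**]
04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x6D4C2D68 Ack: 0x50D8DCC2 Win: 0x404 TcpLen: 20

[**] IDS441 - SCAN - Synscan Portscan [**]
04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x23DC50AF Ack: 0x167205BA Win: 0x404 TcpLen: 20

[**] constructed: ordinary connection attempt [**]
04/24-17:30:00.000000 10.0.0.5:40321 -> x.x.x.68:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60
******S* Seq: 0x11111111 Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

# One regex per line of a TCP alert record: "ts src:sport -> dst:dport",
# the IP header line, and the TCP header line (flags are 8 fixed columns).
HDR_RE = re.compile(r"^\S+\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)")
TCP_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: 0x(?P<win>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Finding:
    alert: str
    src: str
    sport: int
    dst: str
    dport: int
    indicators: FrozenSet[str]
    synscan: bool          # True when the full fixed-header fingerprint is present


def parse_flags(field: str) -> FrozenSet[str]:
    """Snort prints flags as 8 columns in the order 1 2 U A P R S F; '*' means unset."""
    return frozenset(ch for ch in field if ch != "*")


def synscan_indicators(flags: FrozenSet[str], win: int, ipid: int,
                       sport: int, dport: int) -> FrozenSet[str]:
    hits: Set[str] = set()
    if {"S", "F"} <= flags:
        hits.add("syn+fin")          # illegal combination; no normal stack sends it
    if win == SYNSCAN_WINDOW:
        hits.add("win_0x404")
    if ipid == SYNSCAN_IPID:
        hits.add("ipid_39426")
    if sport == dport:
        hits.add("sport_eq_dport")   # the mirroring symptom, independent of the tool
    return frozenset(hits)


def parse_record(block: str) -> Optional[Finding]:
    """Parse one blank-line-separated alert record; None if it is not a complete TCP record."""
    alert, hdr, ip, tcp = None, None, None, None
    for line in block.strip().splitlines():
        line = line.strip()
        if alert is None and line.startswith("[**]"):
            alert = line.strip("[*] ")
        elif hdr is None and HDR_RE.match(line):
            hdr = HDR_RE.match(line)
        elif ip is None and IP_RE.match(line):
            ip = IP_RE.match(line)
        elif tcp is None and TCP_RE.match(line):
            tcp = TCP_RE.match(line)
    if not (hdr and ip and tcp):
        return None
    sport, dport = int(hdr["sport"]), int(hdr["dport"])
    ind = synscan_indicators(parse_flags(tcp["flags"]), int(tcp["win"], 16),
                             int(ip["ipid"]), sport, dport)
    fingerprint = {"syn+fin", "win_0x404", "ipid_39426"} <= ind
    return Finding(alert or "", hdr["src"], sport, hdr["dst"], dport, ind, fingerprint)


def analyze_log(text: str) -> List[Finding]:
    blocks = re.split(r"\n\s*\n", text.strip())
    return [f for f in map(parse_record, blocks) if f is not None]


def mirrored_ports(findings: List[Finding]) -> Dict[str, Set[int]]:
    """Per source host, the destination ports hit with source port == destination port."""
    out: Dict[str, Set[int]] = {}
    for f in findings:
        if "sport_eq_dport" in f.indicators:
            out.setdefault(f.src, set()).add(f.dport)
    return out


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} synscan={f.synscan} {sorted(f.indicators)}")
    print("mirrored ports:", mirrored_ports(results))
```

The two checks are kept separate on purpose: the fixed-header fingerprint identifies the scanner (a tool that hard-codes window and IP ID, as these records do), while source port equal to destination port is the behaviour Jon observed and would survive a change of tool. If the host really does mirror whatever port it was probed on, the mirrored-port set per source is the thing to watch over time, not the signature name.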
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 16:14:53 PDT