Re: scan for 109, new worm-variant or simple scan?

From: Jon O. (jonoat_private)
Date: Wed Apr 25 2001 - 13:22:48 PDT


    I actually have some experience with this host. It was scanning some
    networks and so I decided to take a look. 
    
    This machine appears to scan any machine that connects to it. Send a
    single SYN packet at this machine and it will scan you in return. I
    thought this was pretty interesting and started doing some more research
    into the purpose of this as it may be some new kind of tool we have not
    seen.
    
    
    1. Sending a SYN packet to the machine on port 109 results in 10+ SYN
    packets coming back to the sending machine on port 109.
    
    2. Sending a SYN packet to the machine on port 53 results in 5+ SYN
    packets coming back to the sending machine on port 109, 53. This would
    imply a sort of memory. The host knew I had sent a packet to 109 and 53 so
    responded with SYN packets to 109 and 53. I'm not sure when this history
    expires, but so far it has remembered for 12 minutes since the first
    packet to 109.
    
    3. Sending a SYN packet to one of the 'reflected ports' results in two
    more SYN packets coming inbound to the sending machine on ports 109 and
    53. These SYN packets continue in sets of 2 (two to 109, two to 53) for 14
    minutes in *exactly* two minute intervals.
    
    4. The host will only respond with SYN packets on the port it received
    one. So, if you send a SYN to 111, 109 and 53 it will send SYNs back on
    the same ports. 
    
    5. The host seems to respond (send a SYN back) if you connect to it on:
    	21, 111, 109, 515, 53
    Other ports are ignored and no port is listening (Never got an ACK, RST). 
    
    I set up a listening TCP socket on port 109 of a local machine and sent
    203.232.4.4 a SYN on port 109 to get a return connection. The machine
    indeed sent a SYN back to local:109 and the local machine ACKed it.
    However, 203.232.4.4 never ACKed back so it never fully connected.
                        
    Theories on the purpose of this? Distributed port scanner looking for
    specific ports? Misconfigured firewall? 
    
    If you search for 203.232.4.4 with google, you will find logs of other
    people seeing this host scan them.   
    
    I'll keep looking into this and post any new findings here:
    http://www.securityreports.com/mirror.txt 
    
    
    Thanks,
    Jon
    
    
    
    
    On Wed, 25 Apr 2001 buschermannat_private wrote:
    
    > Hi all,
    > yesterday we received a scan for ports 53, 109 and 111 with the synscan tool
    > from one ip for about one minute.
    > Port 53 and 111 are the well-known vulnerabilities of bind-daemon and
    > rpc.statd but what is 109 for?
    > I know it's pop2 but I can't remember any exploits lately besides
    > 
    > http://www.securityfocus.com/vdb/?id=283
    > 
    > and this is old news.
    > 
    > Has anyone received similar scans lately?
    > Could this be a new variant of any of the latest worms?
    > Could this be a simple synscan-scan where old and newer vulnerabilities
    > have been mixed?
    > 
    > regards
    > axel
    > 
    > Times are MEST
    > --snip--
    > 
    > [**] spp_portscan: PORTSCAN DETECTED from 203.232.4.4 (STEALTH) [**]
    > 04/24-17:21:10.724734
    > [**] IDS441 - SCAN - Synscan Portscan [**]
    > 04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
    > TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    > ******SF Seq: 0x6D4C2D68  Ack: 0x50D8DCC2  Win: 0x404  TcpLen: 20
    > 
    > [**] spp_portscan: portscan status from 203.232.4.4: 2 connections across 1
    > hosts: TCP(2), UDP(0) STEALTH [**]
    > 04/24-17:21:25.979399
    > [**] IDS441 - SCAN - Synscan Portscan [**]
    > 04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
    > TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    > ******SF Seq: 0x5D276564  Ack: 0x29976377  Win: 0x404  TcpLen: 20
    > 
    > [**] spp_portscan: portscan status from 203.232.4.4: 1 connections across 1
    > hosts: TCP(1), UDP(0) STEALTH [**]
    > 04/24-17:22:08.367210
    > [**] IDS441 - SCAN - Synscan Portscan [**]
    > 04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
    > TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    > ******SF Seq: 0x23DC50AF  Ack: 0x167205BA  Win: 0x404  TcpLen: 20
    > 
    > [**] spp_portscan: End of portscan from 203.232.4.4: TOTAL time(58s)
    > hosts(1) TCP(3) UDP(0) STEALTH [**]
    > 04/24-17:25:20.680558
    > 
    > ---snip---
    > 
    > --
    > GMX - The communication platform on the Internet.
    > http://www.gmx.net
    > 
    



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 16:14:53 PDT