Unusual TCP port 53 scan

From: Keith Owens (kaosat_private)
Date: Mon Jun 04 2001 - 05:46:12 PDT


    Just got hit by a scan for TCP port 53.  It is unusual in that each SYN
    packet has an associated RST packet with almost identical timestamp.
    Any idea which vulnerability they are trying to use?  It smells like an
    attack on some NAT box.  Logs are GMT.
    
    2001/06/04-12:03:42.677548 216.207.243.167.2417 > 203.34.97.5.53: S 737509983:737509983(0) win 32120 <mss 1460,sackOK,timestamp 67939961 0,nop,wscale 0> (DF)
    2001/06/04-12:03:42.687548 216.207.243.167.2417 > 203.34.97.5.53: R 0:0(0) win 0
    2001/06/04-12:03:43.527483 216.207.243.167.2420 > 203.34.97.8.53: S 734717774:734717774(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
    2001/06/04-12:03:43.537478 216.207.243.167.2420 > 203.34.97.8.53: R 0:0(0) win 0
    2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: S 736268655:736268655(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
    2001/06/04-12:03:43.547473 216.207.243.167.2421 > 203.34.97.9.53: R 0:0(0) win 0
    2001/06/04-12:03:43.557468 216.207.243.167.2422 > 203.34.97.10.53: S 737261904:737261904(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
    2001/06/04-12:03:43.567463 216.207.243.167.2422 > 203.34.97.10.53: R 0:0(0) win 0
    2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: S 739120319:739120319(0) win 32120 <mss 1460,sackOK,timestamp 67940061 0,nop,wscale 0> (DF)
    2001/06/04-12:03:43.577458 216.207.243.167.2423 > 203.34.97.11.53: R 0:0(0) win 0
    
    etc.
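One way to pick the SYN-then-RST pattern described above out of a tcpdump text log, as an added example that is not part of the original post. The sample lines are constructed in the post's log format using documentation addresses, and the function name and 50 ms pairing window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the post's tcpdump format (documentation addresses).
# The last two lines are a SYN whose RST arrives 3 s later with a non-zero
# sequence number, so they must not be reported as a pair.
SAMPLE = """\
2001/06/04-12:03:42.677548 198.51.100.7.2417 > 192.0.2.5.53: S 737509983:737509983(0) win 32120 <mss 1460> (DF)
2001/06/04-12:03:42.687548 198.51.100.7.2417 > 192.0.2.5.53: R 0:0(0) win 0
2001/06/04-12:03:43.527483 198.51.100.7.2420 > 192.0.2.8.53: S 734717774:734717774(0) win 32120 <mss 1460> (DF)
2001/06/04-12:03:43.537478 198.51.100.7.2420 > 192.0.2.8.53: R 0:0(0) win 0
2001/06/04-12:03:44.000000 198.51.100.9.3000 > 192.0.2.8.53: S 1:1(0) win 8192
2001/06/04-12:03:47.000000 198.51.100.9.3000 > 192.0.2.8.53: R 2:2(0) win 0
"""

# timestamp, src.port > dst.port: flags seq:...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SRFP.]+) (?P<seq>\d+):")

def find_syn_rst_pairs(text, max_gap=0.05):
    """Return (src, dst, dport, gap_seconds) for each SYN that the same
    source address and port follows with a zero-sequence RST within max_gap."""
    pending = {}  # (src, sport, dst, dport) -> timestamp of the last SYN seen
    pairs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a TCP line in the expected format
        when = datetime.strptime(m["ts"], "%Y/%m/%d-%H:%M:%S.%f")
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S":
            pending[key] = when
        elif m["flags"] == "R" and key in pending:
            gap = (when - pending.pop(key)).total_seconds()
            if gap <= max_gap and m["seq"] == "0":
                pairs.append((m["src"], m["dst"], int(m["dport"]), round(gap, 6)))
    return pairs

if __name__ == "__main__":
    for src, dst, dport, gap in find_syn_rst_pairs(SAMPLE):
        print(f"{src} -> {dst}:{dport} SYN then RST after {gap * 1000:.3f} ms")
```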
    


