SYN FIN Scan with src port == dst port

From: Nicolas Gregoire (nicolas.gregoireat_private)
Date: Tue Jun 19 2001 - 02:25:34 PDT


    Hi,
    
    here are some logs from probes done by compromised boxes.
    The first one (hacked_1) is a default RedHat 6.2 and the second one
    (hacked_2) is a default Cobalt 5.0.
    Admins have been notified.
    
    Jun 17 21:23:22 my_box_1 snort[468]: SCAN-SYN FIN: hacked_1:511 -> my_box_1:511
    Jun 17 21:23:22 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_1:511 -> my_box_2:511
    
    Jun 18 20:52:42 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:21 -> my_box_2:21
    Jun 18 20:52:42 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:21 -> my_box_1:21
    Jun 18 20:52:52 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
    Jun 18 20:52:52 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:111 -> my_box_1:111
    Jun 18 20:53:01 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:511 -> my_box_2:511
    Jun 18 20:53:01 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:511 -> my_box_1:511
    Jun 18 20:53:15 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:54321 -> my_box_2:54321
    Jun 18 20:53:15 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:54321 -> my_box_1:54321
    Jun 18 20:53:24 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:79 -> my_box_2:79
    Jun 18 20:53:24 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:79 -> my_box_1:79
    Jun 18 20:54:48 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:53 -> my_box_2:53
    Jun 18 20:54:48 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:53 -> my_box_1:53
    Jun 18 20:54:48 my_box_2 snort[5207]: IDS277 - NAMED Iquery Probe: hacked_2:2232 -> my_box_2:53
    Jun 18 20:54:48 my_box_2 named[844]: denied query from [hacked_2].2232 for "version.bind"
    Jun 18 20:54:48 my_box_2 snort[5207]: MISC-DNS-version-query: hacked_2:2232 -> my_box_2:53
    Jun 18 20:55:21 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
    Jun 18 20:55:21 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:111 -> my_box_1:111
    Jun 18 20:56:00 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:1080 -> my_box_2:1080
    Jun 18 20:56:00 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:1080 -> my_box_1:1080
    
    The first one has a root shell bound to port 511; the second one does not.
    The strange thing is that these 2 boxes are located in France, like me,
    and have the same patterns.
    Every packet has the same values for a few fields:
    TOS:0x0 ID:39426 IpLen:20 DgmLen:40 Win: 0x404  TcpLen: 20
    
    Have you ever seen that?
    
    Nicob
    (please excuse my English)
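An added triage example, not part of Nicolas's post or of snort: a small Python script that parses syslog-style snort alerts like the ones quoted above, keeps only the "SCAN-SYN FIN" alerts whose source port equals the destination port, groups them per probing host across the sensors that saw them, and checks a packet-header string against the constant field values he reports (ID 39426, 40-byte datagram, window 0x404). The sample log lines, host names, regular expressions and function names are constructed for this example and are not taken from any real tool or site.

```python
"""Triage helper for syslog-style snort alerts of the kind quoted in the post.

Flags 'SCAN-SYN FIN' alerts whose source port equals the destination port,
groups them per scanning host, and checks header fields against the fixed
values the post reports. All sample input below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample alerts, modelled on the lines quoted in the post
# (one non-matching probe and one named[] line included on purpose).
SAMPLE_LOGS = """\
Jun 18 20:52:42 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:21 -> my_box_2:21
Jun 18 20:52:42 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:21 -> my_box_1:21
Jun 18 20:52:52 my_box_2 snort[5207]: SCAN-SYN FIN: hacked_2:111 -> my_box_2:111
Jun 18 20:53:15 my_box_1 snort[468]: SCAN-SYN FIN: hacked_2:54321 -> my_box_1:54321
Jun 18 20:54:48 my_box_2 snort[5207]: IDS277 - NAMED Iquery Probe: hacked_2:2232 -> my_box_2:53
Jun 18 20:54:48 my_box_2 named[844]: denied query from [hacked_2].2232 for "version.bind"
Jun 18 21:10:03 my_box_1 snort[468]: SCAN-SYN FIN: other_host:40000 -> my_box_1:22
"""

# Assumed layout of the one-line syslog form: "<ts> <sensor> snort[pid]: <sig>: src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<sensor>\S+) snort\[\d+\]: "
    r"(?P<sig>.+?): (?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

# Header values the post reports as identical on every probe packet.
FINGERPRINT = {"TOS": "0x0", "ID": "39426", "IpLen": "20", "DgmLen": "40",
               "Win": "0x404", "TcpLen": "20"}
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")


def parse_alert(line):
    """Return a dict for a snort alert line, or None for anything else (e.g. named)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sport"] = int(alert["sport"])
    alert["dport"] = int(alert["dport"])
    return alert


def is_mirrored_synfin(alert):
    """The pattern in the post: SYN+FIN alert with source port == destination port."""
    return alert["sig"] == "SCAN-SYN FIN" and alert["sport"] == alert["dport"]


def parse_header_fields(text):
    """Turn 'TOS:0x0 ID:39426 ... Win: 0x404 TcpLen: 20' into a dict of field -> value."""
    return dict(FIELD_RE.findall(text))


def matches_fingerprint(text):
    """True when every field in FINGERPRINT is present with the value the post reports."""
    fields = parse_header_fields(text)
    return all(fields.get(k) == v for k, v in FINGERPRINT.items())


def summarize(log_text):
    """Group mirrored SYN+FIN probes by source host: ports tried, sensors, first/last seen.

    First/last timestamps assume the lines are in chronological order.
    """
    report = defaultdict(lambda: {"ports": set(), "sensors": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None or not is_mirrored_synfin(alert):
            continue
        entry = report[alert["src"]]
        entry["ports"].add(alert["dport"])
        entry["sensors"].add(alert["sensor"])
        entry["first"] = entry["first"] or alert["ts"]
        entry["last"] = alert["ts"]
    return {src: {"ports": sorted(e["ports"]), "sensors": sorted(e["sensors"]),
                  "first": e["first"], "last": e["last"]} for src, e in report.items()}


if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOGS).items():
        print(f"{src}: ports {e['ports']} seen by {e['sensors']} "
              f"between {e['first']} and {e['last']}")
    print("header fingerprint match:", matches_fingerprint(
        "TOS:0x0 ID:39426 IpLen:20 DgmLen:40 Win: 0x404  TcpLen: 20"))
```

Run as a script it prints one summary line per probing host; with the constructed input only hacked_2 qualifies, because the other_host alert has differing ports and the named[] line is not a snort alert at all. The header check is meant for snort's multi-line alert output, where the TOS/ID/Win fields appear; the one-line syslog form carries no header fields, so the two checks are kept separate.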
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:20:30 PDT