Re: Strange broadcasts to printer port

From: Crist Clark (crist.clarkat_private)
Date: Fri Jun 29 2001 - 10:21:59 PDT


    Mike Patchen wrote:
    > 
    > I have been seeing a lot of these too (5-7 per day).  Snort identifies them as "BACKDOOR Q access".  The only difference that I see is that the TOS is 0x00 in my logs.  I usually see these as a scan across my IP range, instead of being targeted at a certain machine.
    
    I've seen 182 of these. The first one came in on April 16th of this year.
    They have hit 164 different hosts, no host has been hit more than twice, 
    which is reasonable for totally random scans.
    
    > >>> Patrick Oonk <patrickat_private> 06/28/01 09:27AM >>>
    > Hi,
    > 
    > I have been seeing syn packets from src 255.255.255.255:31337 to random
    > ip-numbers port 515 in our nets for months.  Does anyone know what could cause this?
    
    I don't know, but I find these things humorous more than anything
    else. I mean, could it be _any_ more obvious these are crafted packets?
    We have the 'leet source port. We have a sequence number of 100 every time.
    We have the same IP ID every time, 62128. And then of course, the source
    address is The Broadcast Address. So, not only are they blatantly obvious
    and should set off every NIDS ever made, but they are harmless. There
    is no way the recipient could ever find the sender (even if it wanted to
    reply to a SYN from 255.255.255.255) if it's not local.
    
    My _guess_ has always been that these are the result of some broken
    worm or other tool. However, I do not see how such a worm could ever
    propagate. I never see attacks with this signature except including
    a valid source address.
    -- 
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
    The information contained in this e-mail message is confidential,
    intended only for the use of the individual or entity named above.  If
    the reader of this e-mail is not the intended recipient, or the employee
    or agent responsible to deliver it to the intended recipient, you are
    hereby notified that any review, dissemination, distribution or copying
    of this communication is strictly prohibited.  If you have received this
    e-mail in error, please contact postmasterat_private
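The signature Crist enumerates (TCP SYN from 255.255.255.255:31337 to port 515, sequence number 100, IP ID 62128) is simple to match mechanically, and a source address that can never receive a reply is itself enough to call the packet crafted. The following Python is an added example, not code from the list or from any poster: it parses a tcpdump-style log whose format and sample lines are constructed here (assumptions, not captures from anyone's network), flags packets by both criteria, and tallies hits per destination host so the "no host hit more than twice" pattern of a random scan can be checked.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address

# Packet signature as described in the thread: TCP SYN from
# 255.255.255.255:31337 to port 515 (lpd), sequence number 100, IP ID 62128.
BROADCAST_SRC = "255.255.255.255"
LEET_SPORT = 31337
LPD_DPORT = 515
FIXED_SEQ = 100
FIXED_IPID = 62128

# Constructed sample in a tcpdump-like "-v" layout (assumed format, not a
# capture from the poster's network). Lines 1, 2 and 5 carry the signature;
# line 3 is an ordinary SYN to the print port and line 4 is its SYN/ACK reply.
SAMPLE_LOG = """\
IP (tos 0x0, ttl 64, id 62128, proto TCP (6)) 255.255.255.255.31337 > 10.1.2.3.515: Flags [S], seq 100, win 512
IP (tos 0x0, ttl 64, id 62128, proto TCP (6)) 255.255.255.255.31337 > 10.1.2.77.515: Flags [S], seq 100, win 512
IP (tos 0x0, ttl 55, id 4211, proto TCP (6)) 192.0.2.10.43122 > 10.1.2.3.515: Flags [S], seq 884213, win 29200
IP (tos 0x0, ttl 64, id 4212, proto TCP (6)) 10.1.2.3.515 > 192.0.2.10.43122: Flags [S.], seq 10, ack 884214, win 65535
IP (tos 0x0, ttl 64, id 62128, proto TCP (6)) 255.255.255.255.31337 > 10.1.2.3.515: Flags [S], seq 100, win 512
"""

# Pulls IP ID, endpoints, TCP flags and sequence number out of one line.
LINE_RE = re.compile(
    r"id (?P<ipid>\d+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[A-Z.]*)\], seq (?P<seq>\d+)"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    ipid: int


def parse(line):
    """Return a Pkt for a line in the constructed format, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
               m["flags"], int(m["seq"]), int(m["ipid"]))


def unanswerable_source(src):
    """True when no reply could ever reach the claimed source: the limited
    broadcast address or another non-unicast address. Such a SYN is crafted."""
    a = IPv4Address(src)
    return src == BROADCAST_SRC or a.is_multicast or a.is_unspecified


def classify(pkt):
    """Reasons to flag this packet; an empty list means it looks ordinary."""
    reasons = []
    # A bare SYN (tcpdump prints "." for ACK, so "S." is a SYN/ACK).
    if pkt.flags == "S" and unanswerable_source(pkt.src):
        reasons.append("SYN from unanswerable source address")
    if (pkt.src == BROADCAST_SRC and pkt.sport == LEET_SPORT
            and pkt.dport == LPD_DPORT and pkt.seq == FIXED_SEQ
            and pkt.ipid == FIXED_IPID):
        reasons.append("fixed seq/IP ID signature from the thread")
    return reasons


def scan(log):
    """Flag crafted packets and tally hits per destination host, so the
    'no host hit more than twice' pattern of a random scan can be checked."""
    flagged = []
    hits = Counter()
    for line in log.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        reasons = classify(pkt)
        if reasons:
            flagged.append((pkt, reasons))
            hits[pkt.dst] += 1
    return flagged, hits


if __name__ == "__main__":
    flagged, hits = scan(SAMPLE_LOG)
    for pkt, reasons in flagged:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {'; '.join(reasons)}")
    print("hits per destination:", dict(hits))
```

On the constructed sample this flags the three broadcast-sourced SYNs (each for both reasons) and leaves the normal SYN and its SYN/ACK alone; the per-destination tally shows 10.1.2.3 hit twice and 10.1.2.77 once. The unanswerable-source check is the more general of the two: it catches the same class of crafted packet even if the tool changes its fixed sequence number or IP ID.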
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 09:24:04 PDT