Yeah, definitely a scan. Snort detects it as an NMAP XMAS scan, but in
reality it could be any packet crafting tool (nemesis, hping2 or nmap).
Here's a sample packet that's hit my IDS with a SRC PORT of 5635:

-----------------
#(1 - 8041) [2001-07-10 18:50:38]  NMAP XMAS scan
IPv4: 212.111.188.176 -> 194.130.109.65
      hlen=5 TOS=0 dlen=106 ID=64773 flags=0 offset=0 TTL=111 chksum=19876
TCP:  port=5635 -> dport: 0  flags=**U*P**F seq=1359020032
      ack=1292042247 off=0 res=2 win=43093 urp=9716 chksum=7155
Payload:  length = 66
000 : 40 CC C6 34 62 66 E0 DF FF 1D 86 BE 4E F6 BF 60   @..4bf......N..`
010 : 70 95 33 11 C9 1A 0F 20 AB 63 27 36 F1 C9 D4 D3   p.3.... .c'6....
020 : B9 00 DC 4F 44 E1 83 25 AB 47 7D 20 CB DB EE BC   ...OD..%.G} ....
030 : 42 9C 21 BE 5C 95 1B A2 00 06 00 03 00 08 00 06   B.!.\...........
040 : 01 00                                             ..
-----------------

Rgds,
Scott

Curt Purdy wrote:
>
> IMO, this looks like an hping2 scan. See
> http://project.honeynet.org/scans/arch/scan1.txt for a sample honeynet scan
> that is just the opposite (dest 0 - src high port). But as they explain,
> the default hping2 is actually (src 0 - dest high port) as in your case.
>
> Curt Purdy
> Information Systems Engineer
> DP Solutions
>
> -----Original Message-----
> From: rltat_private [mailto:rltat_private]
> Sent: Tuesday, July 10, 2001 10:11 AM
> To: incidentsat_private
> Subject: TCP Src 5635: what is it?
>
> Just a little help needed here. I've been seeing a lot of traffic with
> a source port of 5635 and a destination port of 0. Searching on Google
> yields no significant results. There were two forums that asked the
> same question and haven't yet gotten an answer. I asked the posters for
> more information and if their problems had been resolved but I haven't
> gotten a response yet. So, any help and/or insight would be much
> appreciated.
>
> Here's an excerpt from my logs:
>
> Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
> ,,,,,,
> 6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
> 6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
> 6/28/01 16:55,63.254.34.74 (A010-0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
> 6/28/01 17:50,208.33.170.154 (cvxp154.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,rst
> 6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack urg
> 6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst
> 6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,rst urg
> 6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:27,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:28,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,psh urg
> 6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
> 6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
>
> The TCP flags are varied. I know it's not indicated here but I didn't
> want to send the entire list of attempts.
>
> The server that these IP's are destined for happens to be an HTTPS
> server. And these IP's have also established full connections with the
> server. So I'm not sure if this is an attack or some wacky software
> mis-configuration.
>
> Again, any help and/or insight would be appreciated.
>
> Thanks in advance.
>
> -Rick
>
> ----------------------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

--
Scott Nursten - Systems Administrator
Streets Online Ltd.
Direct:   +44 (0) 1293 744 122
Business: +44 (0) 1293 402 040
Fax:      +44 (0) 1293 402 050
Email:    scottnat_private
-----------------------------------------------------------------------
"Unix is user friendly. It's just selective when choosing friends."
-----------------------------------------------------------------------
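A defender's check on the flag combinations quoted in this thread (an added example, not code posted by anyone on the list): it parses a few of Rick's CSV log lines, adds one line constructed from the URG/PSH/FIN flags in Scott's Snort alert, and tallies per source address the combinations that cannot occur in a normal TCP exchange, which is what separates crafted probes from odd-but-legitimate traffic.

```python
from collections import Counter

# Constructed sample log: lines copied from the excerpt Rick posted, plus one line
# built from the flags in Scott's Snort alert (**U*P**F = URG, PSH, FIN).
SAMPLE_LOG = """\
Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
6/28/01 16:55,63.254.34.74 (A010-0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack urg
6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:28,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,psh urg
7/10/01 18:50,212.111.188.176,5635,Host.In.Our.DMZ,0,TCP,fin psh urg
"""

def parse_line(line):
    """Split one CSV log line into a record; header and blank rows give None."""
    fields = line.split(",")
    if len(fields) != 7 or not fields[2].isdigit():
        return None
    when, src, sport, dst, dport, proto, flags = fields
    return {"time": when, "src": src.split(" ")[0], "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
            "flags": frozenset(flags.lower().split())}

def classify(rec):
    """Reasons a segment looks crafted rather than part of a normal TCP exchange."""
    f = rec["flags"]
    reasons = []
    if rec["dport"] == 0:
        reasons.append("dport-0")      # port 0 is reserved; nothing legitimately listens there
    if not f:
        reasons.append("null-scan")    # no flags set at all
    if {"fin", "psh", "urg"} <= f and not ({"syn", "ack"} & f):
        reasons.append("xmas")         # URG+PSH+FIN, the combination Snort reported
    if "syn" in f and ({"fin", "rst"} & f):
        reasons.append("syn+fin/rst")  # mutually exclusive in a real handshake
    elif {"fin", "rst"} <= f:
        reasons.append("fin+rst")
    return reasons

def summarize(log):
    """Per-source tally of suspicious segments: {src: Counter(reason -> count)}."""
    tally = {}
    for rec in filter(None, map(parse_line, log.splitlines())):
        reasons = classify(rec)
        if reasons:
            tally.setdefault(rec["src"], Counter()).update(reasons)
    return tally
```

Running summarize(SAMPLE_LOG) flags every source in the excerpt on the destination port alone; the per-reason counts are what tell a crafted-flag probe apart from a host that merely hit port 0 by mistake.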
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:29:14 PDT