Re: TCP Src 5635: what is it?

From: Scott Nursten (scott.nurstenat_private)
Date: Thu Jul 12 2001 - 01:58:30 PDT


    Yeah, definitely a scan. Snort detects it as an NMAP XMAS scan, but in reality, it could be any packet crafting tool (Nemesis, hping2 or nmap).
    
    Here's a sample packet that's hit my IDS with a SRC PORT of 5635:
    
    -----------------
    #(1 - 8041) [2001-07-10 18:50:38] NMAP XMAS scan
    IPv4: 212.111.188.176 -> 194.130.109.65
          hlen=5 TOS=0 dlen=106 ID=64773 flags=0 offset=0 TTL=111 chksum=19876
    TCP:  port=5635 -> dport: 0  flags=**U*P**F seq=1359020032
          ack=1292042247 off=0 res=2 win=43093 urp=9716 chksum=7155
    Payload:  length = 66
    
    000 : 40 CC C6 34 62 66 E0 DF FF 1D 86 BE 4E F6 BF 60   @..4bf......N..`
    010 : 70 95 33 11 C9 1A 0F 20 AB 63 27 36 F1 C9 D4 D3   p.3.... .c'6....
    020 : B9 00 DC 4F 44 E1 83 25 AB 47 7D 20 CB DB EE BC   ...OD..%.G} ....
    030 : 42 9C 21 BE 5C 95 1B A2 00 06 00 03 00 08 00 06   B.!.\...........
    040 : 01 00                                             ..
    
    -----------------
    
    Rgds,
    
    Scott
    
    Curt Purdy wrote:
    > 
    > IMO, this looks like an hping2 scan.  See
    > http://project.honeynet.org/scans/arch/scan1.txt for a sample honeynet scan
    > that is just the opposite (dest 0 - src high port).  But as they explain,
    > the default hping2 is actually (src 0 - dest high port) as in your case.
    > 
    > Curt Purdy
    > Information Systems Engineer
    > DP Solutions
    > 
    > -----Original Message-----
    > From: rltat_private [mailto:rltat_private]
    > Sent: Tuesday, July 10, 2001 10:11 AM
    > To: incidentsat_private
    > Subject: TCP Src 5635: what is it?
    > 
    > Just a little help needed here.  I've been seeing a lot of traffic with
    > a source port of 5635 and a destination port of 0.  Searching on google
    > yields no significant results.  There were two forums that asked the
    > same question and haven't yet gotten an answer.  I asked the posters for
    > more information and if their problems had been resolved but I haven't
    > gotten a response yet.  So, any help and/or insight would be much
    > appreciated.
    > 
    > Here's an excerpt from my logs:
    > 
    > Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
    > ,,,,,,
    > 6/28/01 15:41,208.33.170.61
    > (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
    > 6/28/01 15:41,208.33.170.61
    > (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
    > 6/28/01 16:55,63.254.34.74 (A010-
    > 0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
    > 6/28/01 17:50,208.33.170.154
    > (cvxp154.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,rst
    > 6/29/01 0:04,63.252.82.9 (A010-
    > 0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack
    > urg
    > 6/29/01 0:04,63.252.82.9 (A010-
    > 0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst
    > 6/29/01 0:04,63.252.82.9 (A010-
    > 0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,rst urg
    > 6/29/01 7:26,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:26,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:26,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:26,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:26,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:27,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:28,63.255.89.15 (A010-
    > 0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,psh urg
    > 6/29/01 7:34,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:34,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:34,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:34,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 6/29/01 7:35,209.156.206.217 (A020-
    > 0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    > 
    > The TCP flags are varied.  I know it's not indicated here but I didn't
    > want to send the entire list of attempts.
    > 
    > The server that these IPs are destined for happens to be an HTTPS
    > server.  And these IPs have also established full connections with the
    > server.  So I'm not sure if this is an attack or some wacky software
    > misconfiguration.
    > 
    > Again, any help and/or insight would be appreciated.
    > 
    > Thanks in advance.
    > 
    > -Rick
    > 
    > --------------------------------------
    > FREE ANONYMOUS EMAIL!  Sign up now.
    > http://www.subdimension.com/freemail
    > 
    > ----------------------------------------------------------------------------
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    > 
    
    -- 
    Scott Nursten - Systems Administrator
    Streets Online Ltd.
    
    Direct:		+44 (0) 1293 744 122
    Business:       +44 (0) 1293 402 040
    Fax:            +44 (0) 1293 402 050
    Email:          scottnat_private
    
          -----------------------------------------------------------------------
    	"Unix is user friendly. It's just selective when choosing friends."
          -----------------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
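As an added example (not code from any post in this thread), the Python below triages log lines in the CSV layout Rick posted: it flags destination port 0, the flag combinations a real TCP stack never emits that recur in his excerpt (SYN with FIN or RST, RST with PSH/URG, data or teardown flags with ACK clear), and the URG+PSH+FIN pattern Snort tagged as NMAP XMAS on Scott's packet (the `**U*P**F` in the decode). It also lists the distinct sources that all used one fixed source port toward port 0, which is the tell that the same tool sits behind them, since ephemeral ports vary per connection. The sample lines, the addresses (RFC 5737 documentation space) and the function names are constructed for this example and are not the originals from the thread.

```python
"""Flag-combination triage for TCP log lines (added example, not from the thread)."""
import csv
import io

FLAG_NAMES = ("fin", "syn", "rst", "psh", "ack", "urg")

# Constructed sample in the thread's CSV layout; addresses are documentation space,
# not the hosts from the original log.
SAMPLE_LOG = """\
Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
,,,,,,
6/28/01 15:41,198.51.100.61,5635,Host.In.Our.DMZ,0,TCP,
6/28/01 15:41,198.51.100.61,5635,Host.In.Our.DMZ,0,TCP,fin rst psh
6/28/01 16:55,198.51.100.74,5635,Host.In.Our.DMZ,0,TCP,syn psh
6/29/01 0:04,198.51.100.9,5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack urg
6/29/01 7:28,198.51.100.15,5635,Host.In.Our.DMZ,0,TCP,psh urg
6/29/01 7:30,198.51.100.15,5635,Host.In.Our.DMZ,0,TCP,fin psh urg
6/29/01 8:00,198.51.100.200,41234,Host.In.Our.DMZ,443,TCP,syn
6/29/01 8:00,198.51.100.200,41234,Host.In.Our.DMZ,443,TCP,psh ack
"""


def parse_flags(field):
    """'fin syn rst' -> frozenset({'fin', 'syn', 'rst'}); unknown tokens are an error."""
    tokens = field.lower().split()
    unknown = [t for t in tokens if t not in FLAG_NAMES]
    if unknown:
        raise ValueError(f"unknown TCP flag token(s): {unknown}")
    return frozenset(tokens)


def classify(flags, dport):
    """Return the reasons a segment looks crafted; an empty list means it looks normal.

    Port 0 is reserved and never a real service. SYN cannot share a segment with
    FIN or RST, RST carries no data so PSH/URG/FIN on it is meaningless, and every
    segment after the initial SYN carries ACK, so FIN/PSH/URG with ACK clear only
    come from a packet-crafting tool. URG+PSH+FIN alone is what Snort labels an
    NMAP XMAS scan.
    """
    reasons = []
    if dport == 0:
        reasons.append("destination port 0")
    if not flags:
        reasons.append("no flags set (NULL probe)")
    if "syn" in flags and flags & {"fin", "rst"}:
        reasons.append("SYN combined with FIN/RST")
    if "rst" in flags and flags & {"fin", "psh", "urg"}:
        reasons.append("RST combined with data-bearing flags")
    if flags == {"fin", "psh", "urg"}:
        reasons.append("URG+PSH+FIN (XMAS probe)")
    elif flags and not flags & {"ack", "syn", "rst"}:
        reasons.append("FIN/PSH/URG without ACK")
    return reasons


def analyze(log_text):
    """Parse rows in the thread's CSV layout and return one record per TCP row."""
    records = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[5].strip().upper() != "TCP":
            continue  # header line, blank separator row, or non-TCP traffic
        try:
            sport, dport = int(row[2]), int(row[4])
        except ValueError:
            continue  # malformed port fields
        flags = parse_flags(row[6])
        records.append({
            "time": row[0], "src": row[1], "sport": sport,
            "dst": row[3], "dport": dport, "flags": flags,
            "reasons": classify(flags, dport),
        })
    return records


def sources_sharing_port(records, sport, dport=0):
    """Distinct source hosts that all used the same source port toward dport.

    A real stack picks a fresh ephemeral port per connection; many unrelated hosts
    converging on one fixed source port points at a tool with the port hard-coded.
    """
    return sorted({r["src"] for r in records
                   if r["sport"] == sport and r["dport"] == dport})


def suspicious(records):
    """Only the records that triggered at least one rule."""
    return [r for r in records if r["reasons"]]


if __name__ == "__main__":
    recs = analyze(SAMPLE_LOG)
    for r in suspicious(recs):
        shown = " ".join(sorted(r["flags"])) or "-"
        print(f"{r['time']:14} {r['src']:>15}:{r['sport']} -> :{r['dport']} "
              f"[{shown}]  {'; '.join(r['reasons'])}")
    print("sources using sport 5635 -> dport 0:", sources_sharing_port(recs, 5635))
```

Run it as-is and the six port-0 rows are reported with their reasons while the two port-443 rows (a normal SYN and a PSH+ACK) pass; the rules are deliberately independent, so one crafted segment can carry several reasons.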
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:29:14 PDT