Since I went home yesterday we've had two weird scans. They look weird for two reasons.

1. We did not log all traffic from the causing system, just the origin snort ruleset and some custom ones.
2. In one case the ICMP Echo Replies come after the scan has been initiated.

Excerpts from logfiles:

[2002-02-06 03:02:57] 62.54.132.238:4794 -> *.*.*.68:80 WEB-IIS cmd.exe access
[2002-02-06 03:03:02] 62.54.132.238:4797 -> *.*.*.68:80 WEB-IIS cmd.exe access
[2002-02-06 03:03:30] 62.54.132.238:4799 -> *.*.*.68:80 WEB-IIS cmd.exe access
[2002-02-06 03:10:46] 62.54.132.238:4896 -> *.*.*.68:80 WEB-IIS cmd.exe access
[2002-02-06 03:17:13] 62.54.132.238:4983 -> *.*.*.68:21 Generic FTP scan
[2002-02-06 03:17:13] 62.54.132.238:4983 -> *.*.*.68:21 Generic FTP scan
[2002-02-06 03:17:15] 62.54.132.238:4983 -> *.*.*.68:21 Generic FTP scan
[2002-02-06 03:21:18] 62.54.132.238:1515 -> *.*.*.68:80 WEB-IIS cmd.exe access
[2002-02-06 03:27:43] 62.54.132.238:1886 -> *.*.*.68:1080 SCAN Proxy attempt
[2002-02-06 03:27:43] 62.54.132.238:1886 -> *.*.*.68:1080 SCAN Proxy attempt
[2002-02-06 03:27:44] 62.54.132.238:1886 -> *.*.*.68:1080 SCAN Proxy attempt
[2002-02-06 03:19:09] 62.54.132.238 -> *.*.*.68 ICMP superscan echo
[2002-02-06 03:19:51] 62.54.132.238 -> *.*.*.73 ICMP superscan echo
[2002-02-06 03:20:40] 62.54.132.238 -> *.*.*.7 ICMP superscan echo
[2002-02-06 03:22:35] 62.54.132.238 -> *.*.*.68 ICMP superscan echo
[2002-02-06 03:25:26] 62.54.132.238 -> *.*.*.68 ICMP superscan echo
[2002-02-06 03:27:25] 62.54.132.238 -> *.*.*.68 ICMP superscan echo
[2002-02-06 03:27:43] 62.54.132.238 -> *.*.*.68 ICMP superscan echo

This fellow did some ordinary cmd.exe?/c+dir+c: attempts and then some scans for port 21 and 1080. And _after_ he had scanned the ports we can see some ICMP Echo Requests with 8 bytes of data, all zeroes. I only know one tool for scanning that sends this kind of ICMP packets and that is SuperScan from Foundstone, and that one does it before the portscan.

Obviously he must have scanned several other ports after the ICMP packets but none of the ports that are listed in my snort rules.

[2002-02-05 17:47:57] 64.226.245.15:1438 -> *.*.*.73:80 WEB-IIS cmd.exe access
[2002-02-05 17:48:00] 64.226.245.15:1472 -> *.*.*.76:80 WEB-IIS cmd.exe access
[2002-02-05 17:48:00] 64.226.245.15:1474 -> *.*.*.76:80 WEB-IIS CodeRed v2 root.exe access
[2002-02-05 17:48:00] 64.226.245.15:1479 -> *.*.*.76:80 WEB-IIS cmd.exe access
[2002-02-05 17:48:00] 64.226.245.15:1484 -> *.*.*.76:80 WEB-IIS cmd.exe access
[2002-02-05 17:48:01] 64.226.245.15:1487 -> *.*.*.76:80 WEB-IIS cmd.exe access
[2002-02-05 17:48:01] 64.226.245.15:1494 -> *.*.*.76:80 WEB-IIS cmd.exe access
[2002-02-05 17:48:01] 64.226.245.15:1496 -> *.*.*.76:80 WEB-IIS cmd.exe access
[2002-02-05 17:46:00] 64.226.245.15 -> *.*.*.2 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:03] 64.226.245.15 -> *.*.*.3 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:06] 64.226.245.15 -> *.*.*.4 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:09] 64.226.245.15 -> *.*.*.5 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:12] 64.226.245.15 -> *.*.*.6 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:16] 64.226.245.15 -> *.*.*.7 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:18] 64.226.245.15 -> *.*.*.8 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:19] 64.226.245.15 -> *.*.*.9 [arachNIDS/162] ICMP PING NMAP

Here we have another scan but at least the ICMP Echo Requests are mixed with the other packets in the flow (not in this excerpt though). This one uses ICMP Echo Requests with no data at all.

My question: Is this some sort of known worm (have I been too long in my cave) or what?

/Johan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
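Two things a reader of a post like this usually wants to do before deciding what the scanner was: put the alert excerpts back into chronological order per source (the viewer groups them by rule, which is why the ICMP lines appear at the end even when they were sent first), and check an echo request's data against the two payload shapes the post describes: no data at all, which is what the arachNIDS/162 "ICMP PING NMAP" rule keys on, and exactly eight zero bytes, which is what the "ICMP superscan echo" rule keys on. The script below is an added example, not code from the post or from the list; the alert lines and packets it works on are constructed here (documentation addresses, made-up times), and the regex assumes the "[timestamp] src:port -> dst:port message" layout seen in the excerpts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alert lines in the same "[ts] src:port -> dst:port msg"
# shape as the post's excerpts; addresses and times are made up for this example.
SAMPLE_ALERTS = """\
[2002-02-06 03:02:57] 192.0.2.10:4794 -> 203.0.113.68:80 WEB-IIS cmd.exe access
[2002-02-06 03:17:13] 192.0.2.10:4983 -> 203.0.113.68:21 Generic FTP scan
[2002-02-06 03:27:43] 192.0.2.10:1886 -> 203.0.113.68:1080 SCAN Proxy attempt
[2002-02-06 03:19:09] 192.0.2.10 -> 203.0.113.68 ICMP superscan echo
[2002-02-06 03:20:40] 192.0.2.10 -> 203.0.113.7 ICMP superscan echo
[2002-02-05 17:47:57] 192.0.2.20:1438 -> 203.0.113.73:80 WEB-IIS cmd.exe access
[2002-02-05 17:46:00] 192.0.2.20 -> 203.0.113.2 [arachNIDS/162] ICMP PING NMAP
[2002-02-05 17:46:03] 192.0.2.20 -> 203.0.113.3 [arachNIDS/162] ICMP PING NMAP
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3})(?::\d+)? (?P<msg>.+)$"
)

def parse_alerts(text):
    """Parse alert lines and return them sorted by timestamp, undoing the
    per-rule grouping the viewer printed them in."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
                           "src": d["src"], "dst": d["dst"],
                           "icmp": "ICMP" in d["msg"], "msg": d["msg"]})
    return sorted(events, key=lambda e: e["ts"])

def phase_order(events):
    """Per source: did its first ICMP echo precede its first TCP probe,
    and how many distinct hosts did it touch?"""
    by_src = defaultdict(lambda: {"icmp": None, "tcp": None, "hosts": set()})
    for e in events:  # time-ordered, so the first hit per key is the earliest
        rec = by_src[e["src"]]
        rec["hosts"].add(e["dst"])
        key = "icmp" if e["icmp"] else "tcp"
        if rec[key] is None:
            rec[key] = e["ts"]
    result = {}
    for src, rec in by_src.items():
        if rec["icmp"] is None or rec["tcp"] is None:
            verdict = "incomplete"
        elif rec["icmp"] < rec["tcp"]:
            verdict = "ping-before-probe"
        else:
            verdict = "probe-before-ping"
        result[src] = (verdict, len(rec["hosts"]))
    return result

ICMP_ECHO_REQUEST = 8

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(payload, src=b"\xc0\x00\x02\x0a", dst=b"\xcb\x00\x71\x44"):
    """Minimal IPv4 + ICMP echo request, constructed here as test input."""
    icmp = bytes([ICMP_ECHO_REQUEST, 0, 0, 0]) + b"\x12\x34\x00\x01" + payload
    icmp = icmp[:2] + icmp_checksum(icmp).to_bytes(2, "big") + icmp[4:]
    ip = (b"\x45\x00" + (20 + len(icmp)).to_bytes(2, "big") + b"\x00\x00\x00\x00"
          + b"\x40\x01\x00\x00" + src + dst)  # TTL 64, proto 1, header checksum left 0
    return ip + icmp

def fingerprint_echo(packet):
    """Classify an echo request by its data, as the two Snort rules in the
    excerpts do: no data -> the NMAP ping rule, eight zero bytes -> the
    SuperScan echo rule; anything else is reported by length."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return "not-icmp"
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return "not-echo-request"
    data = icmp[8:]
    if not data:
        return "nmap-style: no data"
    if data == b"\x00" * 8:
        return "superscan-style: 8 zero bytes"
    return "other: %d data bytes" % len(data)

if __name__ == "__main__":
    for src, (verdict, n) in phase_order(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, verdict, "hosts=%d" % n)
    for data in (b"", b"\x00" * 8, b"abcdefghijklmnopqrstuvwabcdefghi"):
        print(fingerprint_echo(build_echo_request(data)))
```

On the constructed sample the first source comes out as "probe-before-ping" and the second as "ping-before-probe", which is the ordering the post found odd about the first scanner. The payload check is only as good as the rules it mirrors: a scanner that pads its echo with anything other than zero bytes or sends a normal ping-sized payload lands in the "other" bucket, so absence of either alert says nothing about whether a sweep happened.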
This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 08:30:09 PST