Re: odd scans?

From: Bamm (Robert) Visscher (rvisscherat_private)
Date: Fri May 24 2002 - 13:34:47 PDT


    Mike,
    
    Looks like you are just the innocent bystander. An unknown attacker is
    most likely "spoofing" your IP in an attempt to synflood the victims
    (who are sending the resets). Check out this excellent paper for more
    info: http://home.satx.rr.com/bejtlich/intv2-8.html
    
    Bammkkkk
    
    On Fri, 2002-05-24 at 12:16, Scott, Michael R. wrote:
    > Anyone recognize this or have a clue what they're looking for (covert
    > channel, root shell) or what tool is responsible?  The source and dest ports
    > are almost as randomly distributed across the high range as the location of
    > the source IPs are across the globe, but notice that the same two ack
    > numbers repeat across all the source IPs.
    > 
    > thanks
    > Mike
    > 
    > May 04 15:13:54.192847 213.114.155.74.10363 > A.B.24.105.32320: R 0:0(0) ack
    > 2093292673 win 0
    > May 10 10:32:02.907545 202.96.170.175.23132 > A.B.24.105.16147: R 0:0(0) ack
    > 2119353641 win 0 (DF)
    > May 10 10:33:02.244385 202.96.170.175.28393 > A.B.24.105.27350: R 0:0(0) ack
    > 2093292673 win 0 (DF)
    > May 11 17:41:25.668000 195.159.0.90.25787 > A.B.24.105.50026: R 0:0(0) ack
    > 2093292673 win 0 (DF)
    > May 12 20:57:40.114036 195.159.0.90.17655 > A.B.24.105.42560: R 0:0(0) ack
    > 2093292673 win 0 (DF) [tos 0x60]
    > May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack
    > 2093292673 win 0
    > May 13 02:47:42.141686 210.51.195.242.13712 > A.B.24.105.13470: R 0:0(0) ack
    > 2119353641 win 0
    > May 13 03:08:44.392753 210.51.195.242.14624 > A.B.24.105.25786: R 0:0(0) ack
    > 2119353641 win 0
    > May 13 03:09:02.581235 210.51.195.242.21772 > A.B.24.105.55043: R 0:0(0) ack
    > 2093292673 win 0
    > May 13 03:14:07.108680 210.51.195.242.16260 > A.B.24.105.50721: R 0:0(0) ack
    > 2093292673 win 0
    > May 13 03:23:01.695751 210.51.195.242.24690 > A.B.24.105.43529: R 0:0(0) ack
    > 2093292673 win 0
    > May 13 03:30:40.841510 210.51.195.242.20326 > A.B.24.105.32961: R 0:0(0) ack
    > 2119353641 win 0
    > May 13 03:53:25.418298 195.159.0.90.28711 > A.B.24.105.54951: R 0:0(0) ack
    > 2093292673 win 0 (DF) [tos 0x60]
    > May 13 19:23:30.740548 202.103.196.69.5890 > A.B.24.105.55141: R 0:0(0) ack
    > 2093292673 win 0
    > May 14 09:14:44.181069 202.108.58.52.18598 > A.B.24.105.19788: R 0:0(0) ack
    > 2119353641 win 0
    > May 14 16:53:22.218980 195.159.0.90.14934 > A.B.24.105.42941: R 0:0(0) ack
    > 2093292673 win 0 (DF) [tos 0x60]
    > May 14 17:00:47.116523 195.159.0.90.22228 > A.B.24.105.54487: R 0:0(0) ack
    > 2093292673 win 0 (DF) [tos 0x60]
    > May 18 08:51:27.644959 218.1.1.158.2471 > A.B.24.105.49396: R 0:0(0) ack
    > 2093292673 win 0
    > May 19 02:35:23.141419 202.103.196.69.32229 > A.B.24.105.27436: R 0:0(0) ack
    > 2093292673 win 0
    > May 19 02:47:53.563776 202.103.196.61.8113 > A.B.24.105.32263: R 0:0(0) ack
    > 2093292673 win 0
    > May 19 02:55:12.054609 202.103.196.61.14270 > A.B.24.105.32852: R 0:0(0) ack
    > 2093292673 win 0
    > May 19 09:17:19.226250 218.1.1.158.26563 > A.B.24.105.35030: R 0:0(0) ack
    > 2093292673 win 0
    > May 20 20:54:03.565186 211.155.241.86.4949 > A.B.24.105.7930: R 0:0(0) ack
    > 2119353641 win 0
    > May 21 21:59:32.021667 61.139.77.80.28873 > A.B.24.105.36294: R 0:0(0) ack
    > 2093292673 win 0
    > May 21 22:01:09.809743 61.139.77.80.16712 > A.B.24.105.55967: R 0:0(0) ack
    > 2093292673 win 0
    > May 21 22:03:04.032252 61.139.77.80.20641 > A.B.24.105.24336: R 0:0(0) ack
    > 2093292673 win 0
    > May 21 22:05:35.751460 61.139.77.80.23510 > A.B.24.105.47833: R 0:0(0) ack
    > 2093292673 win 0
    > May 21 22:19:15.208975 61.139.77.80.27333 > A.B.24.105.33607: R 0:0(0) ack
    > 2119353641 win 0
    > May 21 22:30:17.176497 61.139.77.80.7683 > A.B.24.105.25473: R 0:0(0) ack
    > 2119353641 win 0
    > May 22 01:25:46.457981 61.139.77.80.21143 > A.B.24.105.34794: R 0:0(0) ack
    > 2093292673 win 0
    > May 22 01:29:13.261296 61.139.77.80.17424 > A.B.24.105.46475: R 0:0(0) ack
    > 2093292673 win 0
    > May 22 01:39:44.960026 61.139.77.80.24893 > A.B.24.105.12434: R 0:0(0) ack
    > 2119353641 win 0
    > May 22 06:54:09.159673 61.144.236.154.23977 > A.B.24.105.37501: R 0:0(0) ack
    > 2093292673 win 0
    > May 22 22:04:59.837793 211.144.65.118.18268 > A.B.24.105.32230: R 0:0(0) ack
    > 2119353641 win 0
    > May 23 16:12:32.902699 32.97.166.142.23906 > A.B.24.105.40741: R 0:0(0) ack
    > 2093292673 win 0 (DF) [tos 0x8]
    > May 24 07:27:13.613784 213.156.32.125.19650 > A.B.24.105.20404: R 0:0(0) ack
    > 1702151370 win 0
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    -- 
    Bamm (Robert) Visscher
    Senior Engineer, Managed Network Security Operations
    Ball Aerospace & Technologies Corp.
    http://www.ball.com/aerospace/index.html
    rvisscherat_private Desk: 210.734.5070 x107  Mobile: 210.240.5950 
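As an added example (not from the thread), a small Python filter that applies Bamm's diagnosis to the kind of tcpdump lines Mike posted: it parses each RST summary line and groups the RSTs by (local destination, ack number), so one ack value echoed back by many unrelated source IPs stands out as backscatter from a SYN flood that spoofs the local address. The sample lines and addresses are constructed, with 192.0.2.105 standing in for the poster's A.B.24.105.

```python
import re
from collections import defaultdict

# Matches the old tcpdump one-line TCP summary used in the thread, e.g.
# "May 13 02:43:49.277926 198.51.100.7.30405 > 192.0.2.105.55321: R 0:0(0) ack 2093292673 win 0 (DF)"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:.]+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPUWE.]+)\s+\d+:\d+\(\d+\)\s+ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
)

# Constructed sample capture modelled on the quoted log: unrelated sources,
# random high ports, but only a few distinct ack values (attacker ISN + 1).
SAMPLE_LOG = """\
May 13 02:43:49.277926 198.51.100.7.30405 > 192.0.2.105.55321: R 0:0(0) ack 2093292673 win 0
May 13 02:47:42.141686 198.51.100.7.13712 > 192.0.2.105.13470: R 0:0(0) ack 2119353641 win 0
May 13 03:53:25.418298 203.0.113.90.28711 > 192.0.2.105.54951: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
May 14 09:14:44.181069 203.0.113.52.18598 > 192.0.2.105.19788: R 0:0(0) ack 2119353641 win 0
May 19 02:47:53.563776 203.0.113.61.8113 > 192.0.2.105.32263: R 0:0(0) ack 2093292673 win 0
May 21 22:30:17.176497 198.51.100.80.7683 > 192.0.2.105.25473: R 0:0(0) ack 2119353641 win 0
May 22 06:54:09.159673 198.51.100.154.23977 > 192.0.2.105.37501: R 0:0(0) ack 2093292673 win 0
May 24 07:27:13.613784 203.0.113.125.19650 > 192.0.2.105.20404: R 0:0(0) ack 1702151370 win 0
May 24 08:00:00.000000 203.0.113.9.443 > 192.0.2.105.40000: S 1000:1000(0) ack 5 win 512
"""


def parse_line(line):
    """Return the fields of one tcpdump summary line as a dict, or None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "ack", "win"):
        pkt[key] = int(pkt[key])
    return pkt


def find_backscatter(lines, min_sources=3):
    """Group inbound RSTs by (our address, ack number).

    A host answering a SYN it never asked for sends "R 0:0(0) ack ISN+1 win 0", so an
    ack value shared by several unrelated sources means a flood tool with a fixed ISN
    is spoofing our address as its SYN source. Returns {(dst, ack): [source IPs]}.
    """
    sources = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "R" not in pkt["flags"]:
            continue
        sources[(pkt["dst"], pkt["ack"])].add(pkt["src"])
    return {key: sorted(ips) for key, ips in sources.items() if len(ips) >= min_sources}
```

Running it on the constructed log reports the two recurring ack values with their responders and drops the one-off RST, which is the pattern Mike noticed by eye.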
    This archive was generated by hypermail 2b30 : Fri May 24 2002 - 13:34:27 PDT