Ideas? Port 21 SYNs, slow

From: Bubsy (pizzapoweredat_private)
Date: Wed Jul 10 2002 - 19:41:08 PDT

Next message: Graham, Randy (RAW) : "RE: Code Red and other anomalous activity from 1433"

Previous message: Thomas Cannon: "Re: Code Red and other anomalous activity from 1433"
Next in thread: Jason Giglio: "Re: Ideas? Port 21 SYNs, slow"
Reply: Jason Giglio: "Re: Ideas? Port 21 SYNs, slow"
Reply: Bubsy: "Re: Ideas? Port 21 SYNs, slow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) I would like to pick your collective brains regarding what I believe is an attack of some form, even if it is very slow. I noticed a day and a half worth of continuous port 21 SYNs. Because there were never any completed connections, this would not show up in the FTP logs, but I watch all traffic, maybe I need a life :) . I noticed an unusual amount of FTP port SYNs that I was acknowledging, which were being ignored. One or more SYNs would come in at about the same time, to which I would respond with three acknowledgements per SYN and then quit. Many of these incoming SYNs had the same checksum. Strange, maybe forgery? 65.222.227.193 was the IP of the first FTP SYN attempts, I portscanned that IP and found a webserver (reverse DNS to deadarab.com) which was selling anti-Osama goodies and other things. I also found PcAnywhere, LDAP and many other things, and the FTP SYNs continued. I later rescanned the same IP and found that the services were taken down. No conceivable valid WHOIS contact info, no surprise. More strangeness. I said to myself "Hey me, is this a DDos or is this meant for me?"? I assumed this was intended for me because of the disappearing services on the initial offending IP. I blocked 65.222.227.* and watched. Then came SYNs from 65.222.225.3. I allowed a few to be acknowledged and dumped them to compare to the first ones. From 65.222.227.193 0x0000 00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08 ..Ü.p..Zî....E. 0x0010 00 28 A1 CE 00 00 F3 06-3D D3 41 DE E3 C1 C0 A8 .(¡Î..ó.=ÓAÞãÁÀ¨ 0x0020 01 DE 27 3B 00 15 17 A0-00 00 00 00 00 00 50 02 .Þ';... ......P. 0x0030 FF FF 88 CC 00 00 88 88-88 88 88 88 88 88 88 88 ÿÿˆÌ..ˆˆˆˆˆˆˆˆˆˆ new one from 65.222.225.3 0x0000 00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08 ..Ü.p..Zî....E. 0x0010 00 28 CA 6B 00 00 F3 06-17 F4 41 DE E1 03 C0 A8 .(Êk..ó..ôAÞá.À¨ 0x0020 01 DE 48 00 00 15 03 92-00 00 00 00 00 00 50 02 .ÞH....’......P. 0x0030 FF FF 7E D3 00 00 88 88-88 88 88 88 88 88 88 88 ÿÿ~Ó..ˆˆˆˆˆˆˆˆˆˆ Hmm. Oh yes I am 127.0.0.1 :) of course. Now with 65.222.225.* blocked, I decided to WHOIS them, and I got the idea that some admin or network guy had too much time on his (or her, I'm not sexist) hands. ipw: Query: !NETBLK-UU-65-222-224 DIOS / Maryland Online Network (NETBLK-UU-65-222-224) 3234 Eastern Avenue Baltimore, MD 21224 US Netname: UU-65-222-224 Netblock: 65.222.224.0 - 65.222.239.255 Maintainer: DIOS Coordinator: Kluver, Robert (RK933-ARIN) adminat_private 410-558-0320 In the next hour, similar stuff came from these IPs. 65.222.225.3 65.222.224.2 65.207.91.38 65.222.227.1 65.222.227.58 65.222.227.193 65.222.227.255 (yeah, nice IP there) and 212.169.100.130 The two odd ones come to: ipw: Query: net 65.207.91.38 UUNET Technologies, Inc. (NETBLK-UUNET65) 3060 Williams Drive, Suite 601 Fairfax, VA 22031 US Netname: UUNET65 Netblock: 65.192.0.0 - 65.223.255.255 Maintainer: UU and ipw: Query: 212.169.100.130 inetnum: 212.169.100.0 - 212.169.100.255 netname: NO-NETCOM-CUST-NEXTFRAME descr: Customer Net for Nextframe AS country: NO admin-c: MH20735-RIPE tech-c: NGH3-RIPE status: ASSIGNED PA which rev. DNSs to cursed.darkisp.net, which has a website which looks to me like a typical shell etc. machine, which makes sense if the guy (or gal) has a shell and wanted to see if I blocked his nets. The last set of whatever this was came as a group attempt, which I logged in an attempt to spot a pattern. I'm including an excerpt from my log to see if anyone has any ideas on what this might be. If anyone has any ideas, I would be curious to hear them. Whatever this is appears to be designed to defeat traditional logs by not actually completing a connection, and by being slow enough as to not establish a tangible pattern. I also assume that the packets were not redirected, because shortly after I would block one IP, a new IP would start in, makes sense if the recipient saw the acks stop. I included the tail end of the log, all "attacks" ended at the endtime of my log. Thanks for your ideas people! #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info 2002-07-09 14:34:43 DROP TCP 127.0.0.1 65.222.225.3 21 4180 40 A 4110057646 381616129 16616 - - - 2002-07-09 14:36:23 DROP TCP 127.0.0.1 65.222.224.2 21 20236 40 A 4134902085 3394306049 16616 - - - 2002-07-09 14:37:16 DROP TCP 127.0.0.1 65.222.225.3 21 41990 40 A 4148384846 2762276865 16616 - - - 2002-07-09 14:39:49 DROP TCP 127.0.0.1 65.222.225.3 21 65232 40 A 4186694867 1689255937 16616 - - - 2002-07-09 14:42:23 DROP TCP 127.0.0.1 65.222.225.3 21 5443 40 A 4225090877 2587623425 16616 - - - 2002-07-09 14:44:56 DROP TCP 127.0.0.1 65.222.225.3 21 20112 40 A 4263412809 56098817 16616 - - - 2002-07-09 14:47:29 DROP TCP 127.0.0.1 65.222.225.3 21 57345 40 A 6764770 2667642881 16616 - - - 2002-07-09 15:07:56 DROP TCP 127.0.0.1 65.222.225.3 21 59280 40 A 313933308 2912026625 16616 - - - 2002-07-09 15:10:30 DROP TCP 127.0.0.1 65.222.225.3 21 11686 40 A 352234325 1913913345 16616 - - - 2002-07-09 15:14:16 DROP TCP 127.0.0.1 65.222.225.3 21 3327 40 A 408857607 3624730625 16616 - - - 2002-07-09 15:14:45 DROP TCP 127.0.0.1 65.207.91.38 21 65376 40 A 416115621 619642881 16616 - - - 2002-07-09 15:18:06 DROP TCP 127.0.0.1 65.222.225.3 21 26290 40 A 466441213 2279211009 16616 - - - 2002-07-09 15:23:49 DROP TCP 127.0.0.1 65.222.227.1 21 4956 40 A 552137575 1170931713 16616 - - - 2002-07-09 15:24:29 DROP TCP 127.0.0.1 65.222.227.58 21 16132 40 A 562152023 2356543489 16616 - - - 2002-07-09 15:25:28 DROP TCP 127.0.0.1 65.222.227.193 21 34760 40 A 576941514 3932422145 16616 - - - 2002-07-09 15:27:39 DROP TCP 127.0.0.1 65.222.227.1 21 25326 40 A 609659434 4036886529 16616 - - - 2002-07-09 15:28:19 DROP TCP 127.0.0.1 65.222.227.58 21 64399 40 A 619689148 4258922497 16616 - - - 2002-07-09 15:29:18 DROP TCP 127.0.0.1 65.222.227.193 21 50111 40 A 634455459 2386165761 16616 - - - 2002-07-09 15:31:29 DROP TCP 127.0.0.1 65.222.227.1 21 26659 40 A 667182451 804323329 16616 - - - 2002-07-09 15:32:09 DROP TCP 127.0.0.1 65.222.227.58 21 60889 40 A 677316192 4153802753 16616 - - - 2002-07-09 15:33:07 DROP TCP 127.0.0.1 65.222.227.193 21 25896 40 A 691866866 3945267201 16616 - - - 2002-07-09 15:35:19 DROP TCP 127.0.0.1 65.222.227.1 21 8308 40 A 724771123 1846280193 16616 - - - 2002-07-09 15:35:59 DROP TCP 127.0.0.1 65.222.227.58 21 11133 40 A 734953939 2234843137 16616 - - - 2002-07-09 15:36:57 DROP TCP 127.0.0.1 65.222.227.193 21 59740 40 A 749290458 75169793 16616 - - - 2002-07-09 15:39:08 DROP TCP 127.0.0.1 65.222.227.1 21 48063 40 A 782099076 732954625 16616 - - - 2002-07-09 15:39:49 DROP TCP 127.0.0.1 65.222.227.58 21 36191 40 A 792386019 2452226049 16616 - - - 2002-07-09 15:40:46 DROP TCP 127.0.0.1 65.222.227.193 21 55307 40 A 806776048 3227779073 16616 - - - 2002-07-09 15:42:59 DROP TCP 127.0.0.1 65.222.227.1 21 40638 40 A 839891034 3176071169 16616 - - - 2002-07-09 15:43:39 DROP TCP 127.0.0.1 65.222.227.58 21 1761 40 A 850012211 2602893313 16616 - - - 2002-07-09 15:44:36 DROP TCP 127.0.0.1 65.222.227.193 21 19276 40 A 864273794 731185153 16616 - - - 2002-07-09 15:47:24 DROP TCP 127.0.0.1 65.222.227.1 21 65154 40 A 906143613 659161089 16616 - - - 2002-07-09 15:48:16 DROP TCP 127.0.0.1 65.222.227.58 21 5601 40 A 919156152 3022585857 16616 - - - 2002-07-09 15:49:32 DROP TCP 127.0.0.1 65.222.227.193 21 37316 40 A 938220005 893845505 16616 - - - 2002-07-09 15:50:38 DROP TCP 127.0.0.1 65.222.227.255 21 59731 40 A 954865216 3894345729 16616 - - - 2002-07-09 15:52:31 DROP TCP 127.0.0.1 65.222.227.1 21 59503 40 A 983194631 2775973889 16616 - - - 2002-07-09 15:53:20 DROP TCP 127.0.0.1 65.222.227.58 21 19743 40 A 995403697 896466945 16616 - - - 2002-07-09 15:54:38 DROP TCP 127.0.0.1 65.222.227.193 21 16729 40 A 1014842293 3790274561 16616 - - - 2002-07-09 15:55:44 DROP TCP 127.0.0.1 65.222.227.255 21 28979 40 A 1031448608 830930945 16616 - - - 2002-07-09 15:57:38 DROP TCP 127.0.0.1 65.222.227.1 21 7554 40 A 1059961455 3073376257 16616 - - - 2002-07-09 15:58:28 DROP TCP 127.0.0.1 65.222.227.58 21 10239 40 A 1072298522 1625358337 16616 - - - 2002-07-09 15:59:44 DROP TCP 127.0.0.1 65.222.227.193 21 40606 40 A 1091370715 1573912577 16616 - - - 2002-07-09 16:00:49 DROP TCP 127.0.0.1 65.222.227.255 21 24397 40 A 1107641688 2339176449 16616 - - - 2002-07-09 16:02:46 DROP TCP 127.0.0.1 65.222.227.1 21 4631 40 A 1137074499 1547239425 16616 - - - 2002-07-09 16:03:35 DROP TCP 127.0.0.1 65.222.227.58 21 24265 40 A 1149237606 2326331393 16616 - - - 2002-07-09 16:04:50 DROP TCP 127.0.0.1 65.222.227.193 21 46334 40 A 1167975572 1481703425 16616 - - - 2002-07-09 16:05:54 DROP TCP 127.0.0.1 65.222.227.255 21 43932 40 A 1184125492 2120286209 16616 - - - 2002-07-09 16:07:54 DROP TCP 127.0.0.1 65.222.227.1 21 18067 40 A 1213983467 2356871169 16616 - - - 2002-07-09 16:08:43 DROP TCP 127.0.0.1 65.222.227.58 21 25766 40 A 1226378215 3776249857 16616 - - - 2002-07-09 16:09:54 DROP TCP 127.0.0.1 65.222.227.193 21 34759 40 A 1244087238 1134624769 16616 - - - 2002-07-09 16:11:00 DROP TCP 127.0.0.1 65.222.227.255 21 32819 40 A 1260652350 1536950273 16616 - - - 2002-07-09 16:12:59 DROP TCP 127.0.0.1 65.222.227.1 21 30896 40 A 1290440103 57933825 16616 - - - 2002-07-09 16:13:50 DROP TCP 127.0.0.1 65.222.227.58 21 27243 40 A 1303242109 1163526145 16616 - - - 2002-07-09 16:15:01 DROP TCP 127.0.0.1 65.222.227.193 21 4791 40 A 1321009627 51183617 16616 - - - 2002-07-09 16:16:07 DROP TCP 127.0.0.1 65.222.227.255 21 16114 40 A 1337329759 1207566337 16616 - - - 2002-07-09 16:18:05 DROP TCP 127.0.0.1 65.222.227.1 21 60937 40 A 1367027709 2753101825 16616 - - - 2002-07-09 16:18:57 DROP TCP 127.0.0.1 65.222.227.58 21 7945 40 A 1379977654 1515520001 16616 - - - 2002-07-09 16:20:08 DROP TCP 127.0.0.1 65.222.227.193 21 58487 40 A 1397713040 1683357697 16616 - - - 2002-07-09 16:21:13 DROP TCP 127.0.0.1 65.222.227.255 21 7852 40 A 1414079077 1374027777 16616 - - - 2002-07-09 16:23:13 DROP TCP 127.0.0.1 65.222.227.1 21 31829 40 A 1444010446 1832910849 16616 - - - 2002-07-09 16:24:03 DROP TCP 127.0.0.1 65.222.227.58 21 42134 40 A 1456597809 2370043905 16616 - - - 2002-07-09 16:25:15 DROP TCP 127.0.0.1 65.222.227.193 21 48191 40 A 1474677036 1793261569 16616 - - - 2002-07-09 16:26:19 DROP TCP 127.0.0.1 65.222.227.255 21 18985 40 A 1490531613 4274192385 16616 - - - 2002-07-09 16:28:20 DROP TCP 127.0.0.1 65.222.227.1 21 58435 40 A 1520806308 628293633 16616 - - - 2002-07-09 16:29:09 DROP TCP 127.0.0.1 65.222.227.58 21 33063 40 A 1533094769 587792385 16616 - - - 2002-07-09 16:30:22 DROP TCP 127.0.0.1 65.222.227.193 21 34872 40 A 1551511862 3294625793 16616 - - - 2002-07-09 16:31:24 DROP TCP 127.0.0.1 65.222.227.255 21 55246 40 A 1566882639 2254635009 16616 - - - 2002-07-09 16:33:26 DROP TCP 127.0.0.1 65.222.227.1 21 282 40 A 1597492247 2361720833 16616 - - - 2002-07-09 16:34:15 DROP TCP 127.0.0.1 65.222.227.58 21 8368 40 A 1609821078 2197422081 16616 - - - 2002-07-09 16:35:30 DROP TCP 127.0.0.1 65.222.227.193 21 22093 40 A 1628558895 2873360385 16616 - - - 2002-07-09 16:36:29 DROP TCP 127.0.0.1 65.222.227.255 21 21506 40 A 1643280221 723320833 16616 - - - 2002-07-09 16:38:32 DROP TCP 127.0.0.1 65.222.227.1 21 49495 40 A 1673999831 1337917441 16616 - - - 2002-07-09 16:39:23 DROP TCP 127.0.0.1 65.222.227.58 21 2630 40 A 1686805847 2673868801 16616 - - - 2002-07-09 16:40:38 DROP TCP 127.0.0.1 65.222.227.193 21 47099 40 A 1705561276 1971650561 16616 - - - 2002-07-09 16:41:34 DROP TCP 127.0.0.1 65.222.227.255 21 12541 40 A 1719788892 3247374337 16616 - - - 2002-07-09 16:43:39 DROP TCP 127.0.0.1 65.222.227.1 21 20892 40 A 1750849323 4029939713 16616 - - - 2002-07-09 16:44:28 DROP TCP 127.0.0.1 65.222.227.58 21 56619 40 A 1763300043 62849025 16616 - - - 2002-07-09 16:45:45 DROP TCP 127.0.0.1 65.222.227.193 21 53663 40 A 1782386724 3809280001 16616 - - - 2002-07-09 16:46:40 DROP TCP 127.0.0.1 65.222.227.255 21 44093 40 A 1796280647 1961426945 16616 - - - 2002-07-09 16:48:45 DROP TCP 127.0.0.1 65.222.227.1 21 43060 40 A 1827539914 3206152193 16616 - - - 2002-07-09 16:49:35 DROP TCP 127.0.0.1 65.222.227.58 21 40576 40 A 1840015350 2806906881 16616 - - - 2002-07-09 16:50:52 DROP TCP 127.0.0.1 65.222.227.193 21 38179 40 A 1859204304 2213150721 16616 - - - 2002-07-09 16:51:46 DROP TCP 127.0.0.1 65.222.227.255 21 14921 40 A 1872870200 1129709569 16616 - - - 2002-07-09 16:53:51 DROP TCP 127.0.0.1 65.222.227.1 21 31818 40 A 1904111567 1253048321 16616 - - - 2002-07-09 16:54:42 DROP TCP 127.0.0.1 65.222.227.58 21 50804 40 A 1916875803 2446655489 16616 - - - 2002-07-09 16:55:59 DROP TCP 127.0.0.1 65.222.227.193 21 331 40 A 1936045330 1610153985 16616 - - - 2002-07-09 16:56:53 DROP TCP 127.0.0.1 65.222.227.255 21 22664 40 A 1949656360 1375797249 16616 - - - 2002-07-09 16:58:58 DROP TCP 127.0.0.1 65.222.227.1 21 53434 40 A 1980967895 720175105 16616 - - - 2002-07-09 16:59:48 DROP TCP 127.0.0.1 65.222.227.58 21 16960 40 A 1993475934 622592001 16616 - - - 2002-07-09 17:01:06 DROP TCP 127.0.0.1 65.222.227.193 21 30064 40 A 2012899853 3771072513 16616 - - - 2002-07-09 17:01:58 DROP TCP 127.0.0.1 65.222.227.255 21 14187 40 A 2025993664 1508900865 16616 - - - 2002-07-09 17:04:05 DROP TCP 127.0.0.1 65.222.227.1 21 43269 40 A 2057678046 2351104001 16616 - - - 2002-07-09 17:04:55 DROP TCP 127.0.0.1 65.222.227.58 21 62018 40 A 2070227715 157810689 16616 - - - 2002-07-09 17:06:12 DROP TCP 127.0.0.1 65.222.227.193 21 60323 40 A 2089456089 2509635585 16616 - - - 2002-07-09 17:07:04 DROP TCP 127.0.0.1 65.222.227.255 21 38491 40 A 2102571253 3855876097 16616 - - - 2002-07-09 17:09:11 DROP TCP 127.0.0.1 65.222.227.1 21 6494 40 A 2134375022 3345350657 16616 - - - 2002-07-09 17:10:02 DROP TCP 127.0.0.1 65.222.227.58 21 25453 40 A 2147059546 226361345 16616 - - - 2002-07-09 17:11:18 DROP TCP 127.0.0.1 65.222.227.193 21 1746 40 A 2166074335 1824260097 16616 - - - 2002-07-09 17:12:11 DROP TCP 127.0.0.1 65.222.227.255 21 11900 40 A 2179429687 2000224257 16616 - - - ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: Graham, Randy (RAW) : "RE: Code Red and other anomalous activity from 1433"
Previous message: Thomas Cannon: "Re: Code Red and other anomalous activity from 1433"
Next in thread: Jason Giglio: "Re: Ideas? Port 21 SYNs, slow"
Reply: Jason Giglio: "Re: Ideas? Port 21 SYNs, slow"
Reply: Bubsy: "Re: Ideas? Port 21 SYNs, slow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 14:35:07 PDT