Interesting Logs to port 8941

From: Ryan Yagatich (ryanyat_private)
Date: Wed Oct 09 2002 - 05:33:19 PDT

    Hi,
    	Today I've noticed some interesting activity on my dialup
    connection, particularly that to port 8941 via TCP. Here is an example of
    such data:
    
    
    <LOG>
    	<TIME> Oct  7 10:57:45 </TIME>
    	<IN> ppp0 </IN>
    	<OUT> </OUT>
    	<MAC> </MAC>
    	<SRC> 130.156.129.254 </SRC>
    	<DST> 216.144.8.150 </DST>
    	<LEN> 48 </LEN>
    	<TOS> 0x00 </TOS>
    	<PREC> 0x00 </PREC>
    	<TTL> 108 </TTL>
    	<ID> 39816 </ID>
    	<FLAGS> DF SYN </FLAGS>
    	<PROTO> TCP </PROTO>
    	<SPT> 3446 </SPT>
    	<DPT> 8941 </DPT>
    	<WINDOW> 16384 </WINDOW>
    	<RES> 0x00 </RES>
    	<URGP> 0 </URGP>
    </LOG>
    
    Here's what I've found out:
    	1) There are 3 packets being sent (SYN + DF)
    	2) The intervals are always the same:
    		3 seconds between packets 1-2
    		6 seconds between packets 2-3
    	3) All have a length of 48 (since it is just the SYN)
    
    I really have no information about it other than what is listed above and 
    that the timeframe is as follows:
    	Start: 10.07.2002 @ 10:57:45 EST
    	End:   10.07.2002 @ 17:55:56 EST
    There are 210 access attempts with 68 unique hosts;
    	these 3 hosts only had 1 packet sent apiece:
    		66.7.139.165 
    		62.30.142.89 
    		172.153.168.26
    
    The logs that were taken from such traffic can be found at the following
    URL:
    	http://www.pantek.com/~ryany/log
    they are the following:
    	rejected.log (42447 bytes)
    		-> all of the records of the attempted connections
    	tcpdump.out (216 bytes)
    		-> 3 packets from a particular connection that I was
    		   able to trap
    
    If anyone has either seen any of this before, or has a clue what it is,
    please let me know, especially since I don't have much to go by (haven't
    set up netcat to listen on that port yet). All times are EST.
    
    Thanks,
    Ryan Yagatich  <supportat_private>
            Pantek, Incorporated
     (877) LINUX-FIX - (440) 519-1802
    ===================================
    DE C6 02 66 7C AB 95 9E 97 1F B0 BC
    8C 9F 8A 28 BE 0A A3 93 95 70 EF 12
    ===================================
     A fool must now and then be right
               by chance.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
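The following is an added example, not part of Ryan's post or the archive: it parses records in the <LOG> format shown above, reproduces the tallies he reports (attempts, unique hosts, one-packet hosts), and checks whether a source's packets match the 3 s / 6 s spacing he observed, which is what a single client connect() produces when its SYN is retransmitted twice (the default SYN-retransmit timers of the Windows TCP stack of that era) rather than three separate probes. Only the first record's values come from the post; the later timestamps, the second source and its port are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the post's <LOG> format: the three SYNs of the
# 130.156.129.254 connection (packets 2 and 3 assumed from the 3 s / 6 s
# spacing the post reports) and one single-packet source named in the post.
RECORD = ("<LOG> <TIME> {t} </TIME> <SRC> {src} </SRC> <DST> 216.144.8.150 </DST> <LEN> 48 </LEN>"
          " <ID> {i} </ID> <FLAGS> DF SYN </FLAGS> <PROTO> TCP </PROTO> <SPT> {spt} </SPT> <DPT> 8941 </DPT> </LOG>")
SAMPLE_LOG = "\n".join(RECORD.format(t=t, src=s, spt=p, i=39816 + n) for n, (t, s, p) in enumerate([
    ("Oct  7 10:57:45", "130.156.129.254", "3446"),
    ("Oct  7 10:57:48", "130.156.129.254", "3446"),
    ("Oct  7 10:57:54", "130.156.129.254", "3446"),
    ("Oct  7 11:02:10", "66.7.139.165", "1044")]))

FIELD = re.compile(r"<(\w+)>\s*(.*?)\s*</\1>", re.S)

def parse_records(text):
    """Turn each <LOG>...</LOG> block into a dict of its fields plus a datetime."""
    out = []
    for block in re.findall(r"<LOG>(.*?)</LOG>", text, re.S):
        rec = dict(FIELD.findall(block))
        rec["ts"] = datetime.strptime(" ".join(rec["TIME"].split()), "%b %d %H:%M:%S")
        out.append(rec)
    return out

def connections(records):
    """Group packets by 4-tuple; a retransmitted SYN reuses the same source port."""
    conns = defaultdict(list)
    for r in records:
        conns[(r["SRC"], r["SPT"], r["DST"], r["DPT"])].append(r)
    return {k: sorted(v, key=lambda r: r["ts"]) for k, v in conns.items()}

def is_syn_retransmit_burst(pkts, expected=(3, 6), tolerance=1):
    """Three 48-byte SYNs spaced 3 s then 6 s look like one connect() whose SYN
    was retransmitted twice, not three independent probes."""
    if len(pkts) != len(expected) + 1:
        return False
    if not all("SYN" in p["FLAGS"] and p["LEN"] == "48" for p in pkts):
        return False
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
    return all(abs(g - e) <= tolerance for g, e in zip(gaps, expected))

def summarize(text):
    recs = parse_records(text)
    per_host = Counter(r["SRC"] for r in recs)
    return {"attempts": len(recs), "unique_hosts": len(per_host),
            "single_packet_hosts": sorted(h for h, n in per_host.items() if n == 1),
            "retransmit_bursts": sum(is_syn_retransmit_burst(p) for p in connections(recs).values())}
```

Run against rejected.log, a burst count close to the number of unique hosts would mean the 210 entries are mostly retransmissions of far fewer connection attempts.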
    



    This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 15:58:01 PDT