Keith Pachulski wrote Monday, January 20, 2003 14:10 > Has anyone seen this behavior, if so care to share the details This won't be much help, but here is what I have. I've seen one similar ASN.1 alert in the past few days. The probe hit just one host out of a Class C - it did not use a broadcast address like yours did. The probe was against a mail server. 01/18/03-18:18:19.542110 217.207.57.98:27194 -> justonehost:161 UDP TTL:108 TOS:0x0 ID:23131 IpLen:20 DgmLen:265 Len: 245 (Payload snipped - it was identical to yours) Trigger for the alert - dgmlen 265 is greater than the packet length 245. IP Address: 217.207.57.98 HostName: mail.city-cab.org.uk descr: City Of London Citizens Advice Bureau That host generated similar probes to more than a thousand other systems that day, so I suspect it was a compromised host being used to attack others. Nothing followed this single probe, so I have no further details about it. > I orginally saw these from an internal firewall, after > setting up a snort to grab the traffic I logged the following: > > [**] weirdness ensues [**] > 01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161 > UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265 > Len: 245 > 30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81 0.......public.. > DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06 ..........0..0.. > 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06 .+........0...+. > 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01 .......0...+.... > 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01 ....0...+....... > 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01 ...0...+........ > 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03 ..0...+......... > 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01 ..0...+......... > 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+....... > 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+..... > 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04 ........0...+... > 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06 ..........0...+. > 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B ...........0...+ > 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B ............0... > 2B 06 01 04 01 0B 02 04 03 0D 01 05 00 +............ > > I have a few internal machines sending the same queries to > the same address. > > Name: > 192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net > Address: 192.0.0.192 Broadcast for print services would be an easy way for a worm to find vulnerable hosts, since so many unpatched print servers have SNMP vulnerabilities. One explanation could be a print services discovery tool, but I think this is hostile and crafted traffic because the dgmlen 265 is greater than the packet length 245. The PROTOS test suite makes use of this type of broadcast address to quickly sweep a network. Since the packets are UDP, it would not be hard to spoof multiple source addresses to mask the true attack source. http://www.cert.org/advisories/CA-2002-03.html http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise110 I guess the key here is the responses that are being sent back to the originating addresses, and the followup traffic.
This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 08:02:10 PST