-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You mean in the packets themselves? Not from what I can tell. This leads me
to believe that it is a scan of some sort or a poorly executed flood attack.

- -----Original Message-----
From: morning_wood [mailto:se_cur_ityat_private]
Sent: Tuesday, June 03, 2003 3:54 PM
To: intrusionsat_private; incidentsat_private; sec_slaveat_private
Subject: Re: Help with an odd log file...

is there no content?

- ----- Original Message -----
From: <sec_slaveat_private>
To: <intrusionsat_private>; <incidentsat_private>
Sent: Tuesday, June 03, 2003 2:03 PM
Subject: Help with an odd log file...

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello.
>
> I am looking for some assistance in trying to identify the nature of
> a suspected scan/attack against my corporate network.
>
> The scan/attack includes spoofed source addresses that cover a wide range
> of IP networks. There is also a relationship between source and
> destination addresses and ports for each entry. Each combination of
> address and port information appears between 3 and 8 times, all trickled
> in over a 3 day period. Normally, something like this might be
> identified as a TCP SYN SCAN, but the traffic is coming in too slowly and
> the destination ports are all upper level ports (as you can see).
>
> The pattern is one with which I am not familiar and would appreciate
> your assistance in identifying.
>
> Thnx,
>
>
> Sorted by source IP:
>
> Date/Time        Source IP/Port           Dest IP/Port
> May 25 13:53:48  2.66.161.64:55518        XX6.X37.153.7:61323
> May 26 04:34:53  2.66.161.64:55518        XX6.X37.153.7:61323
> May 26 23:29:58  2.66.161.64:55518        XX6.X37.153.7:61323
> May 27 08:20:55  2.66.161.64:55518        XX6.X37.153.7:61323
> May 27 15:39:08  2.66.161.64:55518        XX6.X37.153.7:61323
> May 26 12:03:34  2.71.250.0:54845         XX6.X37.54.171:5929
> May 26 20:54:18  2.71.250.0:54845         XX6.X37.54.171:5929
> May 27 16:49:56  2.71.250.0:54845         XX6.X37.54.171:5929
> May 25 06:18:33  2.86.7.241:56883         XX6.X37.41.151:21012
> May 25 10:16:48  2.86.7.241:56883         XX6.X37.41.151:21012
> May 26 05:04:11  2.86.7.241:56883         XX6.X37.41.151:21012
> May 27 07:28:50  2.86.7.241:56883         XX6.X37.41.151:21012
> May 27 15:37:04  2.86.7.241:56883         XX6.X37.41.151:21012
> May 27 16:28:04  2.86.7.241:56883         XX6.X37.41.151:21012
> May 27 10:11:14  2.95.43.255:12430        XX6.X37.29.228:9577
> May 25 08:30:38  2.95.43.255:12430        XX6.X37.29.228:9577
> May 26 07:56:32  2.95.43.255:12430        XX6.X37.29.228:9577
> May 26 18:55:34  2.95.43.255:12430        XX6.X37.29.228:9577
> May 26 20:22:41  2.95.43.255:12430        XX6.X37.29.228:9577
> Etc.
>
> ---break for brevity's sake---
> 6353 lines removed
>
> May 26 05:38:31  221.237.154.247:45635    XX6.X37.48.56:8199
> May 26 08:13:10  221.237.154.247:45635    XX6.X37.48.56:8199
> May 26 09:23:33  221.237.154.247:45635    XX6.X37.48.56:8199
> May 26 17:30:12  221.237.154.247:45635    XX6.X37.48.56:8199
> May 27 09:55:22  221.237.154.247:45635    XX6.X37.48.56:8199
> May 25 18:02:24  222.6.30.78:55945        XX6.X37.12.103:32430
> May 26 23:28:25  222.6.30.78:55945        XX6.X37.12.103:32430
> May 27 03:23:43  222.6.30.78:55945        XX6.X37.12.103:32430
> May 26 09:12:56  222.12.8.159:40062       XX6.X37.39.135:43096
> May 26 23:02:06  222.12.8.159:40062       XX6.X37.39.135:43096
> May 26 23:53:30  222.12.8.159:40062       XX6.X37.39.135:43096
> May 27 13:32:13  222.12.8.159:40062       XX6.X37.39.135:43096
> May 26 12:28:58  222.20.24.164:3281       XX6.X37.21.175:27751
> May 26 21:26:42  222.20.24.164:3281       XX6.X37.21.175:27751
> May 26 22:10:47  222.20.24.164:3281       XX6.X37.21.175:27751
> May 27 11:04:40  222.20.24.164:3281       XX6.X37.21.175:27751
> May 27 13:31:51  222.20.24.164:3281       XX6.X37.21.175:27751
> May 27 15:36:37  222.20.24.164:3281       XX6.X37.21.175:27751
> Etc.
>
>
> Captured Frame Sample:
>
> Frame 1 (66 bytes on wire, 66 bytes captured)
>     Arrival Time: May 27, 2003 14:13:58.220746000
>     Time delta from previous packet: 0.000000000 seconds
>     Time relative to first packet: 0.000000000 seconds
>     Frame Number: 1
>     Packet Length: 66 bytes
>     Capture Length: 66 bytes
> Ethernet II, Src: 00:00:0c:95:72:bd, Dst: 00:60:91:0b:45:35
>     Destination: 00:60:98:0d:45:35 (3Com_0d:45:35)
>     Source: 00:00:0c:95:78:bd (Cisco_95:78:bd)
>     Type: IP (0x0800)
> Internet Protocol, Src Addr: 155.128.250.228 (155.128.250.228),
> Dst Addr: XX6.X37.151.97 (XX6.X37.151.97)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 52
>     Identification: 0xb82b
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 118
>     Protocol: TCP (0x06)
>     Header checksum: 0xc248 (correct)
>     Source: 155.128.250.228 (155.128.250.228)
>     Destination: XX6.X37.151.97 (XX6.X37.151.97)
> Transmission Control Protocol, Src Port: 866 (866), Dst Port: 26469 (26469),
> Seq: 1409168989, Ack: 0, Len: 0
>     Source port: 866 (866)
>     Destination port: 26469 (26469)
>     Sequence number: 1409168989
>     Header length: 32 bytes
>     Flags: 0x0002 (SYN)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...0 .... = Acknowledgment: Not set
>         .... 0... = Push: Not set
>         .... .0.. = Reset: Not set
>         .... ..1. = Syn: Set
>         .... ...0 = Fin: Not set
>     Window size: 55808
>     Checksum: 0xd5a2 (correct)
>     Options: (12 bytes)
>         Maximum segment size: 1460 bytes
>         NOP
>         Window scale: 2 (multiply by 4)
>         NOP
>         NOP
>         SACK permitted
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAj7dDSgACgkQbTw24P1BTGJXaQCgsLPS0niweOjKLZSIRKUVWioqoTAA
> oIDwlD0AxJojtPAhIdlunJmyAG1R
> =US/J
> -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: PGP Freeware, Ver 6.5.8CKT - Build 8
Comment: KeyID: 0xB8F26ADD
Comment: Fingerprint: 6E1C D617 CD65 A203 7FD5 4C68 90E7 39F4 B8F2 6ADD

iQA/AwUBPt4N55DnOfS48mrdEQLqkQCfdgqEsvrkOpYzGJLWcHcQadrcrFoAnRhU
mIaajLY5ddU4OHVQTG8yLE7+
=FsGD
-----END PGP SIGNATURE-----
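The pattern the original poster describes (each source/destination address and port combination recurring 3 to 8 times, spread out over about three days, all to high destination ports) is easy to confirm mechanically once the log is grouped by the full 4-tuple. The script below is an added example written for this archive page; it is not code from any participant in the thread. It parses lines in the "Mon DD HH:MM:SS src:port dst:port" layout shown in the post, groups them, and reports per-tuple hit counts, time span and shortest repeat interval. The log year (2003, taken from the frame capture), the hit-count and span thresholds, and the sample input (a few of the posted lines plus one constructed single-hit control entry for 10.0.0.5) are all assumptions; the masked "XX6.X37" destination octets from the post are accepted as-is by the parser.

```python
"""Characterise slow, repeated SYN probes from a firewall log.

Added example, not part of the original thread. It groups log entries by
(src, sport, dst, dport) and flags tuples that recur a few times over a long
period, the pattern the poster describes. Year and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Destination octets in the post are masked ("XX6.X37..."), so address fields
# are matched as any non-space run rather than as strict dotted quads.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<src>\S+):(?P<sport>\d+) +(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample: lines copied from the post plus one single-hit control
# entry (10.0.0.5 -> port 80) that must NOT be flagged.
SAMPLE_LOG = """\
May 25 13:53:48 2.66.161.64:55518 XX6.X37.153.7:61323
May 26 04:34:53 2.66.161.64:55518 XX6.X37.153.7:61323
May 26 23:29:58 2.66.161.64:55518 XX6.X37.153.7:61323
May 27 08:20:55 2.66.161.64:55518 XX6.X37.153.7:61323
May 27 15:39:08 2.66.161.64:55518 XX6.X37.153.7:61323
May 26 12:03:34 2.71.250.0:54845 XX6.X37.54.171:5929
May 26 20:54:18 2.71.250.0:54845 XX6.X37.54.171:5929
May 27 16:49:56 2.71.250.0:54845 XX6.X37.54.171:5929
May 27 10:11:14 2.95.43.255:12430 XX6.X37.29.228:9577
May 25 08:30:38 2.95.43.255:12430 XX6.X37.29.228:9577
May 26 07:56:32 2.95.43.255:12430 XX6.X37.29.228:9577
May 26 18:55:34 2.95.43.255:12430 XX6.X37.29.228:9577
May 26 20:22:41 2.95.43.255:12430 XX6.X37.29.228:9577
May 26 11:00:00 10.0.0.5:40000 XX6.X37.1.1:80
"""


def parse_log(text, year=2003):
    """Return (timestamp, src, sport, dst, dport) tuples; skip non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Etc.", column headers, mail quoting noise
        # Syslog-style stamps carry no year; the assumed year is supplied here.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return entries


def group_by_tuple(entries):
    """Map each (src, sport, dst, dport) to its time-sorted list of hits."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport in entries:
        groups[(src, sport, dst, dport)].append(ts)
    return {key: sorted(times) for key, times in groups.items()}


def flag_slow_repeats(groups, min_hits=3, max_hits=8, min_span=timedelta(hours=1)):
    """Flag tuples seen min_hits..max_hits times over at least min_span.

    Thresholds are assumptions mirroring "3 to 8 times ... over a 3 day
    period"; a normal one-shot connection attempt falls below min_hits.
    """
    flagged = []
    for key, times in groups.items():
        span = times[-1] - times[0]
        if min_hits <= len(times) <= max_hits and span >= min_span:
            gaps = [b - a for a, b in zip(times, times[1:])]
            flagged.append({
                "tuple": key,
                "hits": len(times),
                "span_hours": round(span.total_seconds() / 3600, 1),
                "min_gap_minutes": round(min(gaps).total_seconds() / 60, 1),
                "high_dport": key[3] > 1023,  # the "upper level ports" observation
            })
    return sorted(flagged, key=lambda r: r["tuple"])


def summarize(flagged):
    """Aggregate view: distinct sources, port profile, fastest repeat seen."""
    return {
        "flagged_tuples": len(flagged),
        "distinct_sources": len({r["tuple"][0] for r in flagged}),
        "all_high_dports": all(r["high_dport"] for r in flagged),
        "fastest_repeat_minutes": (min(r["min_gap_minutes"] for r in flagged)
                                   if flagged else None),
    }


if __name__ == "__main__":
    report = flag_slow_repeats(group_by_tuple(parse_log(SAMPLE_LOG)))
    for row in report:
        print(row)
    print(summarize(report))
```

On the sample, the three posted tuples are flagged (5, 3 and 5 hits, spans of roughly 50, 29 and 50 hours, shortest repeat about 87 minutes), the control entry is not, and every flagged destination port is above 1023. Run against the full log, the same grouping answers the questions the thread leaves open: how many distinct sources are involved, whether any tuple ever exceeds the 8-hit ceiling, and whether the shortest gap is ever fast enough to look like a flood rather than a trickle.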
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 08:33:23 PDT