Re: Help with an odd log file...

From: sec_slaveat_private
Date: Wed Jun 04 2003 - 08:24:32 PDT


    No, there is no payload.  
    
    
    On Tue, 03 Jun 2003 15:54:08 -0700 morning_wood <se_cur_ityat_private>
    wrote:
    >is there no content?
    >
    >
    >----- Original Message -----
    >From: <sec_slaveat_private>
    >To: <intrusionsat_private>; <incidentsat_private>
    >Sent: Tuesday, June 03, 2003 2:03 PM
    >Subject: Help with an odd log file...
    >
    >
    >>
    >> -----BEGIN PGP SIGNED MESSAGE-----
    >> Hash: SHA1
    >>
    >> Hello.
    >>
    >> I am looking for some assistance in trying to identify the nature of
    >> a suspected scan/attack against my corporate network.
    >>
    >> The scan/attack includes spoofed source addresses that cover a wide range
    >> of IP networks.  There is also a relationship between source and
    >> destination addresses and ports for each entry.  Each combination of
    >> address and port information appears between 3 and 8 times, all trickled
    >> in over a 3 day period.  Normally, something like this might be identified
    >> as a TCP SYN SCAN, but the traffic is coming in too slowly and the destination
    >> ports are all upper level ports (as you can see).
    >>
    >> The pattern is one with which I am not familiar and would appreciate
    >> your assistance in identifying.
    >>
    >> Thnx,
    >>
    >>
    >>
    >>
    >> Sorted by source IP:
    >>
    >> Date/Time        Source IP/Port         Dest IP/Port
    >> May 25 13:53:48  2.66.161.64:55518      XX6.X37.153.7:61323
    >> May 26 04:34:53  2.66.161.64:55518      XX6.X37.153.7:61323
    >> May 26 23:29:58  2.66.161.64:55518      XX6.X37.153.7:61323
    >> May 27 08:20:55  2.66.161.64:55518      XX6.X37.153.7:61323
    >> May 27 15:39:08  2.66.161.64:55518      XX6.X37.153.7:61323
    >> May 26 12:03:34  2.71.250.0:54845       XX6.X37.54.171:5929
    >> May 26 20:54:18  2.71.250.0:54845       XX6.X37.54.171:5929
    >> May 27 16:49:56  2.71.250.0:54845       XX6.X37.54.171:5929
    >> May 25 06:18:33  2.86.7.241:56883       XX6.X37.41.151:21012
    >> May 25 10:16:48  2.86.7.241:56883       XX6.X37.41.151:21012
    >> May 26 05:04:11  2.86.7.241:56883       XX6.X37.41.151:21012
    >> May 27 07:28:50  2.86.7.241:56883       XX6.X37.41.151:21012
    >> May 27 15:37:04  2.86.7.241:56883       XX6.X37.41.151:21012
    >> May 27 16:28:04  2.86.7.241:56883       XX6.X37.41.151:21012
    >> May 27 10:11:14  2.95.43.255:12430      XX6.X37.29.228:9577
    >> May 25 08:30:38  2.95.43.255:12430      XX6.X37.29.228:9577
    >> May 26 07:56:32  2.95.43.255:12430      XX6.X37.29.228:9577
    >> May 26 18:55:34  2.95.43.255:12430      XX6.X37.29.228:9577
    >> May 26 20:22:41  2.95.43.255:12430      XX6.X37.29.228:9577
    >> Etc.
    >>
    >>                 ---break for brevity's sake---
    >>                       6353 lines removed
    >>
    >> May 26 05:38:31  221.237.154.247:45635  XX6.X37.48.56:8199
    >> May 26 08:13:10  221.237.154.247:45635  XX6.X37.48.56:8199
    >> May 26 09:23:33  221.237.154.247:45635  XX6.X37.48.56:8199
    >> May 26 17:30:12  221.237.154.247:45635  XX6.X37.48.56:8199
    >> May 27 09:55:22  221.237.154.247:45635  XX6.X37.48.56:8199
    >> May 25 18:02:24  222.6.30.78:55945      XX6.X37.12.103:32430
    >> May 26 23:28:25  222.6.30.78:55945      XX6.X37.12.103:32430
    >> May 27 03:23:43  222.6.30.78:55945      XX6.X37.12.103:32430
    >> May 26 09:12:56  222.12.8.159:40062     XX6.X37.39.135:43096
    >> May 26 23:02:06  222.12.8.159:40062     XX6.X37.39.135:43096
    >> May 26 23:53:30  222.12.8.159:40062     XX6.X37.39.135:43096
    >> May 27 13:32:13  222.12.8.159:40062     XX6.X37.39.135:43096
    >> May 26 12:28:58  222.20.24.164:3281     XX6.X37.21.175:27751
    >> May 26 21:26:42  222.20.24.164:3281     XX6.X37.21.175:27751
    >> May 26 22:10:47  222.20.24.164:3281     XX6.X37.21.175:27751
    >> May 27 11:04:40  222.20.24.164:3281     XX6.X37.21.175:27751
    >> May 27 13:31:51  222.20.24.164:3281     XX6.X37.21.175:27751
    >> May 27 15:36:37  222.20.24.164:3281     XX6.X37.21.175:27751
    >> Etc.
    >>
    >>
    >>
    >> Captured Frame Sample:
    >>
    >> Frame 1 (66 bytes on wire, 66 bytes captured)
    >>     Arrival Time: May 27, 2003 14:13:58.220746000
    >>     Time delta from previous packet: 0.000000000 seconds
    >>     Time relative to first packet: 0.000000000 seconds
    >>     Frame Number: 1
    >>     Packet Length: 66 bytes
    >>     Capture Length: 66 bytes
    >> Ethernet II, Src: 00:00:0c:95:72:bd, Dst: 00:60:91:0b:45:35
    >>     Destination: 00:60:98:0d:45:35 (3Com_0d:45:35)
    >>     Source: 00:00:0c:95:78:bd (Cisco_95:78:bd)
    >>     Type: IP (0x0800)
    >> Internet Protocol, Src Addr: 155.128.250.228 (155.128.250.228), Dst Addr:
    >> XX6.X37.151.97 (XX6.X37.151.97)
    >>     Version: 4
    >>     Header length: 20 bytes
    >>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    >>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
    >>         .... ..0. = ECN-Capable Transport (ECT): 0
    >>         .... ...0 = ECN-CE: 0
    >>     Total Length: 52
    >>     Identification: 0xb82b
    >>     Flags: 0x00
    >>         .0.. = Don't fragment: Not set
    >>         ..0. = More fragments: Not set
    >>     Fragment offset: 0
    >>     Time to live: 118
    >>     Protocol: TCP (0x06)
    >>     Header checksum: 0xc248 (correct)
    >>     Source: 155.128.250.228 (155.128.250.228)
    >>     Destination: XX6.X37.151.97 (XX6.X37.151.97)
    >> Transmission Control Protocol, Src Port: 866 (866), Dst Port: 26469 (26469),
    >>  Seq: 1409168989, Ack: 0, Len: 0
    >>     Source port: 866 (866)
    >>     Destination port: 26469 (26469)
    >>     Sequence number: 1409168989
    >>     Header length: 32 bytes
    >>     Flags: 0x0002 (SYN)
    >>         0... .... = Congestion Window Reduced (CWR): Not set
    >>         .0.. .... = ECN-Echo: Not set
    >>         ..0. .... = Urgent: Not set
    >>         ...0 .... = Acknowledgment: Not set
    >>         .... 0... = Push: Not set
    >>         .... .0.. = Reset: Not set
    >>         .... ..1. = Syn: Set
    >>         .... ...0 = Fin: Not set
    >>     Window size: 55808
    >>     Checksum: 0xd5a2 (correct)
    >>     Options: (12 bytes)
    >>         Maximum segment size: 1460 bytes
    >>         NOP
    >>         Window scale: 2 (multiply by 4)
    >>         NOP
    >>         NOP
    >>         SACK permitted
    >> -----BEGIN PGP SIGNATURE-----
    >> Note: This signature can be verified at https://www.hushtools.com/verify
    >> Version: Hush 2.3
    >>
    >> wkYEARECAAYFAj7dDSgACgkQbTw24P1BTGJXaQCgsLPS0niweOjKLZSIRKUVWioqoTAA
    >> oIDwlD0AxJojtPAhIdlunJmyAG1R
    >> =US/J
    >> -----END PGP SIGNATURE-----
    >>
    >>
    >>
    >>
    >> Concerned about your privacy? Follow this link to get
    >> FREE encrypted email: https://www.hushmail.com/?l=2
    >>
    >> Free, ultra-private instant messaging with Hush Messenger
    >> https://www.hushmail.com/services.php?subloc=messenger&l=434
    >>
    >> Big $$$ to be made with the HushMail Affiliate Program:
    >> https://www.hushmail.com/about.php?subloc=affiliate&l=427
    >>
    >> ----------------------------------------------------------------------------
    >> ----------------------------------------------------------------------------
    >>
    >>
    >
    >
    
    
    
    
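The original poster sorted roughly 6,400 log entries by hand to notice that each source:port/destination:port combination recurs 3 to 8 times, hours apart, toward high-numbered ports, and that every source is tied to a single destination. The script below is an added example, not something from the thread or from any list member; it reproduces that triage over a constructed sample in the same line format as the posted listing (a few of the posted lines plus two ordinary connections from a made-up host 10.0.0.5 for contrast). It assumes the syslog-style timestamps belong to 2003, as the post's date implies, and the thresholds (3 hits, at least an hour of spread, destination port above 1024) are chosen here to match the behaviour the poster describes, not taken from any tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the poster's "Sorted by source IP" listing.
# Destination addresses stay masked exactly as they were posted (XX6.X37...).
# The last two lines are an invented, ordinary client for contrast.
SAMPLE_LOG = """\
May 25 13:53:48 2.66.161.64:55518 XX6.X37.153.7:61323
May 26 04:34:53 2.66.161.64:55518 XX6.X37.153.7:61323
May 26 23:29:58 2.66.161.64:55518 XX6.X37.153.7:61323
May 27 08:20:55 2.66.161.64:55518 XX6.X37.153.7:61323
May 27 15:39:08 2.66.161.64:55518 XX6.X37.153.7:61323
May 26 12:03:34 2.71.250.0:54845 XX6.X37.54.171:5929
May 26 20:54:18 2.71.250.0:54845 XX6.X37.54.171:5929
May 27 16:49:56 2.71.250.0:54845 XX6.X37.54.171:5929
May 25 18:02:24 222.6.30.78:55945 XX6.X37.12.103:32430
May 26 23:28:25 222.6.30.78:55945 XX6.X37.12.103:32430
May 27 03:23:43 222.6.30.78:55945 XX6.X37.12.103:32430
May 27 12:00:00 10.0.0.5:4000 XX6.X37.1.1:80
May 27 12:00:03 10.0.0.5:4001 XX6.X37.1.1:443
"""

# "<Mon> <day> <hh:mm:ss> <src>:<sport> <dst>:<dport>". Because the destinations
# are masked, address fields are matched as any non-space run, not as dotted quads.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)
LOG_YEAR = 2003  # assumption: syslog timestamps carry no year; taken from the post date


def parse_line(line):
    """Return (timestamp, (src, sport, dst, dport)) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return ts, key


def group_flows(text):
    """Group every parsable line by its 4-tuple; values are sorted lists of hit times."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, key = parsed
            flows[key].append(ts)
    return {key: sorted(times) for key, times in flows.items()}


def find_slow_repeats(text, min_hits=3, min_span=timedelta(hours=1), min_dport=1024):
    """Flag 4-tuples that recur at least min_hits times, spread over at least min_span,
    toward a non-privileged destination port. Genuine TCP retransmits from one host
    cluster within seconds; the posted entries recur hours apart, which is what the
    span test isolates. Returns [(key, hit_count, span_hours), ...] sorted by key."""
    hits = []
    for key, times in group_flows(text).items():
        span = times[-1] - times[0]
        if len(times) >= min_hits and span >= min_span and key[3] >= min_dport:
            hits.append((key, len(times), round(span.total_seconds() / 3600, 1)))
    return sorted(hits, key=lambda h: h[0])


def sources_with_single_target(text):
    """Fraction of source addresses that only ever touch one dst:dport pair. A value
    near 1.0 is the one-source-to-one-destination relationship the poster noticed;
    a normal client population, or a port scan from a single source, looks different."""
    targets = defaultdict(set)
    for (src, _sport, dst, dport) in group_flows(text):
        targets[src].add((dst, dport))
    if not targets:
        return 0.0
    single = sum(1 for t in targets.values() if len(t) == 1)
    return single / len(targets)


if __name__ == "__main__":
    for key, count, hours in find_slow_repeats(SAMPLE_LOG):
        src, sport, dst, dport = key
        print(f"{src}:{sport} -> {dst}:{dport}  hits={count}  spread={hours}h")
    print(f"sources bound to a single target: {sources_with_single_target(SAMPLE_LOG):.2f}")
```

Run against the full 6,400-line listing, the same grouping would turn the hand-sorted table into a short list of recurring tuples with their hit counts and spread, and the single-target ratio gives a number for the "relationship between source and destination" observation. The window size of 55808 and the bare SYN flags in the captured frame are a second pivot worth recording alongside each tuple if the capture is available, since a constant window across unrelated source addresses is itself a signature rather than a property of many different hosts.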



    This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 08:37:10 PDT