I would like to go ahead and resend this email I had sent to intrusions@incidents on June 4th in the event it may add some helpful info on this window size 55808 thing. In the capture below it does in fact show a window size of 55808, but the only thing I logged during this time was from a single IP address. And if you look at the payload, it is different than the ones we see now.

Dave

-----Original Message-----
From: Taylor, David
Sent: Wednesday, June 04, 2003 8:58 AM
To: intrusionsat_private
Subject: IANA Reserved IP Source scans

Over the last few days I have noticed a system periodically scanning my network. Has anyone else seen anything like this? Comes from the same IP, same source port and same destination port. The scans are sporadic but persistent.

Thanks,

David Taylor
Network Manager
School of Nursing
University of Pennsylvania
http://www.nursing.upenn.edu/otis

TIMESTAMP            SOURCE IP        DEST PORT    COUNT  SOURCE PORT
2003-05-23 17:03:23  58.221.176.240   port=46637   1      37104
2003-05-24 08:31:55  58.221.176.240   port=46637   1      37104
2003-05-24 19:58:07  58.221.176.240   port=46637   1      37104
2003-05-25 04:22:55  58.221.176.240   port=46637   1      37104
2003-05-26 03:33:02  58.221.176.240   port=46637   1      37104
2003-05-27 13:16:46  58.221.176.240   port=46637   1      37104
2003-05-27 17:52:28  58.221.176.240   port=46637   1      37104
2003-05-28 12:03:13  58.221.176.240   port=46637   1      37104
2003-05-28 13:50:25  58.221.176.240   port=46637   1      37104
2003-05-29 11:53:31  58.221.176.240   port=46637   7      37104
2003-05-29 13:27:12  58.221.176.240   port=46637   1      37104
2003-05-29 17:32:02  58.221.176.240   port=46637   2      37104
2003-05-29 19:36:34  58.221.176.240   port=46637   1      37104
2003-05-29 22:11:30  58.221.176.240   port=46637   1      37104
2003-05-29 22:31:36  58.221.176.240   port=46637   1      37104
2003-05-30 03:24:48  58.221.176.240   port=46637   1      37104
2003-05-30 06:49:08  58.221.176.240   port=46637   1      37104
2003-05-30 17:30:17  58.221.176.240   port=46637   1      37104
2003-05-30 20:31:02  58.221.176.240   port=46637   1      37104
2003-06-01 14:07:15  58.221.176.240   port=46637   1      37104
2003-06-01 16:42:56  58.221.176.240   port=46637   1      37104
2003-06-01 19:45:33  58.221.176.240   port=46637   1      37104
2003-06-01 20:44:58  58.221.176.240   port=46637   1      37104
2003-06-02 01:40:13  58.221.176.240   port=46637   1      37104
2003-06-02 09:15:45  58.221.176.240   port=46637   1      37104
2003-06-02 11:03:54  58.221.176.240   port=46637   1      37104
2003-06-02 15:08:13  58.221.176.240   port=46637   1      37104
2003-06-02 16:21:34  58.221.176.240   port=46637   1      37104
2003-06-02 16:57:19  58.221.176.240   port=46637   1      37104
2003-06-02 19:48:18  58.221.176.240   port=46637   1      37104
2003-06-02 20:18:30  58.221.176.240   port=46637   1      37104
2003-06-02 23:09:51  58.221.176.240   port=46637   1      37104
2003-06-03 07:57:01  58.221.176.240   port=46637   3      37104
2003-06-03 11:17:08  58.221.176.240   port=46637   1      37104
2003-06-03 15:06:17  58.221.176.240   port=46637   1      37104
2003-06-03 15:36:21  58.221.176.240   port=46637   1      37104
2003-06-04 08:57:48  58.221.176.240   port=46637   19     37104

Frame 10 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jun 3, 2003 12:20:29.880524000
    Time delta from previous packet: 1615.688596000 seconds
    Time relative to first packet: 1669.478624000 seconds
    Frame Number: 10
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II, Src: 00:30:b6:d1:86:07, Dst: 00:b0:d0:f7:a6:82
    Destination: 00:b0:d0:f7:a6:82 (Dell_f7:a6:82)
    Source: 00:30:b6:d1:86:07 (Cisco_d1:86:07)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 58.221.176.240 (58.221.176.240), Dst Addr: m.y.i.p (m.y.i.p)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0xf380
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 107
    Protocol: TCP (0x06)
    Header checksum: 0x4f0b (correct)
    Source: 58.221.176.240 (58.221.176.240)
    Destination: m.y.i.p (m.y.i.p)
Transmission Control Protocol, Src Port: 37104 (37104), Dst Port: 46637 (46637), Seq: 3506558330, Ack: 0, Len: 0
    Source port: 37104 (37104)
    Destination port: 46637 (46637)
    Sequence number: 3506558330
    Header length: 32 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 55808
    Checksum: 0x9a42 (correct)
    Options: (12 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 2 (multiply by 4)
        NOP
        NOP
        SACK permitted

0000  00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00   .......0......E.
0010  00 34 f3 80 00 00 6b 06 4f 0b 3a dd b0 f0 82 5b   .4....k.O.:....[
0020  9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02   .....-...z......
0030  da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01   ...B............
0040  04 02                                             ..

Frame 11 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jun 3, 2003 13:13:26.221161000
    Time delta from previous packet: 3176.340637000 seconds
    Time relative to first packet: 4845.819261000 seconds
    Frame Number: 11
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II, Src: 00:30:b6:d1:86:07, Dst: 00:b0:d0:f7:a6:82
    Destination: 00:b0:d0:f7:a6:82 (Dell_f7:a6:82)
    Source: 00:30:b6:d1:86:07 (Cisco_d1:86:07)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 58.221.176.240 (58.221.176.240), Dst Addr: m.y.i.p (m.y.i.p)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0xe5a7
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 105
    Protocol: TCP (0x06)
    Header checksum: 0x5ee4 (correct)
    Source: 58.221.176.240 (58.221.176.240)
    Destination: m.y.i.p (m.y.i.p)
Transmission Control Protocol, Src Port: 37104 (37104), Dst Port: 46637 (46637), Seq: 3506558330, Ack: 0, Len: 0
    Source port: 37104 (37104)
    Destination port: 46637 (46637)
    Sequence number: 3506558330
    Header length: 32 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 55808
    Checksum: 0x9a42 (correct)
    Options: (12 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 2 (multiply by 4)
        NOP
        NOP
        SACK permitted

0000  00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00   .......0......E.
0010  00 34 e5 a7 00 00 69 06 5e e4 3a dd b0 f0 82 5b   .4....i.^.:....[
0020  9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02   .....-...z......
0030  da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01   ...B............
0040  04 02                                             ..

Frame 12 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jun 3, 2003 13:30:19.245957000
    Time delta from previous packet: 1013.024796000 seconds
    Time relative to first packet: 5858.844057000 seconds
    Frame Number: 12
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II, Src: 00:30:b6:d1:86:07, Dst: 00:b0:d0:f7:a6:82
    Destination: 00:b0:d0:f7:a6:82 (Dell_f7:a6:82)
    Source: 00:30:b6:d1:86:07 (Cisco_d1:86:07)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 58.221.176.240 (58.221.176.240), Dst Addr: m.y.i.p (m.y.i.p)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0xf380
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 116
    Protocol: TCP (0x06)
    Header checksum: 0x460b (correct)
    Source: 58.221.176.240 (58.221.176.240)
    Destination: m.y.i.p (m.y.i.p)
Transmission Control Protocol, Src Port: 37104 (37104), Dst Port: 46637 (46637), Seq: 3506558330, Ack: 0, Len: 0
    Source port: 37104 (37104)
    Destination port: 46637 (46637)
    Sequence number: 3506558330
    Header length: 32 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 55808
    Checksum: 0x9a42 (correct)
    Options: (12 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 2 (multiply by 4)
        NOP
        NOP
        SACK permitted

0000  00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00   .......0......E.
0010  00 34 f3 80 00 00 74 06 46 0b 3a dd b0 f0 82 5b   .4....t.F.:....[
0020  9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02   .....-...z......
0030  da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01   ...B............
0040  04 02                                             ..
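As an added example (not part of David's message or the list thread), here is a small Python dissector that rebuilds frame 10 from the hex dump above, verifies the IP header checksum the way Ethereal did, walks the TCP options, and applies the signature the thread is about: a bare SYN advertising a window of 55808. The function names (hexdump_to_bytes, parse_frame, is_55808_syn) are mine, and the frame is assumed to be Ethernet II / IPv4 / TCP as the dissections show.

```python
import re
import struct

# Hex dump of frame 10, copied from the dissection above (offset, 16 byte columns, ASCII).
FRAME10_HEX = """
0000  00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00   .......0......E.
0010  00 34 f3 80 00 00 6b 06 4f 0b 3a dd b0 f0 82 5b   .4....k.O.:....[
0020  9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02   .....-...z......
0030  da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01   ...B............
0040  04 02                                             ..
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from Ethereal-style rows; the offset and ASCII columns are skipped."""
    tokens = (t for line in dump.strip().splitlines() for t in line.split()[1:17])
    return bytes(int(t, 16) for t in tokens if re.fullmatch(r"[0-9a-f]{2}", t))

def ip_checksum_ok(hdr: bytes) -> bool:
    """RFC 1071: the one's-complement sum of the header, checksum field included, is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_frame(raw: bytes) -> dict:
    """Dissect Ethernet II / IPv4 / TCP (assumed, as in the frames above) into the fields of interest."""
    ip = raw[14:]                                # skip the 14-byte Ethernet II header
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    opts, i = {}, 20
    while i < (off_flags >> 12) * 4:             # walk TCP options: kind[, len, data]
        kind = tcp[i]
        if kind in (0, 1):                       # EOL / NOP are single-byte options
            i += 1
            continue
        if kind == 2:
            opts["mss"] = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        elif kind == 3:
            opts["wscale"] = tcp[i + 2]
        elif kind == 4:
            opts["sack_ok"] = True
        i += max(tcp[i + 1], 2)                  # never loop forever on a zero length byte
    return {"src": ".".join(map(str, ip[12:16])), "ttl": ip[8], "seq": seq,
            "ip_id": struct.unpack("!H", ip[4:6])[0], "ip_cksum_ok": ip_checksum_ok(ip[:ihl]),
            "sport": sport, "dport": dport, "flags": off_flags & 0xFF, "window": window, "opts": opts}

def is_55808_syn(pkt: dict) -> bool:
    """The signature under discussion: a bare SYN (no ACK) advertising window 55808."""
    return pkt["flags"] == 0x02 and pkt["window"] == 55808
```

Run over frames 11 and 12 as well, the same parser shows the identical sequence number, ports and TCP checksum with only the IP ID and TTL changing, which is worth logging alongside the window size when tuning a detection for this traffic.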
This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 19:56:47 PDT