Weird Scan

From: centipede (centipedat_private)
Date: Sun Dec 16 2001 - 11:01:03 PST


    Hello,
    
    Today I've received some weird traffic that maybe you guys have already met.
    It was a regular 2-packet-long SYN scan to port 80.
    My deception tool kit answered the call with 3 SYN-ACK packets,
    only to receive 3 RSTs.
    At first I thought it to be a '6sense' kind of stealth scan,
    but investigating the TTL and the packets' IP id numbers, I decided both
    the SYN and the RST packets came from the same host.
    More surprising is the fact that the dtk logged those attempts as coming
    from 192.168.0.3.  (yep, 192.168.0.0 is the local network).
    But I'm not sure it's relevant.
    
    Anyone ?
    
    Thanks,
    centipede.
    
    { Attached is the tcpdump log file }
    { Forgive me for dual-posting, I wasn't sure which is more suitable }
    
    
    
    20:26:01.046765 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39188)
    20:26:01.046964 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3363)
    20:26:03.856766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39453)
    20:26:03.856831 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3364)
    20:26:04.546778 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3365)
    20:26:06.796775 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 39691)
    20:26:09.546766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41243)
    20:26:10.156776 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41334)
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
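
The TTL / IP-id reasoning in the post, as an added example (not part of the original post or of DTK): the script below parses the attached tcpdump lines (copied verbatim, x.x.x.x kept as in the post), groups the inbound packets by source, and reports whether every packet carries the same TTL and whether the IP ids rise monotonically, which is the evidence the post uses to say the SYNs and RSTs came from one host rather than from a spoofed third party. It also checks the RFC 793 rule that a host with no matching connection answers an ACK-bearing segment with a RST whose sequence number equals that segment's ack, which is what the three RSTs here look like. The table of common initial TTLs (64, 128, 255) and the hop estimate derived from it are an assumption of this example, not something stated in the post.

```python
"""Check the 'same host sent the SYNs and the RSTs' evidence from a tcpdump log.

Added example; the log text is the capture from the post, the analysis is mine.
"""
import re
from collections import Counter

# Capture copied from the post (x.x.x.x is the honeypot, masked by the poster).
LOG = """\
20:26:01.046765 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39188)
20:26:01.046964 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3363)
20:26:03.856766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: S 1459731372:1459731372(0) win 8760 <mss 1460,nop,nop,sackOK> (DF) (ttl 114, id 39453)
20:26:03.856831 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3364)
20:26:04.546778 ppp0 > x.x.x.x.80 > 62.177.75.55.2095: S 3831740322:3831740322(0) ack 1459731373 win 30660 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 3365)
20:26:06.796775 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 39691)
20:26:09.546766 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41243)
20:26:10.156776 ppp0 < 62.177.75.55.2095 > x.x.x.x.80: R 1459731373:1459731373(0) win 0 (ttl 114, id 41334)
"""

# Old-style tcpdump TCP line: time iface dir src > dst: FLAGS [seq:end(len)] [ack N] win W ... (ttl T, id I)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[A-Z.]+)\s+"
    r"(?:(?P<seq>\d+):(?P<seq_end>\d+)\(\d+\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
    r".*\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<id>\d+)\)\s*$"
)

# Assumed table of common initial TTLs; not from the post.
INITIAL_TTLS = (64, 128, 255)


def split_endpoint(endpoint):
    """'62.177.75.55.2095' -> ('62.177.75.55', 2095); the last dotted field is the port."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src, sport = split_endpoint(d["src"])
    dst, dport = split_endpoint(d["dst"])
    return {
        "ts": d["ts"], "inbound": d["dir"] == "<",
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]), "ttl": int(d["ttl"]), "id": int(d["id"]),
    }


def parse_log(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def guess_hops(ttl):
    """Smallest common initial TTL at or above the observed one, and the hop count it implies."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def same_host_evidence(pkts, host):
    """Summarise TTL and IP-id consistency of all inbound packets from `host`."""
    mine = [p for p in pkts if p["inbound"] and p["src"] == host]
    ttls = sorted({p["ttl"] for p in mine})
    ids = [p["id"] for p in mine]          # in capture order
    initial, hops = guess_hops(ttls[0]) if len(ttls) == 1 else (None, None)
    return {
        "packets": len(mine),
        "flags": Counter(p["flags"] for p in mine),
        "ttls": ttls,
        "ttl_consistent": len(ttls) == 1,
        "ids": ids,
        # Strictly rising ids (no 16-bit wrap in this short window) fit one
        # host's sequential id counter; a spoofed RST would rarely line up.
        "ids_increasing": all(a < b for a, b in zip(ids, ids[1:])),
        "initial_ttl_guess": initial,
        "hops_guess": hops,
    }


def rst_matches_synack(pkts):
    """RFC 793: with no connection, an ACK-bearing segment is answered by
    RST with SEQ = SEG.ACK.  True if every inbound RST's seq equals the ack
    of one of our outbound SYN-ACKs, i.e. a real stack is replying."""
    synack_acks = {p["ack"] for p in pkts
                   if not p["inbound"] and p["flags"] == "S" and p["ack"] is not None}
    rsts = [p for p in pkts if p["inbound"] and p["flags"] == "R"]
    return bool(rsts) and all(p["seq"] in synack_acks for p in rsts)


if __name__ == "__main__":
    packets = parse_log(LOG)
    print(same_host_evidence(packets, "62.177.75.55"))
    print("RST seq == our SYN-ACK ack:", rst_matches_synack(packets))
```

On this capture the inbound packets all carry ttl 114 and ids 39188, 39453, 39691, 41243, 41334, and each RST's sequence number is 1459731373, the ack value of the honeypot's SYN-ACKs; that is the combination the post reads as "same host". The gaps between ids only say the host sent other packets in between, nothing more.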
    



    This archive was generated by hypermail 2b30 : Sun Dec 16 2001 - 15:54:08 PST