Security Incidents mailing list archives
Re: a very strange scan
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Fri, 11 Feb 2000 12:06:08 +1300
On Wed, 9 Feb 2000 16:26:11 -0000 Boris Badenov <sluskyb () FORCE STWING UPENN EDU> wrote:
I was scanned yesterday by 208.225.90.120 (which is somewhere in the depths of UUnet) on the following ports: 46424 17699 54510 53021 2168 38979 45576 16851 44087 15362 21752 20263 57074 28349 65160 26860 43032 4732 41543 11329 48140 All these ports are unassigned, and none of them are on any of the trojan lists I've found. Can anyone make sense of this?
What flags were set on these packets? Here is one possible scenario:

I see packets coming in with FIN or sometimes RST from addresses owned by e-commerce sites (Amazon is bad at the moment). What appears to be happening is this: the sites use some form of load balancing software, so behind, say, www.amazon.com are 3 (at least) real web servers that do the work. These machines often don't have PTR records in the DNS. The problem is that the load balancing software isn't perfect and often gets confused when sessions have finished or been dropped. When this happens the real server that was handling the transaction times out and then sends out a FIN or an RST to the client. This will appear to a FW or NID as a new session and get logged as such.

I run argus, which records *all* TCP sessions, and I have been able to match the session originated at our site, which appeared to terminate normally, with the incoming FIN packet several seconds later. If you have a client doing lots of sessions to such a site you will see what appears to be a scan coming back. If the client is on an OS which allocates source port numbers serially, the scan will appear to be a serial scan of the high numbered ports. If the OS allocates ports randomly, then you would see something like you describe.

ARIN says this address is allocated to UUNet's web business unit.

Russell.
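The matching Russell describes, as an added example that is not part of the original thread: inbound FIN/RST packets are correlated with previously recorded outbound sessions (the kind of flow record argus keeps), and a source address that differs from the address the client connected to is reported as a likely real server behind a load balancer rather than a probe. All addresses, ports and timestamps are constructed; the 60-second window is an assumption.

```python
"""Match inbound FIN/RST packets against recorded outbound sessions (the kind
argus keeps) to tell load-balancer stragglers from probes. Constructed data."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Session:          # an outbound session that closed normally
    closed_at: float    # epoch seconds of the normal teardown
    client_ip: str
    client_port: int
    server_ip: str      # what the client connected to (the VIP)
    server_port: int

@dataclass(frozen=True)
class Packet:           # one inbound packet
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # tcpdump-style letters: "F", "R", "FA", "S", ...

def classify(pkt: Packet, sessions: List[Session], window: float = 60.0) -> str:
    """A FIN/RST arriving within `window` seconds after a session from the same
    client port to the same service port closed is late teardown; a source that
    is not the VIP looks like a real server behind a load balancer, so say so."""
    if "F" not in pkt.flags and "R" not in pkt.flags:
        return "not-teardown"
    for s in sessions:
        if (s.client_ip == pkt.dst_ip and s.client_port == pkt.dst_port
                and s.server_port == pkt.src_port
                and 0 <= pkt.ts - s.closed_at <= window):
            if s.server_ip == pkt.src_ip:
                return "late-teardown"
            return f"late-teardown-via-backend of {s.server_ip}"
    return "unsolicited"

def summarize(packets: List[Packet], sessions: List[Session]) -> Dict[str, int]:
    """Count labels so an analyst sees how much of a 'scan' is stragglers."""
    return dict(Counter(classify(p, sessions) for p in packets))

# Constructed data: two sessions to a hypothetical VIP, stragglers from two
# unnamed real servers behind it, and one FIN no session at our site explains.
SESSIONS = [Session(100.0, "192.0.2.10", 46424, "203.0.113.5", 80),
            Session(101.0, "192.0.2.10", 17699, "203.0.113.5", 80)]
PACKETS = [Packet(104.0, "203.0.113.21", 80, "192.0.2.10", 46424, "F"),
           Packet(106.5, "203.0.113.22", 80, "192.0.2.10", 17699, "R"),
           Packet(107.0, "198.51.100.9", 80, "192.0.2.10", 54510, "F")]
```

Run `summarize(PACKETS, SESSIONS)` to see two of the three "scan" packets attributed to backends of the VIP and one left unexplained.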