Security Incidents mailing list archives

Re: Strange broadcasts to printer port


From: "Mike Patchen" <MPatchen () chaska net>
Date: Thu, 28 Jun 2001 12:55:15 -0500

I have been seeing a lot of these too (5-7 per day).  Snort identifies them as "BACKDOOR Q access".  The only 
difference that I see is that the TOS is 0x00 in my logs.  I usually see these as a scan across my IP range, instead of 
being targeted at a certain machine.

Mike Patchen
IT Technician
City of Chaska

Patrick Oonk <patrick () pine nl> 06/28/01 09:27AM >>>
Hi,

I have been seeing syn packets from src 255.255.255.255:31337 to random
ip-numbers port 515 in our nets for months.  Does anyone know what could cause this?

The packets are coming from outside our network.

tcpdump:

15:55:10.669625 255.255.255.255.31337 > 213.156.28.202.printer: S 100:100(0) win 512 [tos 0x20] [ttl 1]
                          4520 0028 f2b0 0000 0106 d499 ffff ffff
                          d59c 1cca 7a69 0203 0000 0064 0000 0000
                          5002 0200 3eac 0000 0000 0000 0000

Snort: 

06/28-16:18:51.995065 255.255.255.255:31337 -> 213.156.9.61:515
TCP TTL:1 TOS:0x20 ID:62128 IpLen:20 DgmLen:40
******S* Seq: 0x64  Ack: 0x0  Win: 0x200  TcpLen: 20



-- 
 Patrick Oonk - PO1-6BONE - E: patrick () pine nl - www.pine.nl/~patrick 
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk () my security nl 
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl 
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: The UPS is on strike.
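The tcpdump hex dump in the message above carries the full IP and TCP headers of one of these packets, so the fields Snort prints (TTL 1, TOS 0x20, ID 62128, seq 0x64, win 0x200) can be recovered and both checksums verified directly from the bytes. The following is an added example for this archive page, not code from either poster and not the Snort "BACKDOOR Q access" rule: it decodes the posted bytes, checks the IP and TCP checksums, matches the packet against the characteristics described in the thread (source 255.255.255.255:31337, destination port 515, SYN only; TOS is deliberately not checked, since the reply reports TOS 0x00 for otherwise identical packets), and summarises which hosts a set of Snort alert lines targets, which is the "scan across my IP range" pattern the reply describes. The alert lines in `SAMPLE_ALERT_LINES` are constructed in the format of the one alert in the post; the function names are my own.

```python
"""Decode and check the 255.255.255.255:31337 -> :515 SYN from the post.

Added example for this mailing-list page; not the posters' code and not
a reproduction of Snort's "BACKDOOR Q access" rule.
"""
import re
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Bytes printed under the tcpdump summary line in the post. The IP total
# length is 40, so the trailing four zero bytes are link-layer padding.
TCPDUMP_HEX = (
    "4520 0028 f2b0 0000 0106 d499 ffff ffff "
    "d59c 1cca 7a69 0203 0000 0064 0000 0000 "
    "5002 0200 3eac 0000 0000 0000 0000"
)

# Constructed Snort alert lines (assumed data) in the format shown in the
# post, to illustrate the same source sweeping several hosts on port 515.
SAMPLE_ALERT_LINES = """\
06/28-16:18:51.995065 255.255.255.255:31337 -> 213.156.9.61:515
06/28-16:18:52.101230 255.255.255.255:31337 -> 213.156.9.62:515
06/28-16:18:52.203118 255.255.255.255:31337 -> 213.156.9.63:515
06/28-16:19:03.410005 10.0.0.5:40212 -> 213.156.9.61:22
"""

TCP_SYN = 0x02
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class TcpPacket:
    tos: int
    total_len: int
    ip_id: int
    ttl: int
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    ip_csum_ok: bool
    tcp_csum_ok: bool


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means the embedded checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcpdump_hex(text: str) -> bytes:
    """Turn the whitespace-separated hex words tcpdump prints into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode(raw: bytes) -> TcpPacket:
    """Parse IPv4 + TCP headers and verify both checksums."""
    ver_ihl, tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]  # drop link-layer padding beyond the IP length
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length).
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return TcpPacket(
        tos=tos, total_len=total_len, ip_id=ip_id, ttl=ttl,
        src=IPv4Address(src), dst=IPv4Address(dst),
        sport=sport, dport=dport, seq=seq, ack=ack,
        flags=off_flags & 0x1FF, window=window,
        ip_csum_ok=inet_checksum(raw[:ihl]) == 0,
        tcp_csum_ok=inet_checksum(pseudo + tcp) == 0,
    )


def matches_reported_pattern(p: TcpPacket) -> bool:
    """Fields named in the thread; TOS is not checked (0x20 and 0x00 are both reported)."""
    return p.src == LIMITED_BROADCAST and p.sport == 31337 and p.dport == 515 and p.flags == TCP_SYN


def anomalies(p: TcpPacket) -> list[str]:
    """Why this cannot be a real connection attempt, from the header alone."""
    notes = []
    if p.src == LIMITED_BROADCAST:
        notes.append("source is the limited-broadcast address: no SYN/ACK can ever reach it")
    if p.ttl <= 1:
        notes.append("TTL 1: the packet cannot be forwarded by any further router")
    return notes


ALERT_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def scan_targets(alert_text: str, src: str = "255.255.255.255", sport: int = 31337) -> list[str]:
    """Distinct destination hosts hit from src:sport, in first-seen order."""
    seen: list[str] = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m and m.group(2) == src and int(m.group(3)) == sport and m.group(4) not in seen:
            seen.append(m.group(4))
    return seen


if __name__ == "__main__":
    pkt = decode(parse_tcpdump_hex(TCPDUMP_HEX))
    print(pkt)
    print("matches reported pattern:", matches_reported_pattern(pkt), anomalies(pkt))
    print("hosts swept:", scan_targets(SAMPLE_ALERT_LINES))
```

Both checksums in the posted dump verify, so the bytes are a faithful capture rather than a display artefact; a SYN from the limited-broadcast address with TTL 1 can never complete a handshake, which is consistent with the thread's observation that these arrive as a sweep rather than as connection attempts against one host.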


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com 

