Security Incidents mailing list archives

Re: Strange broadcasts to printer port


From: "Crist Clark" <crist.clark () globalstar com>
Date: Fri, 29 Jun 2001 10:21:59 -0700

Mike Patchen wrote:

I have been seeing a lot of these too (5-7 per day).  Snort identifies them as "BACKDOOR Q access".  The only 
difference that I see is that the TOS is 0x00 in my logs.  I usually see these as a scan across my IP range, instead 
of being targeted at a certain machine.

I've seen 182 of these. The first one came in on April 16th of this year.
They have hit 164 different hosts, no host has been hit more than twice, 
which is reasonable for totally random scans.

Patrick Oonk <patrick () pine nl> 06/28/01 09:27AM >>>
Hi,

I have been seeing syn packets from src 255.255.255.255:31337 to random
ip-numbers port 515 in our nets for months.  Does anyone know what could cause this?

I don't know, but I find these things humorous more than anything
else. I mean, could it be _any_ more obvious these are crafted packets?
We have the 'leet source port. We have a sequence number of 100 every time.
We have the same IP ID every time, 62128. And then of course, the source
address is The Broadcast Address. So, not only are they blatantly obvious
and should set off every NIDS ever made, but they are harmless. There
is no way the recipient could ever find the sender (even if it wanted to
reply to a SYN from 255.255.255.255) if it's not local.

My _guess_ has always been that these are the result of some broken
worm or other tool. However, I do not see how such a worm could ever
propagate. I never see attacks with this signature except including
a valid source address.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
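
The invariant fields Crist lists (source port 31337, destination port 515, a bare SYN, sequence number 100, IP ID 62128) are enough to separate this noise from a probe that actually deserves attention. The classifier below is an added example, not code from the thread; its tcpdump-style input lines and their exact layout are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed tcpdump-style lines for illustration (not traffic from the original post).
SAMPLE_LOG = """\
255.255.255.255.31337 > 10.0.0.5.515: S 100:100(0) win 512 (ttl 48, id 62128, tos 0x0)
255.255.255.255.31337 > 10.0.0.77.515: S 100:100(0) win 512 (ttl 48, id 62128, tos 0x8)
255.255.255.255.31337 > 10.0.0.5.515: S 100:100(0) win 512 (ttl 47, id 62128, tos 0x0)
192.168.1.20.1025 > 10.0.0.5.515: S 2893457201:2893457201(0) win 16384 (ttl 64, id 9813, tos 0x0)
172.16.4.9.31337 > 10.0.0.9.515: S 100:100(0) win 512 (ttl 48, id 62128, tos 0x0)
"""

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPA.]+) (?P<seq>\d+):\d+\(\d+\) win \d+ "
    r"\(ttl \d+, id (?P<ipid>\d+), tos 0x(?P<tos>[0-9a-fA-F]+)\)$"
)

# Invariants named in the thread (TOS differed between reporters, so it is not checked).
FINGERPRINT = {"sport": 31337, "dport": 515, "flags": "S", "seq": 100, "ipid": 62128}

def parse(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(f: Dict[str, str]) -> str:
    # From 255.255.255.255 the probe is noisy but harmless (no reply can reach the sender);
    # the same fingerprint from a routable source can be answered, so it gets its own label.
    for key, want in FINGERPRINT.items():
        have = f[key] if key == "flags" else int(f[key])
        if have != want:
            return "normal"
    return "crafted-broadcast-source" if f["src"] == "255.255.255.255" else "fingerprint-routable-source"

def analyse(log: str) -> Dict[str, object]:
    # Per-label counts, plus how the broadcast variant spreads over target hosts
    # (a random scan touches many hosts and rarely the same one twice).
    labels: Counter = Counter()
    targets: Counter = Counter()
    for line in log.splitlines():
        f = parse(line)
        if f is None:
            continue  # unparsed lines are skipped, not silently labelled
        label = classify(f)
        labels[label] += 1
        if label == "crafted-broadcast-source":
            targets[f["dst"]] += 1
    return {"labels": dict(labels), "distinct_targets": len(targets),
            "max_hits_per_target": max(targets.values(), default=0)}
```

Running `analyse(SAMPLE_LOG)` labels the three broadcast-source lines, the one unicast copy of the same fingerprint, and the ordinary LPD SYN separately, and reports the target spread that Crist uses to judge the scan as random.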


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com