Security Incidents mailing list archives
Re: Strange broadcasts to printer port
From: "Crist Clark" <crist.clark () globalstar com>
Date: Fri, 29 Jun 2001 10:21:59 -0700
Mike Patchen wrote:
I have been seeing a lot of these too (5-7 per day). Snort identifies them as "BACKDOOR Q access". The only difference that I see is that the TOS is 0x00 in my logs. I usually see these as a scan across my IP range, instead of being targeted at a certain machine.
I've seen 182 of these. The first one came in on April 16th of this year. They have hit 164 different hosts, no host has been hit more than twice, which is reasonable for totally random scans.
Patrick Oonk <patrick () pine nl> 06/28/01 09:27AM >>>
Hi, I have been seeing syn packets from src 255.255.255.255:31337 to random ip-numbers port 515 in our nets for months. Does anyone know what could cause this?
I don't know, but I find these things humorous more than anything else. I mean, could it be _any_ more obvious these are crafted packets? We have the 'leet source port. We have a sequence number of 100 every time. We have the same IP ID every time, 62128. And then of course, the source address is The Broadcast Address. So, not only are they blatantly obvious and should set off every NIDS ever made, but they are harmless. There is no way the recipient could ever find the sender (even if it wanted to reply to a SYN from 255.255.255.255) if it's not local.

My _guess_ has always been that these are the result of some broken worm or other tool. However, I do not see how such a worm could ever propagate. I never see attacks with this signature except including a valid source address.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926
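The constant fields listed in the message above can be checked directly against raw packet headers. The following is an added example, not part of the original post or the list; the `build_syn` helper, the function names and the 192.0.2.10 / 198.51.100.7 addresses are constructed for illustration.

```python
import socket
import struct

# Constants the post lists for these crafted SYNs.
SIG = {"src": "255.255.255.255", "sport": 31337, "dport": 515,
       "seq": 100, "ip_id": 62128}

def build_syn(src, dst, sport, dport, seq, ip_id):
    """Constructed sample input: IPv4 + TCP SYN headers, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02,
                      1024, 0, 0)
    return ip + tcp

def parse_syn(packet):
    """Return the signature-relevant fields of a raw IPv4 TCP SYN, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 14:
        return None
    ip_id, frag = struct.unpack_from("!HH", packet, 4)
    if frag & 0x1FFF:                      # later fragment: no TCP header here
        return None
    sport, dport, seq = struct.unpack_from("!HHI", packet, ihl)
    if packet[ihl + 13] & 0x3F != 0x02:    # SYN set, no other control flag
        return None
    return {"src": socket.inet_ntoa(packet[12:16]), "sport": sport,
            "dport": dport, "seq": seq, "ip_id": ip_id}

def crafted_indicators(packet):
    """Names of the fields that equal the constants described in the post."""
    fields = parse_syn(packet)
    if fields is None:
        return []
    return [name for name, value in SIG.items() if fields[name] == value]

if __name__ == "__main__":
    samples = [
        build_syn("255.255.255.255", "192.0.2.10", 31337, 515, 100, 62128),
        build_syn("198.51.100.7", "192.0.2.10", 40112, 515, 2886731, 4242),
    ]
    for pkt in samples:
        hits = crafted_indicators(pkt)
        print(len(hits), "of", len(SIG), "fields match:", hits)
```

Counting matching fields rather than requiring all five lets an analyst separate ordinary port 515 probes (one match) from packets carrying the full set of constants.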