Security Incidents mailing list archives
Re: odd scans?
From: "Kyle R. Hofmann" <krh () lemniscate net>
Date: Fri, 24 May 2002 11:21:24 -0700
On Fri, 24 May 2002 10:16:20 -0700, "Scott, Michael R." wrote:
Anyone recognize this or have a clue what they're looking for (covert channel, root shell) or what tool is responsible? The source and dest ports are almost as randomly distributed across the high range as the location of the source IPs are across the globe, but notice that the same two ack numbers repeat across all the source IPs.
I've seen similar behavior from a misbehaving Linux 2.2.19 system. I don't know what triggered it, but it began trying to reset connections that weren't there:

05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0
05:53:51.592544 xxx.62176 > yyy.zz: R 1060356:1060356(0) win 0
06:05:58.786207 xxx.62177 > yyy.zz: R 1060312:1060312(0) win 0
06:06:01.116313 xxx.62177 > yyy.zz: R 1060356:1060356(0) win 0
06:18:21.837972 xxx.62178 > yyy.zz: R 1060312:1060312(0) win 0
06:18:21.854618 xxx.62178 > yyy.zz: R 1060356:1060356(0) win 0
06:26:22.898850 xxx.62179 > yyy.zz: R 1060312:1060312(0) win 0
06:30:26.618631 xxx.62180 > yyy.zz: R 1060356:1060356(0) win 0

It did this for weeks. You can see the outline of a pattern in the excerpt I've included: send a RST for each of the two sequence numbers, wait ~12 seconds, increment the port number, and try again. It didn't keep very strictly to the pattern, though, but that seems to match your experiences.

The solution for me was to flush and reload the Linux machine's ipchains rules. I don't have a good guess as to what was going on, but I suspect that it had to do with firewalling and NAT (the Linux machine in question has some firewalling rules and does NAT for two machines). It's possible that you're seeing the same problem, but from someone with a different setup or a different (but still buggy) kernel.

--
Kyle R. Hofmann <krh () lemniscate net>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
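The distinguishing feature in the excerpt above is not the RST flag itself but that a single source replays the same two sequence numbers from a steadily incrementing source port. The following Python script is an added example, not part of the original message or of any tool mentioned in the thread: it parses tcpdump's classic one-line output for bare RSTs, groups them by source host and destination, and flags sources whose RSTs reuse a tiny fixed set of sequence numbers across many source ports. The sample lines are constructed for the example (the ten `xxx` lines are modelled on the post; the `host-a` and `host-b` lines are invented as non-matching traffic), and the thresholds `max_seqs` and `min_ports` are assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import timedelta

# Matches tcpdump's classic one-line TCP output for a RST carrying no payload, e.g.
#   05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
RST_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"R (?P<seq>\d+):\d+\(0\) win 0$"
)

# Constructed sample: the ten xxx -> yyy.zz lines follow the post; the last two
# lines (a SYN and a single unrelated RST) are invented non-matching traffic.
SAMPLE = """\
05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0
05:53:51.592544 xxx.62176 > yyy.zz: R 1060356:1060356(0) win 0
06:05:58.786207 xxx.62177 > yyy.zz: R 1060312:1060312(0) win 0
06:06:01.116313 xxx.62177 > yyy.zz: R 1060356:1060356(0) win 0
06:18:21.837972 xxx.62178 > yyy.zz: R 1060312:1060312(0) win 0
06:18:21.854618 xxx.62178 > yyy.zz: R 1060356:1060356(0) win 0
06:26:22.898850 xxx.62179 > yyy.zz: R 1060312:1060312(0) win 0
06:30:26.618631 xxx.62180 > yyy.zz: R 1060356:1060356(0) win 0
06:31:02.000001 host-a.40001 > yyy.80: S 3200000:3200000(0) win 5840
06:31:02.000500 host-b.50020 > yyy.80: R 77001:77001(0) win 0
""".splitlines()


def parse_rst(line):
    """Return the fields of a bare RST line, or None for any other line."""
    m = RST_RE.match(line.strip())
    if not m:
        return None
    t = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                  seconds=int(m["s"]), microseconds=int(m["us"]))
    return {"time": t, "src": m["src"], "sport": int(m["sport"]),
            "dst": f'{m["dst"]}.{m["dport"]}', "seq": int(m["seq"])}


def summarize_rsts(lines):
    """Group bare RSTs by (source host, destination host.port) and collect
    the source ports, sequence-number counts and timestamps seen."""
    groups = defaultdict(lambda: {"ports": set(), "seqs": Counter(), "times": []})
    for line in lines:
        r = parse_rst(line)
        if r is None:
            continue
        g = groups[(r["src"], r["dst"])]
        g["ports"].add(r["sport"])
        g["seqs"][r["seq"]] += 1
        g["times"].append(r["time"])
    return groups


def find_stuck_rst_sources(lines, max_seqs=2, min_ports=3):
    """Flag sources that replay a small fixed set of sequence numbers from
    many source ports. A scanner walking targets would vary far more than
    that; a host resetting connections that no longer exist looks exactly
    like this. Thresholds are assumptions chosen for the sample."""
    hits = []
    for (src, dst), g in summarize_rsts(lines).items():
        if len(g["seqs"]) <= max_seqs and len(g["ports"]) >= min_ports:
            times = sorted(g["times"])
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            hits.append({
                "src": src, "dst": dst,
                "ports": sorted(g["ports"]),
                "seqs": dict(g["seqs"]),
                # median spacing between RSTs; the post's "~12 seconds" was
                # not strictly kept, so report it rather than assume it
                "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
            })
    return hits


if __name__ == "__main__":
    for h in find_stuck_rst_sources(SAMPLE):
        print(f'{h["src"]} -> {h["dst"]}: ports {h["ports"][0]}..{h["ports"][-1]}, '
              f'seqs {h["seqs"]}, median gap {h["median_gap_s"]:.1f}s')
```

On the sample, only `xxx -> yyy.zz` is reported: seven consecutive source ports, exactly two sequence numbers each seen five times, and gaps ranging from milliseconds to over twelve minutes. The single `host-b` RST and the SYN are ignored, which is the point: the signal is the repetition of sequence numbers across ports, not the presence of a RST from an unfamiliar address.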
Current thread:
- odd scans? Scott, Michael R. (May 24)
- Re: odd scans? Kyle R. Hofmann (May 24)
- Re: odd scans? Brett Glass (May 29)
- Re: odd scans? Matt Zimmerman (May 24)
- Re: odd scans? Bamm (Robert) Visscher (May 24)
- <Possible follow-ups>
- RE: odd scans? Smith, Donald (May 26)
- RE: odd scans? Bamm (Robert) Visscher (May 28)
- Re: odd scans? Kyle R. Hofmann (May 24)