Security Incidents
mailing list archives
Re: hungry guys from 203.232.4.4
From: Cortez <coretez () 8THPORT COM>
Date: Thu, 22 Mar 2001 12:34:40 -0500
Here are four packets from the 203.232.4.4 site. I have a whole collection
of them. They are using a list that has been randomized so as to distribute
the overall scan, to appear slow from the destination side and avoid threshold
alarming. The source port and destination are also designed to avoid
filtering rules that may be in place to block outgoing packets on particular
ports.
This type of randomization can be removed using batch analysis over a time
period, removing the time variable and sorting by source-to-destination IP
addresses. Out of the four days of receiving this scan it has not
duplicated port/destination IP packets. This pattern demonstrates that the
scanning software likely takes a complete list and then shuffles the data
with either a random switch or a threshold limit on consecutive hits.
Though the IP addresses are shuffled, the ports visited all occur in a given
delta time period once the first packet appears. This causes a randomness
that will leave small clusters.
There is no consistency in the time, showing that the program is more than
likely running non-stop.
xxxxxxxxxxx (Towards) 06:46:01
SOURCE: 203.232.4.4
DEST: 209.117.173.93
45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX
00 35 00 35 71 cf 34 f3 2b 24 9f 2f 50 03 04 04 eb 9d 00 00
EVENT1: [TCP-FLAGS] (flags=------SF,dp=53,sp=53)
TOS: 00 (consistent)
TOL: 0x0028 (40 bytes, Correct, IP+TCP Header)
ID: 9a 02
FLAGS: 00
FRAG OFF: 00
TTL: 1B (27, Same relative path in all packets)
PROTO: 06 (TCP)
HDR CHCKSUM:
SOURCE IP: 203.232.4.4
SOURCE PORT = DEST PORT
SEQ: Appear Random
ACK: Appear Random
HDR LENGTH: 5, Correct and consistent
FLAGS: Always SYN-FIN
WINDOWS SIZE: 0x0404 (1028) Consistent
CHECKSUM: Appears Correct
xxxxxxxxxxx (Towards) 06:46:14
SOURCE: 203.232.4.4
DEST: 209.117.173.93
45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX
02 03 02 03 06 49 2d 80 5a a0 7a 14 50 03 04 04 50 9a 00 00
EVENT1: [TCP-FLAGS] (flags=------SF,dp=515,sp=515)
xxxxxxxxxxx (Towards) 06:46:25
SOURCE: 203.232.4.4
DEST: 209.117.173.93
45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX
0c 38 0c 38 7e 4c c6 08 1f e0 54 ac 50 03 04 04 8b cc 00 00
EVENT1: [TCP-FLAGS] (flags=------SF,dp=3128,sp=3128)
xxxxxxxxxxx (Towards) 06:46:41
SOURCE: 203.232.4.4
DEST: 209.117.173.93
45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX
00 6f 00 6f 1c 45 00 57 2d 9d 8f b5 50 03 04 04 82 51 00 00
EVENT1: [TCP-FLAGS] (flags=------SF,dp=111,sp=111)
**************** Search results for '203.232.4.4 '
inetnum 203.232.0.0 - 203.232.127.255
netname KORNET
descr Korea Telecom
descr 100 Sejong-no Chongno-gu Seoul, Korea
descr 110-777
country KR
admin-c GC1-AP, inverse
tech-c JK14-AP, inverse
remarks ISP in Korea
changed hostmast () rs krnic net 980707
source APNIC
person Gisu Choi, inverse
address Korea Telecom
address 100 Sejong-no Chongno-gu Seoul, Korea
phone +82 2 766 1407
fax-no +82 2 766 6008
country KR
e-mail mgr () ns kornet nm kr, inverse
nic-hdl GC1-AP, inverse
mnt-by MAINT-NULL, inverse
changed hostmast () rs krnic net 19980702
source APNIC
person Junho Kim, inverse
address Korea Telecom
address 100 Sejong-no Chongno-gu Seoul, Korea
phone +82 2 3673 5611
fax-no +82 2 766 6008
country KR
e-mail ip () ns kornet nm kr, inverse
nic-hdl JK14-AP, inverse
mnt-by MAINT-NULL, inverse
changed hostmast () rs krnic net 19980702
source APNIC
-- Tez
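The batch analysis Tez describes (drop the time axis, group by source-to-destination pair, then look for repeated port/destination hits) can be reproduced directly from the four hex dumps in the post. The following is an added example, not code from the post or from any sensor it mentions. It decodes each dump's IP and TCP headers, verifies the IP and TCP checksums, and summarises the cluster. The only assumption is that the "XX XX XX XX" bytes masked in the dumps are the destination address stated on each DEST line; the checksums confirm that substitution, since both the IP header checksum (b7 0e) and every TCP checksum only verify with that address in place.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Records transcribed from the post: (timestamp, SOURCE, DEST, hex dump).
# The dumps mask the destination bytes as "XX"; the DEST line supplies them
# (an assumption, checked below via the IP and TCP checksums).
RECORDS = [
    ("06:46:01", "203.232.4.4", "209.117.173.93",
     "45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX "
     "00 35 00 35 71 cf 34 f3 2b 24 9f 2f 50 03 04 04 eb 9d 00 00"),
    ("06:46:14", "203.232.4.4", "209.117.173.93",
     "45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX "
     "02 03 02 03 06 49 2d 80 5a a0 7a 14 50 03 04 04 50 9a 00 00"),
    ("06:46:25", "203.232.4.4", "209.117.173.93",
     "45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX "
     "0c 38 0c 38 7e 4c c6 08 1f e0 54 ac 50 03 04 04 8b cc 00 00"),
    ("06:46:41", "203.232.4.4", "209.117.173.93",
     "45 00 00 28 9a 02 00 00 1b 06 b7 0e cb e8 04 04 XX XX XX XX "
     "00 6f 00 6f 1c 45 00 57 2d 9d 8f b5 50 03 04 04 82 51 00 00"),
]

# TCP flag bits, lowest first: FIN SYN RST PSH ACK URG ECE CWR.
TCP_FLAG_NAMES = "FSRPAUEC"


def ones_complement_sum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    """Internet checksum; returns 0 when data already carries a valid checksum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def render_flags(flags):
    """Render like the sensor output in the post, e.g. 0x03 -> '------SF'."""
    return "".join(TCP_FLAG_NAMES[b] if flags & (1 << b) else "-"
                   for b in range(7, -1, -1))


def decode(ts, src, dst, hexdump):
    """Decode one IP+TCP header dump into a dict of the fields the post annotates."""
    dst_bytes = IPv4Address(dst).packed
    raw = bytearray()
    for i, tok in enumerate(hexdump.split()):
        if tok == "XX":                    # masked destination address bytes
            assert 16 <= i < 20, "mask expected only in the IP dst field"
            raw.append(dst_bytes[i - 16])  # substitute the stated DEST (assumption)
        else:
            raw.append(int(tok, 16))
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    ttl, proto = raw[8], raw[9]
    tcp = bytes(raw[ihl:total_len])
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    # TCP pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = (IPv4Address(src).packed + dst_bytes + b"\x00" + bytes([proto])
              + struct.pack("!H", len(tcp)))
    return {
        "ts": ts, "src": src, "dst": dst, "tos": raw[1], "ip_id": ip_id,
        "ttl": ttl, "proto": proto, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": render_flags(flags), "window": window,
        "ip_csum_ok": checksum(bytes(raw[:ihl])) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def batch_analyse(packets):
    """Drop the time variable: group by (src, dst) and summarise the cluster,
    counting repeated (dst, dport) hits so a shuffled full-list scan stands out."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"])].append(p)
    report = {}
    for key, pkts in groups.items():
        pairs = [(p["dst"], p["dport"]) for p in pkts]
        report[key] = {
            "count": len(pkts),
            "ports": sorted(p["dport"] for p in pkts),
            "flags": sorted({p["flags"] for p in pkts}),
            "ttls": sorted({p["ttl"] for p in pkts}),
            "sport_eq_dport": all(p["sport"] == p["dport"] for p in pkts),
            "duplicates": len(pairs) - len(set(pairs)),
            "checksums_ok": all(p["ip_csum_ok"] and p["tcp_csum_ok"] for p in pkts),
        }
    return report


if __name__ == "__main__":
    for key, summary in batch_analyse([decode(*r) for r in RECORDS]).items():
        print(key, summary)
```

Run as-is it prints one cluster for 203.232.4.4 to 209.117.173.93: four SYN-FIN packets with source port equal to destination port, TTL 27 throughout, no repeated port/destination pair, and every checksum valid. Feeding it a longer capture sorted the same way is what turns the "slow" randomised scan back into one obvious group.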