Security Incidents mailing list archives
sunrpc portscan from 204.229.203.2 kcom.edu
From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Wed, 20 Sep 2000 21:18:46 -0400
Hi all,

I just took a look at my logs and found out that a somewhat sophisticated script kiddy is scanning my subnet (and certainly others). He is scanning with SYN/FIN scans very slowly; he took 2 days to scan 11 machines on my subnet. ARIN says that this is coming from Kirksville College of Osteopathic Medicine, so my guess is that they have a cracked box. Emails sent to abuse () westnet net or postmaster () westnet net bounce. I just sent an email to Scott.Gardner () ASU EDU (authority in ARIN's whois); we'll see if he replies.

Here is what snort had to say:

Sep 18 06:35:26 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.102:111
Sep 18 13:05:51 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.120:111
Sep 18 13:27:33 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.121:111
Sep 19 18:00:44 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.200:111
Sep 19 18:22:25 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.201:111
Sep 19 18:44:05 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.202:111
Sep 16 18:25:46 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.2:111
Sep 16 18:47:27 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.3:111
Sep 16 20:14:11 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.7:111
Sep 16 23:07:38 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.15:111
Sep 16 23:29:19 sylvester snort[3270]: SCAN-SYN FIN: 204.229.203.2:111 -> my.net.200.16:111

Log:

[**] SCAN-SYN FIN [**]
09/16-18:25:46.649233 204.229.203.2:111 -> my.net.200.2:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x2C139A3 Ack: 0x2BA432EE Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/16-18:47:27.573114 204.229.203.2:111 -> my.net.200.3:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x7520896C Ack: 0x2B78C70B Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/16-20:14:11.282325 204.229.203.2:111 -> my.net.200.7:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x8128A85 Ack: 0x8D958B5 Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/16-23:07:38.517543 204.229.203.2:111 -> my.net.200.15:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x153001A Ack: 0x10C4E5D3 Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/16-23:29:19.369551 204.229.203.2:111 -> my.net.200.16:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x2140E86E Ack: 0x51BF294 Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/18-06:35:26.047457 204.229.203.2:111 -> my.net.200.102:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x618F9A23 Ack: 0x6C3FB3B2 Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/18-13:05:51.296628 204.229.203.2:111 -> my.net.200.120:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x6F9DE512 Ack: 0x3EF4325B Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/18-13:27:33.204007 204.229.203.2:111 -> my.net.200.121:111
TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x50329290 Ack: 0x3415C8BF Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/19-18:00:44.187205 204.229.203.2:111 -> my.net.200.200:111
TCP TTL:27 TOS:0x0 ID:39426 **SF**** Seq: 0x209FE250 Ack: 0x102D0F7A Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/19-18:22:25.062461 204.229.203.2:111 -> my.net.200.201:111
TCP TTL:27 TOS:0x0 ID:39426 **SF**** Seq: 0x52DD0567 Ack: 0xFE89529 Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN-SYN FIN [**]
09/19-18:44:05.986954 204.229.203.2:111 -> my.net.200.202:111
TCP TTL:27 TOS:0x0 ID:39426 **SF**** Seq: 0x3322F87F Ack: 0x49833FD Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Let's try passive IP fingerprinting (yeah, I got nothing to do..):

Win: 1028
TTL: 27, 20: hum, strange
DF: no
TOS: 0

And the winner looks like Windows! Okay, this is really a script kiddy... 8-P

GFK's
--
http://logidac.com
Guillaume Filion (GFK's)
Logidac Technologies, Québec, Canada
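As an added example (not part of the original post, and not snort's own code), a small Python parser for the snort 1.x alert format quoted above that extracts the fields the poster reads off by hand: the SYN+FIN flag combination, the IP ID repeated across probes, TTL and window values, and the gaps between probes that make this a slow scan. The sample input is constructed from three of the alerts in the post, with the obfuscated my.net destinations kept as-is.

```python
import re
from datetime import datetime

# Constructed sample in the snort alert format quoted in the post (3 of its alerts; destinations kept obfuscated).
SAMPLE_ALERTS = """\
[**] SCAN-SYN FIN [**] 09/16-18:25:46.649233 204.229.203.2:111 -> my.net.200.2:111 TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x2C139A3 Ack: 0x2BA432EE Win: 0x404
[**] SCAN-SYN FIN [**] 09/16-18:47:27.573114 204.229.203.2:111 -> my.net.200.3:111 TCP TTL:20 TOS:0x0 ID:39426 **SF**** Seq: 0x7520896C Ack: 0x2B78C70B Win: 0x404
[**] SCAN-SYN FIN [**] 09/19-18:00:44.187205 204.229.203.2:111 -> my.net.200.200:111 TCP TTL:27 TOS:0x0 ID:39426 **SF**** Seq: 0x209FE250 Ack: 0x102D0F7A Win: 0x404
"""

# One alert on one line; the 8-char flag field is captured whole so the check below works for any snort flag order.
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\] (?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+) (?P<flags>[*12UAPRSF]{8}) "
    r".*?Win: (?P<win>0x[0-9A-Fa-f]+)"
)

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip separators and anything that is not an alert line
        d = m.groupdict()
        # snort timestamps carry no year; strptime defaults to 1900, which is fine for time deltas
        d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
        for k in ("sport", "dport", "ttl", "ipid"):
            d[k] = int(d[k])
        d["win"] = int(d["win"], 16)  # 0x404 -> 1028, the value the post fingerprints on
        alerts.append(d)
    return alerts

def summarize(alerts):
    ts = sorted(a["ts"] for a in alerts)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return {
        "sources": sorted({a["src"] for a in alerts}),
        "targets": len({a["dst"] for a in alerts}),
        "dports": sorted({a["dport"] for a in alerts}),
        # SYN and FIN set together never occur in a legitimate TCP handshake
        "syn_fin": all("S" in a["flags"] and "F" in a["flags"] for a in alerts),
        # the same IP ID on probes days apart means crafted packets, not a real stack
        "ip_id_constant": len({a["ipid"] for a in alerts}) == 1,
        "ttls": sorted({a["ttl"] for a in alerts}),
        "wins": sorted({a["win"] for a in alerts}),
        "min_gap_s": min(gaps) if gaps else None,  # smallest interval between probes
        "span_s": (ts[-1] - ts[0]).total_seconds() if ts else 0.0,
    }
```

Running `summarize(parse_alerts(SAMPLE_ALERTS))` on the three sample alerts reports a single source, three targets on port 111, SYN+FIN on every probe, a constant IP ID, TTLs 20 and 27, a window of 1028, and over twenty minutes between consecutive probes.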
Current thread:
- sunrpc portscan from 204.229.203.2 kcom.edu Guillaume Filion (Sep 21)
- <Possible follow-ups>
- Re: sunrpc portscan from 204.229.203.2 kcom.edu H Carvey (Sep 22)
