Security Incidents mailing list archives

Re(2): Help with an odd log file...


From: Ken Eichman <keichman () cas org>
Date: Mon, 9 Jun 2003 12:11:11 -0400 (EDT)

I began noticing this "random" packet activity during the last week of May,
and sent a note to CERT on 5/29. What I'm seeing is a one-to-one relationship
between most source IP/port and destination IP/port packets. However, from a few
source IPs there is a one-to-many source-to-destination relationship. What is
interesting is that the exact same packets (sent from a one-to-many source) also
show up from a one-to-one source. I.e., 151.11.190.23 and 133.220.162.119 are
one-to-one sources, and 24.118.114.71 is a one-to-many source:

Date       Time     TCP Seq# Source Address  Port     Target Address  Port
05/29/2003 02:54:01 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 03:10:15 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 06:10:23 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 06:10:53 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 06:57:16 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 07:34:44 4E4CC713 24.118.114.71   25886 -> XXX.XX.1.251   24141
05/29/2003 07:46:45 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 09:44:14 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141
05/29/2003 13:14:58 4E4CC713 151.11.190.23   25886 -> XXX.XX.1.251   24141

Date       Time     TCP Seq# Source Address   Port     Target Address  Port
05/29/2003 01:51:38 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 04:45:23 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 05:00:56 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 08:03:52 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 09:26:24 4AE14A35 24.118.114.71    24190 -> XXX.XX.101.195 29888
05/29/2003 09:38:56 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 11:05:52 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 11:43:30 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888
05/29/2003 13:38:50 4AE14A35 133.220.162.119  24190 -> XXX.XX.101.195 29888

Date       Time     TCP Seq# Source Address Port    Target Address  Port
05/29/2003 05:57:29 D5A3071E 24.118.114.71  2538 -> XXX.XX.114.255  49961
05/29/2003 06:03:25 41956321 24.118.114.71  20718 -> XXX.XX.109.63  4187
05/29/2003 06:03:53 5CFA533B 24.118.114.71  29026 -> XXX.XX.194.108  40519
05/29/2003 06:08:40 5A726357 24.118.114.71  60991 -> XXX.XX.247.55  56598
05/29/2003 06:15:57 F1E1FEAB 24.118.114.71  9997 -> XXX.XX.240.152  47417
05/29/2003 06:28:38 8ABCF738 24.118.114.71  20822 -> XXX.XX.129.210  16730
05/29/2003 06:29:49 97FB428B 24.118.114.71  28706 -> XXX.XX.121.129  9987
05/29/2003 06:30:22 43BD0FEB 24.118.114.71  4133 -> XXX.XX.205.32  28789
05/29/2003 06:30:35 B869A537 24.118.114.71  45387 -> XXX.XX.115.132  31733
05/29/2003 06:44:15 300E57D 24.118.114.71  44483 -> XXX.XX.82.132  11984
05/29/2003 07:03:42 DFD2ABFB 24.118.114.71  48202 -> XXX.XX.234.114  5076
05/29/2003 07:07:02 7A8CE2CC 24.118.114.71  25213 -> XXX.XX.25.27  60786
05/29/2003 07:09:44 F5CBEF9 24.118.114.71  8627 -> XXX.XX.201.206  5423
05/29/2003 07:13:09 15D1640 24.118.114.71  24543 -> XXX.XX.247.36  6853
05/29/2003 07:20:16 C4CA567D 24.118.114.71  23306 -> XXX.XX.60.208  39526
05/29/2003 07:27:17 38827CA8 24.118.114.71  2181 -> XXX.XX.10.48  35124
05/29/2003 07:34:44 4E4CC713 24.118.114.71  25886 -> XXX.XX.1.251  24141
05/29/2003 07:40:29 DCFD34AD 24.118.114.71  18589 -> XXX.XX.140.100  17423
05/29/2003 07:42:09 EDDC48AB 24.118.114.71  23431 -> XXX.XX.51.2  1561
05/29/2003 07:43:07 190779F8 24.118.114.71  40084 -> XXX.XX.93.87  41864
05/29/2003 07:47:22 5B81F638 24.118.114.71  2612 -> XXX.XX.83.253  44231
05/29/2003 07:50:45 356511C8 24.118.114.71  7851 -> XXX.XX.32.127  3696
05/29/2003 07:52:23 26DFBD4C 24.118.114.71  19327 -> XXX.XX.86.3  56459
05/29/2003 07:54:47 4A911F4E 24.118.114.71  43070 -> XXX.XX.194.161  12178
05/29/2003 08:00:21 65A86341 24.118.114.71  32001 -> XXX.XX.180.49  25795
05/29/2003 08:00:38 DE844A88 24.118.114.71  26637 -> XXX.XX.134.160  42131
05/29/2003 08:05:06 88D4A8D6 24.118.114.71  12839 -> XXX.XX.251.235  62720
05/29/2003 08:06:06 E126DEE7 24.118.114.71  48685 -> XXX.XX.116.222  22370
05/29/2003 08:27:05 3743AF56 24.118.114.71  53435 -> XXX.XX.2.35  60068
05/29/2003 08:33:25 105F811C 24.118.114.71  64651 -> XXX.XX.221.117  35672
05/29/2003 08:42:16 96DC2BDD 24.118.114.71  14954 -> XXX.XX.83.32  4960
05/29/2003 08:45:04 456DD9B 24.118.114.71  54565 -> XXX.XX.104.62  13647
05/29/2003 08:46:34 116F092B 24.118.114.71  21331 -> XXX.XX.90.82  58567
05/29/2003 08:48:34 F1B17406 24.118.114.71  54592 -> XXX.XX.146.197  59874
05/29/2003 08:48:55 33B6C200 24.118.114.71  50594 -> XXX.XX.47.13  41173
05/29/2003 08:50:46 663F481C 24.118.114.71  45481 -> XXX.XX.119.84  62644
05/29/2003 08:55:06 79557574 24.118.114.71  56763 -> XXX.XX.3.137  46403
05/29/2003 08:58:14 2A2E0F 24.118.114.71  1487 -> XXX.XX.212.19  60113
05/29/2003 09:10:01 CA20FA3 24.118.114.71  56489 -> XXX.XX.95.205  34095
05/29/2003 09:10:34 CEC1EE6C 24.118.114.71  33815 -> XXX.XX.64.38  38416
05/29/2003 09:11:45 C866877F 24.118.114.71  19616 -> XXX.XX.185.95  46190
05/29/2003 09:17:00 1DD996BD 24.118.114.71  17281 -> XXX.XX.169.40  9518
05/29/2003 09:21:37 58F4C371 24.118.114.71  17322 -> XXX.XX.52.221  35834
05/29/2003 09:22:52 5843AA36 24.118.114.71  34719 -> XXX.XX.4.92  18034
05/29/2003 09:26:24 4AE14A35 24.118.114.71  24190 -> XXX.XX.101.195  29888
05/29/2003 09:32:53 B24A4779 24.118.114.71  54980 -> XXX.XX.224.35  49977

Over the weekend of 5/31-6/1 I was seeing these packets from 660 unique
source addresses. This has slowly grown to 2200 source addresses this
past weekend (6/7-6/8).

All I'm capturing here are empty SYN packets -- sometimes, but rarely
followed by a RST:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/07-20:32:09.679693 202.232.48.93:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239  Ack: 0x0  Win: 0xDA00  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/08-09:59:20.304527 24.118.114.71:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239  Ack: 0x0  Win: 0xDA00  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/08-09:59:25.782971 24.118.114.71:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:59520 IpLen:20 DgmLen:40
*****R** Seq: 0x202F023A  Ack: 0x202F023A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

On the surface it looks like a slowly spreading worm, but I haven't seen
anything from it besides a lot of TCP background noise.

Ken Eichman                 Senior Scientist
Chemical Abstracts Service  IT Information Security
2540 Olentangy River Road   614-447-3600 ext. 3230
Columbus, OH 43210          keichman () cas org

Subject: RE: Help with an odd log file...
Date: Fri, 6 Jun 2003 10:55:25 -0500
From: "Golden Faron P Contr HQ SSG/SWSN" <Faron.Golden () Gunter AF mil>
To: <sec_slave () hushmail com>, <intrusions () incidents org>,
   <incidents () securityfocus com>

Based on observations here, the strange packets are showing up
everywhere.  Try running a capture that triggers on Window Size of 55808
and see what you find... Have been seeing a steadily increasing flow of
packets like the ones described below. Some interesting things are that
once a random source sends a SYN packet from a random port to a random
destination on a random host, the packet is repeated at irregular
intervals.  Same source port, same source host, same destination host,
same destination port, same Sequence number, same window size...

Still no explanation.

-----Original Message-----
From: sec_slave () hushmail com [mailto:sec_slave () hushmail com]
Sent: Tuesday, June 03, 2003 4:04 PM
To: intrusions () incidents org; incidents () securityfocus com
Subject: Help with an odd log file...




Hello.

I am looking for some assistance in trying to identify the nature of
a suspected scan/attack against my corporate network.

The scan/attack includes spoofed source addresses that cover a wide range
of IP networks.  There is also a relationship between source and
destination addresses and ports for each entry.  Each combination of
address and port information appears between 3 and 8 times, all trickled
in over a 3 day period.  Normally, something like this might be identified
as a TCP SYN SCAN, but the traffic is coming in too slowly and the
destination ports are all upper level ports (as you can see).

The pattern is one with which I am not familiar and would appreciate
your assistance in identifying.

Thnx,


Sorted by source IP:

Date/Time        Source IP/Port         Dest IP/Port
May 25 13:53:48  2.66.161.64:55518      XX6.X37.153.7:61323

< snip. >

Captured Frame Sample:

< snip.>

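A small detector for the pattern Ken's tables and Faron's window-size hint both describe, added here as an example and not code from anyone in the thread: it parses alert records in the format quoted above (a constructed sample; the masked XXX.XX targets are replaced with documentation addresses), keeps SYN-only packets carrying the 55808 window, and reports the same probe arriving from more than one source as well as sources that probe many distinct targets.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort alert format quoted above; the masked XXX.XX
# targets are replaced with RFC 5737 documentation addresses (192.0.2.0/24).
SAMPLE = """\
06/07-20:32:09.679693 202.232.48.93:62081 -> 192.0.2.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239  Ack: 0x0  Win: 0xDA00  TcpLen: 32

06/08-09:59:20.304527 24.118.114.71:62081 -> 192.0.2.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239  Ack: 0x0  Win: 0xDA00  TcpLen: 32

06/08-10:14:02.000001 24.118.114.71:25886 -> 192.0.2.251:24141
TCP TTL:113 TOS:0x0 ID:9 IpLen:20 DgmLen:52
******S* Seq: 0x4E4CC713  Ack: 0x0  Win: 0xDA00  TcpLen: 32

06/08-10:20:00.000001 198.51.100.7:40000 -> 192.0.2.142:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
******S* Seq: 0x11223344  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
"""

HDR = re.compile(r"^(\S+) ([^:\s]+):(\d+) -> ([^:\s]+):(\d+)$")
TCP = re.compile(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x[0-9A-Fa-f]+\s+Win: 0x([0-9A-Fa-f]+)")

def parse_alerts(text):
    """One dict per blank-line-separated record; other lines (TTL, options) are skipped."""
    out = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        h = HDR.match(lines[0])
        t = next((m for ln in lines[1:] if (m := TCP.match(ln))), None)
        if h and t:
            out.append({"ts": h[1], "src": h[2], "sport": int(h[3]), "dst": h[4], "dport": int(h[5]),
                        "flags": t[1], "seq": int(t[2], 16), "win": int(t[3], 16)})
    return out

def analyze(records, win=55808):
    """SYN-only packets with window 55808 (0xDA00); the flags check also drops the rare RST."""
    syns = [r for r in records if r["flags"] == "******S*" and r["win"] == win]
    by_probe, by_source = defaultdict(set), defaultdict(set)
    for r in syns:
        by_probe[(r["sport"], r["dst"], r["dport"], r["seq"])].add(r["src"])  # probe -> sources
        by_source[r["src"]].add((r["dst"], r["dport"]))                        # source -> targets
    multi_source = {k: s for k, s in by_probe.items() if len(s) > 1}   # same packet, two sources
    one_to_many = sorted(s for s, t in by_source.items() if len(t) > 1)  # Ken's 24.118.114.71 case
    return len(syns), multi_source, one_to_many
```

Running `analyze(parse_alerts(SAMPLE))` flags the 0x202F0239 probe as seen from both 202.232.48.93 and 24.118.114.71, and 24.118.114.71 as the only one-to-many source, while the ordinary 0xFFFF-window SYN is ignored.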
