Nmap Development mailing list archives
Service Probe Help Needed for mydoom probe
From: Jay Moran <jay () tp org>
Date: Thu, 29 Jan 2004 23:21:03 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I had created a service probe for the mydoom mass mailing worm's backdoor that is installed on infection on various ports (3127/tcp for example) and am getting inconsistent results. Sometimes (no pattern that I can tell) nmap gives this while debugging:

NSOCK (0.0480s) Callback: READ ERROR [Connection reset by peer] for EID 26 [10.4.58.183:3127]

instead of:

NSOCK (0.0490s) Callback: READ SUCCESS for EID 26 [10.4.58.183:3127] (8 bytes): .[......

It is like nmap is getting the RST packet before the actual PSH packet with the response data which is: \x04\x5b\0\0\0\0\0\0. The packets are coming in order according to tcpdump, so I don't understand why sometimes it seems to not see the response and only the RST packet. Any ideas? Think I'm just doing something wrong and I should go investigate more? I've attached the probe that I'm using, a debug'd output of nmap, and the corresponding tcpdump.

Thanks,
Jay

####################### mydoom backdoor PROBE ##########################
Probe TCP mydoom q|\x0d\x0d|
ports 3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| v/mydoom/v012604//

[jay@erwin mydoom]$ nmap -A -sT -P0 -T4 -p3127 --version_trace -vv -d - -d -d 10.4.58.183

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-29 22:34 EST
The max # of sockets we are using is: 0
The first host is 10, and the last one is 10
The first host is 4, and the last one is 4
The first host is 58, and the last one is 58
The first host is 183, and the last one is 183
doing 0.0.0.0 = 10.4.58.183
Host 10.4.58.183 appears to be up ... good.
Starting pos_scan (Connect() Scan)
Initiating Connect() Scan against 10.4.58.183 at 22:34
Sending initial query to port/prog 3127
Ideal number of queries: 30 outstanding: 1 max 1020 ports_left 1 timeout 800000 senddelay: 0us
portnumber 3127 (try 0) selected for WRITE
Timeout vals: srtt: -1 rttvar: -1 to: 800000 delta 14298 ==> srtt: 14298 rttvar: 14298 to: 300000
Adding open port 3127/tcp
Finished round #1. Current stats: numqueries_ideal: 30; min_width: 1; max_width: 1020; packet_incr: 4; senddelay: 0us; fallback: 69%
The Connect() Scan took 0 seconds to scan 1 ports.
Fetchfile found ./nmap-service-probes
Initiating service scan against 1 service on 1 host at 22:34
Starting probes against new service: 10.4.58.183:3127 (tcp)
NSOCK (0.0200s) TCP connection requested to 10.4.58.183:3127 (IOD #1) EID 8
NSOCK (0.0200s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0340s) Callback: CONNECT SUCCESS for EID 8 [10.4.58.183:3127]
NSOCK (0.0340s) Write request for 2 bytes to IOD #1 EID 19 [10.4.58.183:3127]: ..
NSOCK (0.0340s) Read request from IOD #1 [10.4.58.183:3127] (timeout: 5000ms) EID 26
NSOCK (0.0340s) Callback: WRITE SUCCESS for EID 19 [10.4.58.183:3127]
NSOCK (0.0480s) Callback: READ SUCCESS for EID 26 [10.4.58.183:3127] (8 bytes): .[......
Service scan match: 10.4.58.183:3127 is mydoom.  Version: |mydoom|v012604||
The service scan took 0 seconds to scan 1 service on 1 host.
Starting pos_scan (RPCGrind Scan)
Fetchfile found /usr/local/share/nmap/nmap-rpc
Interesting ports on 10.4.58.183:
PORT     STATE SERVICE VERSION
3127/tcp open  mydoom  mydoom v012604
Final times for host: srtt: 14298 rttvar: 14298 to: 300000

Nmap run completed -- 1 IP address (1 host up) scanned in 0.052 seconds

[jay@erwin mydoom]$ nmap -A -sT -P0 -T4 -p3127 --version_trace -vv -d - -d -d 10.4.58.183

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-29 22:34 EST
The max # of sockets we are using is: 0
The first host is 10, and the last one is 10
The first host is 4, and the last one is 4
The first host is 58, and the last one is 58
The first host is 183, and the last one is 183
doing 0.0.0.0 = 10.4.58.183
Host 10.4.58.183 appears to be up ... good.
Starting pos_scan (Connect() Scan)
Initiating Connect() Scan against 10.4.58.183 at 22:34
Sending initial query to port/prog 3127
Ideal number of queries: 30 outstanding: 1 max 1020 ports_left 1 timeout 800000 senddelay: 0us
Ideal number of queries: 30 outstanding: 1 max 1020 ports_left 1 timeout 800000 senddelay: 0us
portnumber 3127 (try 0) selected for WRITE
Timeout vals: srtt: -1 rttvar: -1 to: 800000 delta 14245 ==> srtt: 14245 rttvar: 14245 to: 300000
Adding open port 3127/tcp
Finished round #1. Current stats: numqueries_ideal: 30; min_width: 1; max_width: 1020; packet_incr: 4; senddelay: 0us; fallback: 69%
The Connect() Scan took 0 seconds to scan 1 ports.
Fetchfile found ./nmap-service-probes
Initiating service scan against 1 service on 1 host at 22:34
Starting probes against new service: 10.4.58.183:3127 (tcp)
NSOCK (0.0200s) TCP connection requested to 10.4.58.183:3127 (IOD #1) EID 8
NSOCK (0.0200s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0340s) Callback: CONNECT SUCCESS for EID 8 [10.4.58.183:3127]
NSOCK (0.0340s) Write request for 2 bytes to IOD #1 EID 19 [10.4.58.183:3127]: ..
NSOCK (0.0340s) Read request from IOD #1 [10.4.58.183:3127] (timeout: 5000ms) EID 26
NSOCK (0.0340s) Callback: WRITE SUCCESS for EID 19 [10.4.58.183:3127]
NSOCK (0.0480s) Callback: READ ERROR [Connection reset by peer] for EID 26 [10.4.58.183:3127]
The service scan took 0 seconds to scan 1 service on 1 host.
Starting pos_scan (RPCGrind Scan)
Fetchfile found /usr/local/share/nmap/nmap-rpc
Fetchfile found /usr/local/share/nmap/nmap-services
Interesting ports on 10.4.58.183:
PORT     STATE SERVICE VERSION
3127/tcp open  unknown
Final times for host: srtt: 14245 rttvar: 14245 to: 300000

Nmap run completed -- 1 IP address (1 host up) scanned in 0.058 seconds
[jay@erwin mydoom]$

22:34:23.358697 erwin.46664 > 10.4.58.183.3127: S [tcp sum ok] 1576839834:1576839834(0) win 5840 <mss 1460,sackOK,timestamp 443881373 0,nop,wscale 0> (DF) (ttl 64, id 48391, len 60)
0x0000 4500 003c bd07 4000 4006 4a67 0ab4 e3de E..<..@.@.Jg....
0x0010 0a04 3ab7 b648 0c37 5dfc aa9a 0000 0000 ..:..H.7].......
0x0020 a002 16d0 00c1 0000 0204 05b4 0402 080a ................
0x0030 1a75 179d 0000 0000 0103 0300 .u..........
22:34:23.372563 10.4.58.183.3127 > erwin.46664: S [tcp sum ok] 1183553860:1183553860(0) ack 1576839835 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47188, len 64)
0x0000 4500 0040 b854 4000 7b06 1416 0a04 3ab7 E..@.T@.{.....:.
0x0010 0ab4 e3de 0c37 b648 468b 9944 5dfc aa9b .....7.HF..D]...
0x0020 b012 ffff 57bc 0000 0204 05b4 0103 0300 ....W...........
0x0030 0101 080a 0000 0000 0000 0000 0101 0402 ................
22:34:23.372598 erwin.46664 > 10.4.58.183.3127: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881374 0> (DF) (ttl 64, id 48392, len 52)
0x0000 4500 0034 bd08 4000 4006 4a6e 0ab4 e3de E..4..@.@.Jn....
0x0010 0a04 3ab7 b648 0c37 5dfc aa9b 468b 9945 ..:..H.7]...F..E
0x0020 8010 16d0 4fa4 0000 0101 080a 1a75 179e ....O........u..
0x0030 0000 0000 ....
22:34:23.372930 erwin.46664 > 10.4.58.183.3127: R [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881374 0> (DF) (ttl 64, id 48393, len 52)
0x0000 4500 0034 bd09 4000 4006 4a6d 0ab4 e3de E..4..@.@.Jm....
0x0010 0a04 3ab7 b648 0c37 5dfc aa9b 468b 9945 ..:..H.7]...F..E
0x0020 8014 16d0 4fa0 0000 0101 080a 1a75 179e ....O........u..
0x0030 0000 0000 ....
22:34:23.374352 erwin.46665 > 10.4.58.183.3127: S [tcp sum ok] 1577111135:1577111135(0) win 5840 <mss 1460,sackOK,timestamp 443881375 0,nop,wscale 0> (DF) (ttl 64, id 55744, len 60)
0x0000 4500 003c d9c0 4000 4006 2dae 0ab4 e3de E..<..@.@.-.....
0x0010 0a04 3ab7 b649 0c37 5e00 ce5f 0000 0000 ..:..I.7^.._....
0x0020 a002 16d0 dcf4 0000 0204 05b4 0402 080a ................
0x0030 1a75 179f 0000 0000 0103 0300 .u..........
22:34:23.388088 10.4.58.183.3127 > erwin.46665: S [tcp sum ok] 1183614037:1183614037(0) ack 1577111136 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47189, len 64)
0x0000 4500 0040 b855 4000 7b06 1415 0a04 3ab7 E..@.U@.{.....:.
0x0010 0ab4 e3de 0c37 b649 468c 8455 5e00 ce60 .....7.IF..U^..`
0x0020 b012 ffff 48e0 0000 0204 05b4 0103 0300 ....H...........
0x0030 0101 080a 0000 0000 0000 0000 0101 0402 ................
22:34:23.388118 erwin.46665 > 10.4.58.183.3127: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881376 0> (DF) (ttl 64, id 55745, len 52)
0x0000 4500 0034 d9c1 4000 4006 2db5 0ab4 e3de E..4..@.@.-.....
0x0010 0a04 3ab7 b649 0c37 5e00 ce60 468c 8456 ..:..I.7^..`F..V
0x0020 8010 16d0 40c6 0000 0101 080a 1a75 17a0 ....@........u..
0x0030 0000 0000 ....
22:34:23.388499 erwin.46665 > 10.4.58.183.3127: P [tcp sum ok] 1:3(2) ack 1 win 5840 <nop,nop,timestamp 443881376 0> (DF) (ttl 64, id 55746, len 54)
0x0000 4500 0036 d9c2 4000 4006 2db2 0ab4 e3de E..6..@.@.-.....
0x0010 0a04 3ab7 b649 0c37 5e00 ce60 468c 8456 ..:..I.7^..`F..V
0x0020 8018 16d0 33af 0000 0101 080a 1a75 17a0 ....3........u..
0x0030 0000 0000 0d0d ......
22:34:23.402217 10.4.58.183.3127 > erwin.46665: P [tcp sum ok] 1:9(8) ack 3 win 65533 <nop,nop,timestamp 5306543 443881376> (DF) (ttl 123, id 47190, len 60)
0x0000 4500 003c b856 4000 7b06 1418 0a04 3ab7 E..<.V@.{.....:.
0x0010 0ab4 e3de 0c37 b649 468c 8456 5e00 ce62 .....7.IF..V^..b
0x0020 8018 fffd 5a2b 0000 0101 080a 0050 f8af ....Z+.......P..
0x0030 1a75 17a0 045b 0000 0000 0000 .u...[......
22:34:23.402246 erwin.46665 > 10.4.58.183.3127: . [tcp sum ok] 3:3(0) ack 9 win 5840 <nop,nop,timestamp 443881377 5306543> (DF) (ttl 64, id 55747, len 52)
0x0000 4500 0034 d9c3 4000 4006 2db3 0ab4 e3de E..4..@.@.-.....
0x0010 0a04 3ab7 b649 0c37 5e00 ce62 468c 845e ..:..I.7^..bF..^
0x0020 8010 16d0 47bb 0000 0101 080a 1a75 17a1 ....G........u..
0x0030 0050 f8af .P..
22:34:23.402495 10.4.58.183.3127 > erwin.com.46665: R [tcp sum ok] 1183614046:1183614046(0) win 0 (DF) (ttl 123, id 47191, len 40)
0x0000 4500 0028 b857 4000 7b06 142b 0a04 3ab7 E..(.W@.{..+..:.
0x0010 0ab4 e3de 0c37 b649 468c 845e 5e00 ce62 .....7.IF..^^..b
0x0020 5004 0000 c2c4 0000 0000 0000 0000 P.............
22:34:23.415766 10.4.58.183.3127 > erwin.46665: R [tcp sum ok] 1183614046:1183614046(0) win 0 (ttl 123, id 47192, len 40)
0x0000 4500 0028 b858 0000 7b06 542a 0a04 3ab7 E..(.X..{.T*..:.
0x0010 0ab4 e3de 0c37 b649 468c 845e 468c 845e .....7.IF..^F..^
0x0020 5004 0000 243d 0000 0000 0000 0000 P...$=........
22:34:27.574157 erwin.46666 > 10.4.58.183.3127: S [tcp sum ok] 1575460118:1575460118(0) win 5840 <mss 1460,sackOK,timestamp 443881794 0,nop,wscale 0> (DF) (ttl 64, id 33876, len 60)
0x0000 4500 003c 8454 4000 4006 831a 0ab4 e3de E..<.T@.@.......
0x0010 0a04 3ab7 b64a 0c37 5de7 9d16 0000 0000 ..:..J.7].......
0x0020 a002 16d0 0cb3 0000 0204 05b4 0402 080a ................
0x0030 1a75 1942 0000 0000 0103 0300 .u.B........
22:34:27.587984 10.4.58.183.3127 > erwin.46666: S [tcp sum ok] 1184708402:1184708402(0) ack 1575460119 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47215, len 64)
0x0000 4500 0040 b86f 4000 7b06 13fb 0a04 3ab7 E..@.o@.{.....:.
0x0010 0ab4 e3de 0c37 b64a 469d 3732 5de7 9d17 .....7.JF.72]...
0x0020 b012 ffff c753 0000 0204 05b4 0103 0300 .....S..........
0x0030 0101 080a 0000 0000 0000 0000 0101 0402 ................
22:34:27.588018 erwin.46666 > 10.4.58.183.3127: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881796 0> (DF) (ttl 64, id 33877, len 52)
0x0000 4500 0034 8455 4000 4006 8321 0ab4 e3de E..4.U@.@..!....
0x0010 0a04 3ab7 b64a 0c37 5de7 9d17 469d 3733 ..:..J.7]...F.73
0x0020 8010 16d0 bd95 0000 0101 080a 1a75 1944 .............u.D
0x0030 0000 0000 ....
22:34:27.588342 erwin.46666 > 10.4.58.183.3127: R [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881796 0> (DF) (ttl 64, id 33878, len 52)
0x0000 4500 0034 8456 4000 4006 8320 0ab4 e3de E..4.V@.@.......
0x0010 0a04 3ab7 b64a 0c37 5de7 9d17 469d 3733 ..:..J.7]...F.73
0x0020 8014 16d0 bd91 0000 0101 080a 1a75 1944 .............u.D
0x0030 0000 0000 ....
22:34:27.589755 erwin.46667 > 10.4.58.183.3127: S [tcp sum ok] 1573311783:1573311783(0) win 5840 <mss 1460,sackOK,timestamp 443881796 0,nop,wscale 0> (DF) (ttl 64, id 52323, len 60)
0x0000 4500 003c cc63 4000 4006 3b0b 0ab4 e3de E..<.c@.@.;.....
0x0010 0a04 3ab7 b64b 0c37 5dc6 d527 0000 0000 ..:..K.7]..'....
0x0020 a002 16d0 d4bf 0000 0204 05b4 0402 080a ................
0x0030 1a75 1944 0000 0000 0103 0300 .u.D........
22:34:27.603548 10.4.58.183.3127 > erwin.46667: S [tcp sum ok] 1184773866:1184773866(0) ack 1573311784 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47217, len 64)
0x0000 4500 0040 b871 4000 7b06 13f9 0a04 3ab7 E..@.q@.{.....:.
0x0010 0ab4 e3de 0c37 b64b 469e 36ea 5dc6 d528 .....7.KF.6.]..(
0x0020 b012 ffff 8fa9 0000 0204 05b4 0103 0300 ................
0x0030 0101 080a 0000 0000 0000 0000 0101 0402 ................
22:34:27.603578 erwin.46667 > 10.4.58.183.3127: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881797 0> (DF) (ttl 64, id 52324, len 52)
0x0000 4500 0034 cc64 4000 4006 3b12 0ab4 e3de E..4.d@.@.;.....
0x0010 0a04 3ab7 b64b 0c37 5dc6 d528 469e 36eb ..:..K.7]..(F.6.
0x0020 8010 16d0 85ea 0000 0101 080a 1a75 1945 .............u.E
0x0030 0000 0000 ....
22:34:27.603934 erwin.46667 > 10.4.58.183.3127: P [tcp sum ok] 1:3(2) ack 1 win 5840 <nop,nop,timestamp 443881797 0> (DF) (ttl 64, id 52325, len 54)
0x0000 4500 0036 cc65 4000 4006 3b0f 0ab4 e3de E..6.e@.@.;.....
0x0010 0a04 3ab7 b64b 0c37 5dc6 d528 469e 36eb ..:..K.7]..(F.6.
0x0020 8018 16d0 78d3 0000 0101 080a 1a75 1945 ....x........u.E
0x0030 0000 0000 0d0d ......
22:34:27.617637 10.4.58.183.3127 > erwin.46667: P [tcp sum ok] 1:9(8) ack 3 win 65533 <nop,nop,timestamp 5306585 443881797> (DF) (ttl 123, id 47218, len 60)
0x0000 4500 003c b872 4000 7b06 13fc 0a04 3ab7 E..<.r@.{.....:.
0x0010 0ab4 e3de 0c37 b64b 469e 36eb 5dc6 d52a .....7.KF.6.]..*
0x0020 8018 fffd 9f25 0000 0101 080a 0050 f8d9 .....%.......P..
0x0030 1a75 1945 045b 0000 0000 0000 .u.E.[......
22:34:27.617667 erwin.46667 > 10.4.58.183.3127: . [tcp sum ok] 3:3(0) ack 9 win 5840 <nop,nop,timestamp 443881799 5306585> (DF) (ttl 64, id 52326, len 52)
0x0000 4500 0034 cc66 4000 4006 3b10 0ab4 e3de E..4.f@.@.;.....
0x0010 0a04 3ab7 b64b 0c37 5dc6 d52a 469e 36f3 ..:..K.7]..*F.6.
0x0020 8010 16d0 8cb4 0000 0101 080a 1a75 1947 .............u.G
0x0030 0050 f8d9 .P..
22:34:27.617833 10.4.58.183.3127 > erwin.46667: R [tcp sum ok] 1184773875:1184773875(0) win 0 (DF) (ttl 123, id 47219, len 40)
0x0000 4500 0028 b873 4000 7b06 140f 0a04 3ab7 E..(.s@.{.....:.
0x0010 0ab4 e3de 0c37 b64b 469e 36f3 5dc6 d52a .....7.KF.6.]..*
0x0020 5004 0000 098e 0000 0000 0000 0000 P.............
22:34:27.631227 10.4.58.183.3127 > erwin.46667: R [tcp sum ok] 1184773875:1184773875(0) win 0 (ttl 123, id 47220, len 40)
0x0000 4500 0028 b874 0000 7b06 540e 0a04 3ab7 E..(.t..{.T...:.
0x0010 0ab4 e3de 0c37 b64b 469e 36f3 469e 36f3 .....7.KF.6.F.6.
0x0020 5004 0000 beed 0000 0000 0000 0000 P.............

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAGdu0zbg5T540J6ARAuawAJsG7DkuOvqdpWHOWmeGi1DkFWTwbgCfTfw1
0PxyPjNdIiNG6cmnklJiTy4=
=ika/
-----END PGP SIGNATURE-----
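The following Python is an added example, not code from the original post or from the Nmap project. It reads the mydoom probe quoted in the post in nmap-service-probes syntax (Probe, ports and match lines only; it is not a reader for the full file format), applies the match regex and its v/product/version/info/ template to constructed responses, including the empty read that corresponds to the READ ERROR case, and tallies READ SUCCESS against READ ERROR callbacks per target over --version_trace lines. The response bytes and trace lines are constructed from what the post shows; the function names are this example's own.

```python
"""Added example: read the mydoom probe (nmap-service-probes syntax), apply it to
constructed responses, and tally READ outcomes from --version_trace lines."""
import re
from dataclasses import dataclass, field

# The probe definition from the post, copied here so the script runs offline.
PROBE_TEXT = r"""
Probe TCP mydoom q|\x0d\x0d|
ports 3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| v/mydoom/v012604//
"""

# Constructed trace lines modelled on the two nsock callbacks quoted in the post.
TRACE_LINES = [
    "NSOCK (0.0480s) Callback: READ SUCCESS for EID 26 [10.4.58.183:3127] (8 bytes): .[......",
    "NSOCK (0.0480s) Callback: READ ERROR [Connection reset by peer] for EID 26 [10.4.58.183:3127]",
]

@dataclass
class Probe:
    proto: str
    name: str
    payload: bytes
    ports: set = field(default_factory=set)
    matches: list = field(default_factory=list)  # (service, regex, product, version)

def unescape(s: str) -> bytes:
    """Expand the C-style escapes (\\xHH, \\0, \\r, \\n, \\\\) used in probe strings."""
    return s.encode("latin-1").decode("unicode_escape").encode("latin-1")

def parse_ports(spec: str) -> set:
    """'3127-3198,80' -> {3127, ..., 3198, 80}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _delimited(rest: str):
    """Split 'q|payload| trailing' into (payload, trailing); the char after q/m is the delimiter."""
    delim = rest[1]
    end = rest.index(delim, 2)
    return rest[2:end], rest[end + 1:]

def parse_probes(text: str) -> list:
    """Minimal reader for Probe / ports / match lines (enough for this probe file)."""
    probes = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, proto, name, rest = line.split(None, 3)
            payload, _ = _delimited(rest)
            probes.append(Probe(proto, name, unescape(payload)))
        elif line.startswith("ports "):
            probes[-1].ports = parse_ports(line[6:])
        elif line.startswith(("match ", "softmatch ")):
            _, service, rest = line.split(None, 2)
            pattern, rest = _delimited(rest)
            flags = 0
            while rest and rest[0] in "is":  # optional Perl-style flags i / s
                flags |= re.I if rest[0] == "i" else re.S
                rest = rest[1:]
            # version template: v/product/version/info/ (info ignored here)
            vm = re.search(r"\bv/([^/]*)/([^/]*)/", rest)
            product, version = vm.groups() if vm else ("", "")
            regex = re.compile(pattern.encode("latin-1"), flags)
            probes[-1].matches.append((service, regex, product, version))
    return probes

def classify(probe: Probe, port: int, response: bytes):
    """Outcome for one response: matched service, unknown banner, or no data at all."""
    if port not in probe.ports:
        return ("not-probed", None)
    if not response:
        # The failing runs in the post: the peer's RST was reported before any bytes.
        return ("no-response", None)
    for service, regex, product, version in probe.matches:
        if regex.search(response):
            return ("match", (service, product, version))
    return ("unknown", None)

NSOCK_READ = re.compile(
    r"Callback: READ (SUCCESS|ERROR)(?: \[([^\]]*)\])? for EID \d+ \[([\d.]+:\d+)\]")

def summarize_trace(lines) -> dict:
    """Tally READ SUCCESS / READ ERROR per target so a flapping probe stands out."""
    tally = {}
    for line in lines:
        hit = NSOCK_READ.search(line)
        if not hit:
            continue
        outcome, err, target = hit.groups()
        t = tally.setdefault(target, {"success": 0, "error": 0, "errors": set()})
        if outcome == "SUCCESS":
            t["success"] += 1
        else:
            t["error"] += 1
            t["errors"].add(err)
    return tally

if __name__ == "__main__":
    probe = parse_probes(PROBE_TEXT)[0]
    print(classify(probe, 3127, b"\x04[\x00\x00\x00\x00\x00\x00"))  # match
    print(classify(probe, 3127, b""))                                 # no-response
    print(summarize_trace(TRACE_LINES))
```

Run stand-alone, the script reports the match tuple for the 8-byte response, "no-response" for an empty read, and a per-target tally of one success and one reset for 10.4.58.183:3127. Feeding summarize_trace a full --version_trace log from repeated runs is the quickest way to see how often a given host flaps between the two outcomes before changing the probe itself.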
