[Snort-users] Very interesting packet

Lance Spitzner lance at ...185...
Fri Jul 28 16:45:18 EDT 2000


Found a system in Korea sequentially scanning all of
my systems on port 138, UDP.  What is the purpose of this
packet? This was reported as IDS181, but I highly doubt
that is what the packet is for.  Any ideas?

1.  Lots of NOOPs, but is this exploit code for NT?

2.  Read the ASCII in the beginning of the packets.

     IF PROBE IS SUCCESSFUL WE WILL GET ICMP BACK

3. If not exploit code, are they trying to determine what
   systems are up?  If so, this does NOT make sense.  Windows
   systems by default listen on port 138.  So there would
   be no ICMP error message back.  This scan would only work
   for Unix systems not listening on port 138.

Okay gurus, what do you think this is?

Thanks!

07/20-04:16:00.101120 158.44.116.211:1025 -> 172.16.1.103:138
UDP TTL:120 TOS:0x0 ID:29702 
Len: 520
81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43  ...D EFEMEJFEEFC
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43  ACACACACACACACAC
41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46  ACACA. CKFDENECF
44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43  DEFFCFGEFFCCACAC
41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49  ACACACA.IFPROBEI
53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C  SSUCCESSFULWEWIL
4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90  LGETICMPBACK....
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
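Added example, not part of Lance's post: a decoder for the two first-level encoded NetBIOS names at the front of the dump. It treats the first four bytes as the RFC 1002 session-request layout (type 0x81, flags, 16-bit length, then called and calling names), which is what these bytes match: the length field 0x0044 = 68 is exactly two 34-byte encoded names. The bytes are transcribed from the first five dump lines; nothing is assumed about the payload after them.

```python
import struct

# Transcribed from the first five lines of the dump in the post (80 bytes).
PACKET_HEAD = bytes.fromhex(
    "81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43 "
    "41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 "
    "41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46 "
    "44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43 "
    "41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49 "
)


def decode_first_level(encoded: bytes) -> tuple[str, int]:
    """Reverse RFC 1001 first-level encoding: every original byte was split into
    two nibbles and each nibble sent as 'A' + nibble, so 16 bytes become 32
    letters in 'A'..'P'. Returns (name with trailing pad stripped, suffix byte)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # Byte 16 is the NetBIOS suffix (service type), bytes 1-15 the padded name.
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_session_request(pkt: bytes) -> dict:
    """Parse the RFC 1002 session-request header: type, flags, length, then two
    length-prefixed, NUL-terminated encoded names (called name, calling name).
    Whatever follows the names is returned untouched as 'rest'."""
    msg_type, flags, length = struct.unpack("!BBH", pkt[:4])
    pos, names = 4, []
    for _ in range(2):
        n = pkt[pos]
        names.append(decode_first_level(pkt[pos + 1:pos + 1 + n]))
        pos += 1 + n
        if pkt[pos] != 0:
            raise ValueError("encoded name is not NUL-terminated")
        pos += 1
    return {"type": msg_type, "flags": flags, "length": length,
            "names_len": pos - 4, "called": names[0], "calling": names[1],
            "rest": pkt[pos:]}


if __name__ == "__main__":
    hdr = parse_session_request(PACKET_HEAD)
    print(f"type=0x{hdr['type']:02x} length={hdr['length']} "
          f"called={hdr['called']} calling={hdr['calling']}")
    print("payload after names starts with:", hdr["rest"])
```

Only the header and names are decoded here; the asymmetry Lance notes (a UDP probe to a closed port draws an ICMP port-unreachable, one to a listening port 138 draws nothing) is a property of the probe, not of these bytes.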
