[Snort-users] FW: SNORT: snort.alert.2000.11.24.03.00

Guy Bruneau bruneau at ...126...
Fri Nov 24 20:34:01 EST 2000


Jan Muenther wrote:

> Hello there,
>
> > Anyone have ANY idea about what these guys were looking for?  109 appears to
> > be POP2, but are there really any hosts out there still running it?  And why
> > the need for both the source and the destination port 109?  Also, notice how
> > the Seq and Ack numbers are paired...
>
> Although Lance Spitzner is the No. 1 "Guess What Tool" guy, I'd
> guess it's synscan by psychoid:
>
> http://www.psychoid.lam3rz.de/synscan.html
>
> A guy called Joe Stewart has found out the "mystery tool No.11"
> is probably this little thing-o.
> Some remarks are:
>
> source port == dest port
> ID appears to be always 39426
> always SYN-FIN
> Win size always 404 hex (I really wonder whether that's supposed
> to be a joke...)
>
> I've seen a couple of those from 21 to 21 and found out the boxes
> the scans came from were cracked using the (guess what) oh so
> 31337 wuftpd exploit.
>
> I haven't verified the pattern yet, since synscan appears to only
> compile under Linux so far, which I don't really fancy ;o))
> Someone with a bit more time and quicker C skills could just port
> it for kicks.
>
> Cheers, Jan
> --
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
This tool is pretty interesting. Synscan first goes out and verifies that the port is open with a SF packet. If the port is open and it receives a SYN/ACK, it sends a RST packet and drops the connection. It then attempts to reconnect to the port as if it were a legitimate connection. On the initial packet (SF), the ID is set to 39426, the WIN size is set to 1028, the source and destination ports are the same, and the TTL is set to 42.

This is the tool we have all seen scanning networks in the past few months.

Guy
------------
Guy Bruneau

Here are the results of my test:

19:47:01.675588 192.168.30.12.21 > 192.168.30.1.21: SF 276788411:276788411(0) win 1028 (ttl 42, id 39426)
	4500 0028 9a02 0000 2a06 3970 c0a8 1e0c      E..(....*.9p....
	c0a8 1e01 0015 0015 107f 74bb 73fe 6170      ..........t.s.ap
	5003 0404 93ac 0000 0000 0000 0000           P.............
19:47:01.676135 192.168.30.1.21 > 192.168.30.12.21: S 118347159:118347159(0) ack 276788412 win 16080 <mss 536> (DF) (ttl 64, id 46868)
	4500 002c b714 4000 4006 c659 c0a8 1e01      E..,..@.@..Y....
	c0a8 1e0c 0015 0015 070d d597 107f 74bc      ..............t.
	6012 3ed0 3d7a 0000 0204 0218                `.>.=z......
19:47:01.676484 192.168.30.12.21 > 192.168.30.1.21: R 276788412:276788412(0) win 0 (ttl 255, id 541)
	4500 0028 021d 0000 ff06 fc54 c0a8 1e0c      E..(.......T....
	c0a8 1e01 0015 0015 107f 74bc 0000 0000      ..........t.....
	5004 0000 6d1d 0000 0000 0000 0000           P...m.........
19:47:01.713230 192.168.30.12.1025 > 192.168.30.1.21: S 103861736:103861736(0) win 16060 <mss 1460,sackOK,timestamp 47363 0,nop,wscale 0> (DF) (ttl 64, id 544)
	4500 003c 0220 4000 4006 7b3e c0a8 1e0c      E..<. @.@.{>....
	c0a8 1e01 0401 0015 0630 cde8 0000 0000      .........0......
	a002 3ebc baba 0000 0204 05b4 0402 080a      ..>.............
	0000 b903 0000 0000 0103 0300                ............
19:47:01.713355 192.168.30.1.21 > 192.168.30.12.1025: S 117712052:117712052(0) ack 103861737 win 16060 <mss 1460,sackOK,timestamp 488014698 47363,nop,wscale 0> (DF) (ttl 64, id 46871)
	4500 003c b717 4000 4006 c646 c0a8 1e01      E..<..@.@..F....
	c0a8 1e0c 0015 0401 0704 24b4 0630 cde9      ..........$..0..
	a012 3ebc ee70 0000 0204 05b4 0402 080a      ..>..p..........
	1d16 836a 0000 b903 0103 0300                ...j........
19:47:01.713734 192.168.30.12.1025 > 192.168.30.1.21: . ack 1 win 16060 <nop,nop,timestamp 47363 488014698> (DF) (ttl 64, id 545)
	4500 0034 0221 4000 4006 7b45 c0a8 1e0c      E..4.!@.@.{E....
	c0a8 1e01 0401 0015 0630 cde9 0704 24b5      .........0....$.
	8010 3ebc 1d36 0000 0101 080a 0000 b903      ..>..6..........
	1d16 836a                                    ...j
19:47:01.822541 192.168.30.1.3211 > 192.168.30.12.113: S 118162572:118162572(0) win 16060 <mss 1460,sackOK,timestamp 488014709 0,nop,wscale 0> (DF) (ttl 64, id 46876)
	4500 003c b71c 4000 4006 c641 c0a8 1e01      E..<..@.@..A....
	c0a8 1e0c 0c8b 0071 070b 048c 0000 0000      .......q........
	a002 3ebc 92ce 0000 0204 05b4 0402 080a      ..>.............
	1d16 8375 0000 0000 0103 0300                ...u........
19:47:01.822933 192.168.30.12.113 > 192.168.30.1.3211: S 95384845:95384845(0) ack 118162573 win 16060 <mss 1460,sackOK,timestamp 47374 488014709,nop,wscale 0> (DF) (ttl 64, id 546)
	4500 003c 0222 4000 4006 7b3c c0a8 1e0c      E..<."@.@.{<....
	c0a8 1e01 0071 0c8b 05af 750d 070b 048d      .....q....u.....
	a012 3ebc 5ef2 0000 0204 05b4 0402 080a      ..>.^...........
	0000 b90e 1d16 8375 0103 0300                .......u....
19:47:01.823032 192.168.30.1.3211 > 192.168.30.12.113: . ack 1 win 16060 <nop,nop,timestamp 488014709 47374> (DF) (ttl 64, id 46877)
	4500 0034 b71d 4000 4006 c648 c0a8 1e01      E..4..@.@..H....
	c0a8 1e0c 0c8b 0071 070b 048d 05af 750e      .......q......u.
	8010 3ebc 8db7 0000 0101 080a 1d16 8375      ..>............u
	0000 b90e                                    ....
19:47:01.823373 192.168.30.1.3211 > 192.168.30.12.113: P 1:10(9) ack 1 win 16060 <nop,nop,timestamp 488014709 47374> (DF) (ttl 64, id 46878)
	4500 003d b71e 4000 4006 c63e c0a8 1e01      E..=..@.@..>....
	c0a8 1e0c 0c8b 0071 070b 048d 05af 750e      .......q......u.
	8018 3ebc c301 0000 0101 080a 1d16 8375      ..>............u
	0000 b90e 3130 3235 2c32 310d 0a             ....1025,21..
19:47:01.823730 192.168.30.12.113 > 192.168.30.1.3211: . ack 10 win 16060 <nop,nop,timestamp 47374 488014709> (DF) (ttl 64, id 547)
	4500 0034 0223 4000 4006 7b43 c0a8 1e0c      E..4.#@.@.{C....
	c0a8 1e01 0071 0c8b 05af 750e 070b 0496      .....q....u.....
	8010 3ebc 8dae 0000 0101 080a 0000 b90e      ..>.............
	1d16 8375                                    ...u
19:47:02.717524 192.168.30.12.113 > 192.168.30.1.3211: P 1:34(33) ack 10 win 16060 <nop,nop,timestamp 47464 488014709> (DF) (ttl 64, id 552)
	4500 0055 0228 4000 4006 7b1d c0a8 1e0c      E..U.(@.@.{.....
	c0a8 1e01 0071 0c8b 05af 750e 070b 0496      .....q....u.....
	8018 3ebc 8b55 0000 0101 080a 0000 b968      ..>..U.........h
	1d16 8375 3130 3235 202c 2032 3120 3a20      ...u1025 , 21 : 
	5553 4552 4944 203a 2055 4e49 5820 3a72      USERID : UNIX :r
	6f6f 740d 0a                                 oot..
19:47:02.717633 192.168.30.1.3211 > 192.168.30.12.113: . ack 34 win 16060 <nop,nop,timestamp 488014798 47464> (DF) (ttl 64, id 46883)
	4500 0034 b723 4000 4006 c642 c0a8 1e01      E..4.#@.@..B....
	c0a8 1e0c 0c8b 0071 070b 0496 05af 752f      .......q......u/
	8010 3ebc 8cda 0000 0101 080a 1d16 83ce      ..>.............
	0000 b968                                    ...h
19:47:02.717975 192.168.30.12.113 > 192.168.30.1.3211: F 34:34(0) ack 10 win 16060 <nop,nop,timestamp 47464 488014709> (DF) (ttl 64, id 553)
	4500 0034 0229 4000 4006 7b3d c0a8 1e0c      E..4.)@.@.{=....
	c0a8 1e01 0071 0c8b 05af 752f 070b 0496      .....q....u/....
	8011 3ebc 8d32 0000 0101 080a 0000 b968      ..>..2.........h
	1d16 8375                                    ...u
19:47:02.718043 192.168.30.1.3211 > 192.168.30.12.113: . ack 35 win 16060 <nop,nop,timestamp 488014798 47464> (DF) (ttl 64, id 46884)
	4500 0034 b724 4000 4006 c641 c0a8 1e01      E..4.$@.@..A....
	c0a8 1e0c 0c8b 0071 070b 0496 05af 7530      .......q......u0
	8010 3ebc 8cd9 0000 0101 080a 1d16 83ce      ..>.............
	0000 b968                                    ...h
19:47:02.718732 192.168.30.1.3211 > 192.168.30.12.113: F 10:10(0) ack 35 win 16060 <nop,nop,timestamp 488014799 47464> (DF) (ttl 64, id 46885)
	4500 0034 b725 4000 4006 c640 c0a8 1e01      E..4.%@.@..@....
	c0a8 1e0c 0c8b 0071 070b 0496 05af 7530      .......q......u0
	8011 3ebc 8cd7 0000 0101 080a 1d16 83cf      ..>.............
	0000 b968                                    ...h
19:47:02.719066 192.168.30.12.113 > 192.168.30.1.3211: . ack 11 win 16060 <nop,nop,timestamp 47464 488014799> (DF) (ttl 64, id 554)
	4500 0034 022a 4000 4006 7b3c c0a8 1e0c      E..4.*@.@.{<....
	c0a8 1e01 0071 0c8b 05af 7530 070b 0497      .....q....u0....
	8010 3ebc 8cd7 0000 0101 080a 0000 b968      ..>............h
	1d16 83cf                                    ....
19:47:07.729128 192.168.30.1.21 > 192.168.30.12.1025: F 1:1(0) ack 1 win 16060 <nop,nop,timestamp 488015300 47363> (DF) (ttl 64, id 46886)
	4500 0034 b726 4000 4006 c63f c0a8 1e01      E..4.&@.@..?....
	c0a8 1e0c 0015 0401 0704 24b5 0630 cde9      ..........$..0..
	8011 3ebc 1adb 0000 0101 080a 1d16 85c4      ..>.............
	0000 b903                                    ....
19:47:07.729497 192.168.30.12.1025 > 192.168.30.1.21: . ack 2 win 16060 <nop,nop,timestamp 47965 488015300> (DF) (ttl 64, id 556)
	4500 0034 022c 4000 4006 7b3a c0a8 1e0c      E..4.,@.@.{:....
	c0a8 1e01 0401 0015 0630 cde9 0704 24b6      .........0....$.
	8010 3ebc 1881 0000 0101 080a 0000 bb5d      ..>............]
	1d16 85c4                                    ....
19:47:07.747158 192.168.30.12.1025 > 192.168.30.1.21: F 1:1(0) ack 2 win 16060 <nop,nop,timestamp 47966 488015300> (DF) (ttl 64, id 558)
	4500 0034 022e 4000 4006 7b38 c0a8 1e0c      E..4..@.@.{8....
	c0a8 1e01 0401 0015 0630 cde9 0704 24b6      .........0....$.
	8011 3ebc 187f 0000 0101 080a 0000 bb5e      ..>............^
	1d16 85c4                                    ....
19:47:07.747274 192.168.30.1.21 > 192.168.30.12.1025: . ack 2 win 16060 <nop,nop,timestamp 488015301 47966> (DF) (ttl 64, id 46888)
	4500 0034 b728 4000 4006 c63d c0a8 1e01      E..4.(@.@..=....
	c0a8 1e0c 0015 0401 0704 24b6 0630 cdea      ..........$..0..
	8010 3ebc 187e 0000 0101 080a 1d16 85c5      ..>..~..........
	0000 bb5e                                    ...^
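The fingerprint Jan and Guy describe, checked against the raw header bytes of the dump above. This is an added example, not code from the thread or from synscan itself: it decodes the IPv4 and TCP headers with the Python standard library and reports which of the five traits (SYN+FIN, source port equal to destination port, IP ID 39426, window 0x404, TTL 42) a packet shows; the two byte strings are copied from the first (SF) and fourth (normal SYN from port 1025) packets of Guy's trace.

```python
import struct

TCP_FIN, TCP_SYN = 0x01, 0x02
SYNSCAN_IP_ID, SYNSCAN_WIN, SYNSCAN_TTL = 39426, 0x404, 42

# Raw IPv4+TCP header bytes copied from the tcpdump hex dump in this thread.
# First packet: the SYN/FIN probe from 192.168.30.12.21 to 192.168.30.1.21.
SYNSCAN_PROBE = bytes.fromhex(
    "4500 0028 9a02 0000 2a06 3970 c0a8 1e0c"
    "c0a8 1e01 0015 0015 107f 74bb 73fe 6170"
    "5003 0404 93ac 0000 0000 0000 0000")
# Fourth packet: the ordinary SYN from port 1025 that follows the probe.
NORMAL_SYN = bytes.fromhex(
    "4500 003c 0220 4000 4006 7b3e c0a8 1e0c"
    "c0a8 1e01 0401 0015 0630 cde8 0000 0000"
    "a002 3ebc baba 0000 0204 05b4 0402 080a"
    "0000 b903 0000 0000 0103 0300")

def parse_ip_tcp(pkt):
    """Decode the IPv4/TCP header fields the fingerprint relies on."""
    ver_ihl, _tos, _tlen, ip_id, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes; TCP header starts here
    sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
            "flags": off_flags & 0x3F, "win": win}  # low 6 bits: URG ACK PSH RST SYN FIN

def synscan_indicators(fields):
    """Return the synscan traits listed in the thread that this header shows."""
    hits = []
    if (fields["flags"] & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN):
        hits.append("syn+fin")  # SYN and FIN together never occur in a real handshake
    if fields["sport"] == fields["dport"]:
        hits.append("sport==dport")
    if fields["ip_id"] == SYNSCAN_IP_ID:
        hits.append("ip_id=39426")
    if fields["win"] == SYNSCAN_WIN:
        hits.append("win=0x404")
    if fields["ttl"] == SYNSCAN_TTL:  # only reliable on the sender's own LAN, as in
        hits.append("ttl=42")         # Guy's test; every router hop decrements it
    return hits

def is_synscan_probe(pkt):
    """True when the four hop-independent traits all line up; TTL is reported only."""
    hits = set(synscan_indicators(parse_ip_tcp(pkt)))
    return {"syn+fin", "sport==dport", "ip_id=39426", "win=0x404"} <= hits
```

The SYN/FIN and IP ID traits map directly onto Snort's flags:SF; and id:39426; rule options once the pattern has been confirmed on the wire.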