[Snort-users] Strange scan

Corne van Strien strien at ...4609...
Mon Jan 21 06:26:08 EST 2002


Hi,

I guess this might be several things:

Trying to access a rsh daemon using IP spoofing and ISN value guessing, see
http://www.ebcvg.com/files/library/hacking/ip_spoofing.txt

A DoS attack meant for vulnerable RSH daemons.
An example of such a vulnerability:
http://www.securitytracker.com/alerts/2001/Dec/1002930.html

    Kind regards,

    Corne van Strien.

----- Original Message -----
From: "Michael Schwartzkopff" <misch at ...4627...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, January 21, 2002 1:30 PM
Subject: [Snort-users] Strange scan


> Hi,
>
> I get some strange scans for some weeks now. The scans would not stop so I
> decided to investigate it further and did set up some tcpdump. Please see the
> file attached. Can please someone help me to explain the aim of this scan?
> There are some strange things in this scan:
>
> 1) The scan originates from a private IP address, but it is a TCP SYN scan. So
> the scanner wants an answer, but this should be difficult using a private
> source address in the internet.
>
> 2) When he wants to get the answer he should be located somewhere close to
> our net to catch the answer of our system. But the TTL of 241 tells me that he
> is most probably 14 hops (255 - 241) away. That seems to be far for an answer
> to a private IP address.
>
> 3) Can somebody explain what OS is running with those characteristics?
>
> Thanks for any help.
>
>
> --
> Dr. Michael Schwartzkopff
> Multinet GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
>
> Tel: (+49 89) 456 911 50
> Fax: (+49 89) 456 911 21
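
The reasoning in the thread above (private source address, bare SYN, TTL of 241, possible rsh target) can be applied mechanically to a capture. The following is an added example, not part of either message: the sample lines are constructed, the capture is assumed to be taken on an Internet-facing interface, and the sender is assumed to have started from one of the common initial TTLs 64, 128 or 255.

```python
import ipaddress
import re

# Initial TTLs commonly set by IP stacks; the sender's real value is an assumption.
INITIAL_TTLS = (64, 128, 255)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RSH_PORT = 514  # rsh/rshd listens on 514/tcp

# Constructed lines in the style of `tcpdump -n -v` (header and address parts
# joined on one line); they are not the capture attached to the post.
SAMPLE = """\
13:30:01.1 IP (tos 0x0, ttl 241, id 1, proto TCP (6), length 40) 10.1.2.3.1023 > 192.0.2.10.514: Flags [S], seq 100, win 512
13:30:02.1 IP (tos 0x0, ttl 52, id 2, proto TCP (6), length 60) 198.51.100.7.40000 > 192.0.2.10.80: Flags [S], seq 200, win 5840
13:30:03.1 IP (tos 0x0, ttl 241, id 3, proto TCP (6), length 40) 10.1.2.3.1023 > 192.0.2.10.514: Flags [.], ack 1, win 512
"""

PKT = re.compile(r"ttl (\d+).*? (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")


def estimate_hops(ttl):
    """Hops travelled, taking the smallest common initial TTL >= the observed one."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl


def triage(capture_text):
    """Return one finding per bare SYN, noting unroutable sources and rsh targets."""
    findings = []
    for line in capture_text.splitlines():
        m = PKT.search(line)
        if not m or m[6] != "S":  # keep only connection attempts (SYN, no ACK)
            continue
        src = ipaddress.ip_address(m[2])
        findings.append({
            "src": str(src),
            "hops": estimate_hops(int(m[1])),
            # An RFC 1918 source seen from the Internet cannot receive the
            # SYN/ACK, so the address is spoofed or leaked by a broken NAT.
            "unroutable_src": any(src in net for net in RFC1918),
            "rsh_target": int(m[5]) == RSH_PORT,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
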




