Re: odd scans?

From: Kyle R. Hofmann (krh@lemniscate.net)
Date: 05/24/02


To: "Scott, Michael R." <MICHAEL.R.SCOTT@saic.com>
Date: Fri, 24 May 2002 11:21:24 -0700
From: "Kyle R. Hofmann" <krh@lemniscate.net>

On Fri, 24 May 2002 10:16:20 -0700, "Scott, Michael R." wrote:
> Anyone recognize this or have a clue what they're looking for (covert
> channel, root shell) or what tool is responsible? The source and dest ports
> are almost as randomly distributed across the high range as the location of
> the source IPs are across the globe, but notice that the same two ack
> numbers repeat across all the source IPs.

I've seen similar behavior from a misbehaving Linux 2.2.19 system. I don't
know what triggered it, but it began trying to reset connections that weren't
there:

05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0
05:53:51.592544 xxx.62176 > yyy.zz: R 1060356:1060356(0) win 0
06:05:58.786207 xxx.62177 > yyy.zz: R 1060312:1060312(0) win 0
06:06:01.116313 xxx.62177 > yyy.zz: R 1060356:1060356(0) win 0
06:18:21.837972 xxx.62178 > yyy.zz: R 1060312:1060312(0) win 0
06:18:21.854618 xxx.62178 > yyy.zz: R 1060356:1060356(0) win 0
06:26:22.898850 xxx.62179 > yyy.zz: R 1060312:1060312(0) win 0
06:30:26.618631 xxx.62180 > yyy.zz: R 1060356:1060356(0) win 0

It did this for weeks. You can see the outline of a pattern in the excerpt
I've included: Send a RST for each of the two sequence numbers, wait ~12
seconds, increment port number, and try again. It didn't keep very strictly
to the pattern, though, which seems to match your experiences.

The solution for me was to flush and reload the Linux machine's ipchains
rules. I don't have a good guess as to what was going on, but I suspect that
it had to do with firewalling and NAT (the Linux machine in question has some
firewalling rules and does NAT for two machines). It's possible that you're
seeing the same problem, but from someone with a different setup or a
different (but still buggy) kernel.

-- 
Kyle R. Hofmann <krh@lemniscate.net>
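As an added example (not part of the original post or either poster's tooling): a small Python parser for tcpdump lines in the format quoted above that groups bare RSTs by sequence number and reports values replayed from many distinct source ports, which also covers the original question's case where the same numbers recur across many source IPs. The `min_ports` threshold is an assumption of this example.

```python
import re
from collections import defaultdict

# One classic tcpdump TCP line: time src.port > dst.port: FLAGS seq:end(len) win N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\S+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):\d+\((?P<plen>\d+)\)\s+win\s+(?P<win>\d+)"
)

# The ten RST lines quoted in the post above (xxx / yyy.zz are the poster's masking).
SAMPLE = """\
05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0
05:53:51.592544 xxx.62176 > yyy.zz: R 1060356:1060356(0) win 0
06:05:58.786207 xxx.62177 > yyy.zz: R 1060312:1060312(0) win 0
06:06:01.116313 xxx.62177 > yyy.zz: R 1060356:1060356(0) win 0
06:18:21.837972 xxx.62178 > yyy.zz: R 1060312:1060312(0) win 0
06:18:21.854618 xxx.62178 > yyy.zz: R 1060356:1060356(0) win 0
06:26:22.898850 xxx.62179 > yyy.zz: R 1060312:1060312(0) win 0
06:30:26.618631 xxx.62180 > yyy.zz: R 1060356:1060356(0) win 0
"""

def parse_tcpdump(text):
    """Yield one dict per line matching LINE_RE; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "seq", "plen", "win"):
                rec[key] = int(rec[key])
            yield rec

def stray_rst_report(records, min_ports=3):
    """Group bare RSTs (no payload, win 0) by sequence number and return those
    sent from at least min_ports distinct (host, port) pairs.  A real teardown
    carries its own connection's sequence number, so one value replayed from
    many fresh source ports points at a broken stack rather than live sessions."""
    ports_by_seq = defaultdict(set)
    for r in records:
        if "R" in r["flags"] and r["plen"] == 0 and r["win"] == 0:
            ports_by_seq[r["seq"]].add((r["src"], r["sport"]))
    return {seq: sorted(p) for seq, p in ports_by_seq.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for seq, sources in stray_rst_report(parse_tcpdump(SAMPLE)).items():
        print(f"seq {seq} replayed from {len(sources)} source ports: {sources}")
```

On the quoted capture both sequence numbers are flagged, each seen from five different source ports.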

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com