FW: IANA Reserved IP Source scans 55808
From: Taylor, David (ltr_at_nursing.upenn.edu)
Date: 06/20/03
- Previous message: Joe Stewart: "sdbot variant and winsize 55808 activity"
To: "'intrusions@incidents.org'" <intrusions@incidents.org>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Thu, 19 Jun 2003 19:58:37 -0400
I would like to go ahead and resend this email I had sent to
intrusions@incidents on June 4th in the event it may add some helpful info
on this window size 55808 thing.
In the capture below it does in fact show a window size of 55808, but the
only thing I logged during this time was from a single IP address. And if
you look at the payload, it is different from the ones we see now.
Dave
-----Original Message-----
From: Taylor, David
Sent: Wednesday, June 04, 2003 8:58 AM
To: intrusions@incidents.org
Subject: IANA Reserved IP Source scans
Over the last few days I have noticed a system periodically scanning my
network. Has anyone else seen anything like this?
It comes from the same IP, same source port and same destination port. The
scans are sporadic but persistent.
Thanks,
David Taylor
Network Manager
School of Nursing
University of Pennsylvania
http://www.nursing.upenn.edu/otis
TIMESTAMP            SOURCE IP       DEST PORT   COUNT  SOURCE PORT
2003-05-23 17:03:23  58.221.176.240  port=46637  1      37104
2003-05-24 08:31:55  58.221.176.240  port=46637  1      37104
2003-05-24 19:58:07  58.221.176.240  port=46637  1      37104
2003-05-25 04:22:55  58.221.176.240  port=46637  1      37104
2003-05-26 03:33:02  58.221.176.240  port=46637  1      37104
2003-05-27 13:16:46  58.221.176.240  port=46637  1      37104
2003-05-27 17:52:28  58.221.176.240  port=46637  1      37104
2003-05-28 12:03:13  58.221.176.240  port=46637  1      37104
2003-05-28 13:50:25  58.221.176.240  port=46637  1      37104
2003-05-29 11:53:31  58.221.176.240  port=46637  7      37104
2003-05-29 13:27:12  58.221.176.240  port=46637  1      37104
2003-05-29 17:32:02  58.221.176.240  port=46637  2      37104
2003-05-29 19:36:34  58.221.176.240  port=46637  1      37104
2003-05-29 22:11:30  58.221.176.240  port=46637  1      37104
2003-05-29 22:31:36  58.221.176.240  port=46637  1      37104
2003-05-30 03:24:48  58.221.176.240  port=46637  1      37104
2003-05-30 06:49:08  58.221.176.240  port=46637  1      37104
2003-05-30 17:30:17  58.221.176.240  port=46637  1      37104
2003-05-30 20:31:02  58.221.176.240  port=46637  1      37104
2003-06-01 14:07:15  58.221.176.240  port=46637  1      37104
2003-06-01 16:42:56  58.221.176.240  port=46637  1      37104
2003-06-01 19:45:33  58.221.176.240  port=46637  1      37104
2003-06-01 20:44:58  58.221.176.240  port=46637  1      37104
2003-06-02 01:40:13  58.221.176.240  port=46637  1      37104
2003-06-02 09:15:45  58.221.176.240  port=46637  1      37104
2003-06-02 11:03:54  58.221.176.240  port=46637  1      37104
2003-06-02 15:08:13  58.221.176.240  port=46637  1      37104
2003-06-02 16:21:34  58.221.176.240  port=46637  1      37104
2003-06-02 16:57:19  58.221.176.240  port=46637  1      37104
2003-06-02 19:48:18  58.221.176.240  port=46637  1      37104
2003-06-02 20:18:30  58.221.176.240  port=46637  1      37104
2003-06-02 23:09:51  58.221.176.240  port=46637  1      37104
2003-06-03 07:57:01  58.221.176.240  port=46637  3      37104
2003-06-03 11:17:08  58.221.176.240  port=46637  1      37104
2003-06-03 15:06:17  58.221.176.240  port=46637  1      37104
2003-06-03 15:36:21  58.221.176.240  port=46637  1      37104
2003-06-04 08:57:48  58.221.176.240  port=46637  19     37104
Frame 10 (66 bytes on wire, 66 bytes captured)
Arrival Time: Jun 3, 2003 12:20:29.880524000
Time delta from previous packet: 1615.688596000 seconds
Time relative to first packet: 1669.478624000 seconds
Frame Number: 10
Packet Length: 66 bytes
Capture Length: 66 bytes
Ethernet II, Src: 00:30:b6:d1:86:07, Dst: 00:b0:d0:f7:a6:82
Destination: 00:b0:d0:f7:a6:82 (Dell_f7:a6:82)
Source: 00:30:b6:d1:86:07 (Cisco_d1:86:07)
Type: IP (0x0800)
Internet Protocol, Src Addr: 58.221.176.240 (58.221.176.240), Dst Addr: m.y.i.p (m.y.i.p)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0xf380
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 107
Protocol: TCP (0x06)
Header checksum: 0x4f0b (correct)
Source: 58.221.176.240 (58.221.176.240)
Destination: m.y.i.p (m.y.i.p)
Transmission Control Protocol, Src Port: 37104 (37104), Dst Port: 46637 (46637), Seq: 3506558330, Ack: 0, Len: 0
Source port: 37104 (37104)
Destination port: 46637 (46637)
Sequence number: 3506558330
Header length: 32 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 55808
Checksum: 0x9a42 (correct)
Options: (12 bytes)
Maximum segment size: 1460 bytes
NOP
Window scale: 2 (multiply by 4)
NOP
NOP
SACK permitted
0000 00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00 .......0......E.
0010 00 34 f3 80 00 00 6b 06 4f 0b 3a dd b0 f0 82 5b .4....k.O.:....[
0020 9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02 .....-...z......
0030 da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01 ...B............
0040 04 02 ..
Frame 11 (66 bytes on wire, 66 bytes captured)
Arrival Time: Jun 3, 2003 13:13:26.221161000
Time delta from previous packet: 3176.340637000 seconds
Time relative to first packet: 4845.819261000 seconds
Frame Number: 11
Packet Length: 66 bytes
Capture Length: 66 bytes
Ethernet II, Src: 00:30:b6:d1:86:07, Dst: 00:b0:d0:f7:a6:82
Destination: 00:b0:d0:f7:a6:82 (Dell_f7:a6:82)
Source: 00:30:b6:d1:86:07 (Cisco_d1:86:07)
Type: IP (0x0800)
Internet Protocol, Src Addr: 58.221.176.240 (58.221.176.240), Dst Addr: m.y.i.p (m.y.i.p)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0xe5a7
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 105
Protocol: TCP (0x06)
Header checksum: 0x5ee4 (correct)
Source: 58.221.176.240 (58.221.176.240)
Destination: m.y.i.p (m.y.i.p)
Transmission Control Protocol, Src Port: 37104 (37104), Dst Port: 46637 (46637), Seq: 3506558330, Ack: 0, Len: 0
Source port: 37104 (37104)
Destination port: 46637 (46637)
Sequence number: 3506558330
Header length: 32 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 55808
Checksum: 0x9a42 (correct)
Options: (12 bytes)
Maximum segment size: 1460 bytes
NOP
Window scale: 2 (multiply by 4)
NOP
NOP
SACK permitted
0000 00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00 .......0......E.
0010 00 34 e5 a7 00 00 69 06 5e e4 3a dd b0 f0 82 5b .4....i.^.:....[
0020 9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02 .....-...z......
0030 da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01 ...B............
0040 04 02 ..
Frame 12 (66 bytes on wire, 66 bytes captured)
Arrival Time: Jun 3, 2003 13:30:19.245957000
Time delta from previous packet: 1013.024796000 seconds
Time relative to first packet: 5858.844057000 seconds
Frame Number: 12
Packet Length: 66 bytes
Capture Length: 66 bytes
Ethernet II, Src: 00:30:b6:d1:86:07, Dst: 00:b0:d0:f7:a6:82
Destination: 00:b0:d0:f7:a6:82 (Dell_f7:a6:82)
Source: 00:30:b6:d1:86:07 (Cisco_d1:86:07)
Type: IP (0x0800)
Internet Protocol, Src Addr: 58.221.176.240 (58.221.176.240), Dst Addr: m.y.i.p (m.y.i.p)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0xf380
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 116
Protocol: TCP (0x06)
Header checksum: 0x460b (correct)
Source: 58.221.176.240 (58.221.176.240)
Destination: m.y.i.p (m.y.i.p)
Transmission Control Protocol, Src Port: 37104 (37104), Dst Port: 46637 (46637), Seq: 3506558330, Ack: 0, Len: 0
Source port: 37104 (37104)
Destination port: 46637 (46637)
Sequence number: 3506558330
Header length: 32 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 55808
Checksum: 0x9a42 (correct)
Options: (12 bytes)
Maximum segment size: 1460 bytes
NOP
Window scale: 2 (multiply by 4)
NOP
NOP
SACK permitted
0000 00 b0 d0 f7 a6 82 00 30 b6 d1 86 07 08 00 45 00 .......0......E.
0010 00 34 f3 80 00 00 74 06 46 0b 3a dd b0 f0 82 5b .4....t.F.:....[
0020 9f 0f 90 f0 b6 2d d1 01 d5 7a 00 00 00 00 80 02 .....-...z......
0030 da 00 9a 42 00 00 02 04 05 b4 01 03 03 02 01 01 ...B............
0040 04 02 ..
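Editor's added example (not part of David Taylor's message or of Joe Stewart's analysis): a standard-library Python decoder for the three raw frames in the hex dumps above. It parses the Ethernet/IPv4/TCP headers and the TCP option list, recomputes the IP and TCP checksums that Ethereal reported as "(correct)", and then reports the traits the thread is discussing: a bare SYN advertising a window of exactly 55808, the same sequence number 3506558330 in all three probes, and the TTL and IP ID values that differ between them. The packet bytes are copied from the Frame 10, 11 and 12 dumps; the destination host is the poster's redacted address (m.y.i.p), so the report deliberately leaves it out.

```python
"""Decode the Frame 10/11/12 hex dumps from the post and flag the
window-size-55808 SYN signature.  Added example, not code from the
original message.  Only the standard library is used."""
import struct
from collections import Counter

SYN = 0x02

# Raw bytes copied from the three Ethereal hex dumps in the post.
FRAMES = {
    10: bytes.fromhex("00b0d0f7a6820030b6d1860708004500"
                      "0034f38000006b064f0b3addb0f0825b"
                      "9f0f90f0b62dd101d57a000000008002"
                      "da009a420000020405b4010303020101"
                      "0402"),
    11: bytes.fromhex("00b0d0f7a6820030b6d1860708004500"
                      "0034e5a7000069065ee43addb0f0825b"
                      "9f0f90f0b62dd101d57a000000008002"
                      "da009a420000020405b4010303020101"
                      "0402"),
    12: bytes.fromhex("00b0d0f7a6820030b6d1860708004500"
                      "0034f38000007406460b3addb0f0825b"
                      "9f0f90f0b62dd101d57a000000008002"
                      "da009a420000020405b4010303020101"
                      "0402"),
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when data already
    contains a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the (kind, length, data) option list; NOP is 1 byte, EOL ends it."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["wscale"] = body[0]
        elif kind == 4:
            opts["sack_ok"] = True
        else:
            opts["kind%d" % kind] = body
        i += length
    return opts


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    # TCP checksum covers a pseudo-header of src, dst, zero, proto, length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),   # poster's redacted host
        "ip_id": ip_id, "ttl": ttl,
        "ip_csum_ok": internet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "tcp_csum_ok": internet_checksum(pseudo + tcp) == 0,
        "options": parse_tcp_options(tcp[20:doff]),
    }


def is_55808_probe(pkt: dict) -> bool:
    """The signature discussed in the thread: a bare SYN with window 55808."""
    return pkt["flags"] == SYN and pkt["window"] == 55808


def summarize(frames: dict) -> dict:
    """Report what ties the probes together and what varies between them."""
    pkts = {n: parse_frame(f) for n, f in frames.items()}
    seqs = Counter(p["seq"] for p in pkts.values())
    return {
        "hits": [n for n, p in pkts.items() if is_55808_probe(p)],
        "all_checksums_valid": all(p["ip_csum_ok"] and p["tcp_csum_ok"] for p in pkts.values()),
        "repeated_seq": {s: c for s, c in seqs.items() if c > 1},
        "ttls": sorted({p["ttl"] for p in pkts.values()}),
        "ip_ids": sorted({p["ip_id"] for p in pkts.values()}),
    }


if __name__ == "__main__":
    for n, f in FRAMES.items():
        p = parse_frame(f)           # dst intentionally not printed
        print(n, p["src"], p["sport"], "->", p["dport"], "seq", p["seq"],
              "ttl", p["ttl"], "win", p["window"], p["options"])
    print(summarize(FRAMES))
```

Both checksums verify for all three frames, so these were not malformed packets. What the summary makes visible is that a single source reused the same 32-bit sequence number and (for frames 10 and 12) the same IP ID while the TTL moved between 105, 107 and 116; those are the fields to compare against the 55808 traffic other list members were logging.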