Re: 1-to-many port "scan"s?
From: Wojtek Walczak (gminick@hacker.pl)
Date: 12/21/02
- Next message: Wojtek Walczak: "Re: Security of some perl scripts"
- Previous message: Tim Haynes: "Re: Netstat -a shows TONS of SYN_RCVD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Wojtek Walczak <gminick@hacker.pl> Date: Sat, 21 Dec 2002 13:32:15 +0000 (UTC)
On Tue, 26 Nov 2002 16:01:54 +0000, Tim Haynes wrote:
> In the past 24hrs I've experienced some strange phenomena with one source
> IP# apparently emitting a few UDP packets from the same source-port to
> several destination-ports on my box. There are two separate sources
> indicted in the logs; TTLs vary wildly between successive packets, so I'm
> rather suspicious of them all being spoofed (mtr back to these boxes shows
> approximately 10-11 hops from me; the Japanese one is currently suffering a
> seeming infinite routing loop).
>
> Has anyone seen this before? Or know of a particular tool or phenomenon
> that would give rise to this?
No, but it's easy to write one (here using a simple TCP connect() method):
---
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    struct sockaddr_in serv, ja;
    int sockfd, i, on = 1;

    for (i = 1080; i < 1090; i++) {
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd == -1) {
            fprintf(stderr, "socket() error: %s\n", strerror(errno));
            exit(errno);
        }
        /* allow rebinding the same source port even if an earlier
           attempt left a socket in TIME_WAIT */
        setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

        memset(&ja, 0, sizeof(ja));
        ja.sin_family = AF_INET;
        ja.sin_port = htons(31337); /* our source port */
        ja.sin_addr.s_addr = inet_addr("127.0.0.1");
        if (bind(sockfd, (struct sockaddr *)&ja, sizeof(ja)) == -1) {
            fprintf(stderr, "bind() error: %s\n", strerror(errno));
            exit(errno);
        }

        memset(&serv, 0, sizeof(serv));
        serv.sin_family = AF_INET;
        serv.sin_port = htons(i); /* dst port == i */
        serv.sin_addr.s_addr = inet_addr("127.0.0.1");
        /* the result is irrelevant here: the attempt itself is what
           shows up in the logs as TCP:31337-<i> */
        connect(sockfd, (struct sockaddr *)&serv, sizeof(serv));
        close(sockfd);
    }
    return 0;
}
---
from user:
% gcc scan.c
% ./a.out
from root:
# cd /var/log/lo-snort-logs
# ls
TCP:31337-1080 TCP:31337-1082 TCP:31337-1084 TCP:31337-1086 TCP:31337-1088
TCP:31337-1081 TCP:31337-1083 TCP:31337-1085 TCP:31337-1087 TCP:31337-1089
#
--
[ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ]
[ "I simply like morning solitude, because that is when coffee tastes best." ]
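The detection side of the same pattern, as an added example that is not code from the post or from Snort: group per-packet log names of the form shown in the listing above (PROTO:srcport-dstport) by source and source port, and flag a single source port that touched many distinct destination ports. The leading "source/" directory component, the threshold and the sample entries are constructed assumptions; ordinary client traffic using a fresh ephemeral port per connection is not flagged.

```python
import re
from collections import defaultdict

# Log names as they appear in the post: PROTO:srcport-dstport. An optional
# "source/" prefix (assumed layout: one directory per remote host) is used
# to keep different sources apart; entries without it go under "unknown".
ENTRY_RE = re.compile(
    r"^(?:(?P<src>[^/]+)/)?(?P<proto>TCP|UDP):(?P<sport>\d+)-(?P<dport>\d+)$"
)


def parse_entry(name):
    """Return (src, proto, sport, dport) or None for names that do not match."""
    m = ENTRY_RE.match(name.strip())
    if not m:
        return None
    return (m.group("src") or "unknown", m.group("proto"),
            int(m.group("sport")), int(m.group("dport")))


def find_one_to_many(entries, min_ports=5):
    """Report (src, proto, sport) keys that hit at least min_ports distinct
    destination ports from the *same* source port (a 1-to-many "scan")."""
    seen = defaultdict(set)
    for name in entries:
        parsed = parse_entry(name)
        if parsed is None:
            continue  # ignore unrelated directory entries
        src, proto, sport, dport = parsed
        seen[(src, proto, sport)].add(dport)
    return {key: sorted(dports) for key, dports in seen.items()
            if len(dports) >= min_ports}


# Constructed sample: the ten entries from the post (source directory assumed
# to be 127.0.0.1) plus benign client traffic from two other hosts.
SAMPLE = ["127.0.0.1/TCP:31337-%d" % p for p in range(1080, 1090)] + [
    "192.0.2.10/TCP:40001-80", "192.0.2.10/TCP:40002-80",
    "192.0.2.10/TCP:40003-443",
    "198.51.100.7/UDP:53-1025", "198.51.100.7/UDP:53-1026",
]

if __name__ == "__main__":
    for (src, proto, sport), dports in find_one_to_many(SAMPLE).items():
        print(f"{src} {proto} sport={sport}: {len(dports)} dst ports "
              f"({dports[0]}..{dports[-1]})")
```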