From: Simple Nomad (thegnomeNMRC.ORG)
Date: Fri Jan 12 2001 - 10:24:08 CST

    > For the last few months I have seen scans for port 21536 from port 18245
    > to my various web servers. I have searched the mail archives on
    > SecurityFocus and have found several people on several lists ask about
    > them and I found only one response, which seems ok, but I want to
    > confirm it.
    >
    > smarkaczanathema.eu.org wrote to the lists:
    >
    > "We have seen it for several months[2] in Poland, these packets are
    > generated by some brain damaged device (I don't know what this is); they
    > would be correct TCP packets if something did not strip TCP header
    > placing HTTP request right after the IP header. Look at the numbers and
    > you'll see that such damaged packet will be resolved to `port 21536
    > probe' - "GET " resolves to ports 18245 -> 21536."

    [snip]

    > I might accept this but the sources of the scans I see are from the US
    > (I'm in the US too). The scans so far have come from the west coast.
    > Now if it is a misconfigured device I could believe the traffic to be
    > innocent but what I get are actual slow scans across my various IP
    > spaces in sequential order. This would indicate a "scan" in my book and
    > not just some odd device causing this from casual browsing (though it
    > could be scans from behind a broken device, that makes it easy to "tag"
    > as a signature for IDS).
    >
    > To make it even more complicated, not all scans look at port 80. Some
    > don't even look at anything at all except port 21536. Most do look for
    > port 80 though after a connection is attempted to 21536.

    [snip]

    I think that if I were some smart scanning dude or dudette out there, and
    a scanning pattern was "identified" as a "misconfigured device", I'd
    probably make sure my port scan duplicated this type of traffic.

    Oftentimes people will post logs leaving the source address in, which is
    simply gold for those wishing to populate their nmap decoys. I'd bet
    dollars to donuts that most of the readers on this list, when they see
    that "they too got a scan from that pesky address", naturally assume it is
    not a decoy scan, making the real scan look like the decoy one.

    If I wanted to be REALLY evil, I could do the following:

    1. Scan large sections of the Internet with a forged source address and
    several decoys with nmap.
    2. Wait for someone on this list to say something about it, or optionally
    say something about it myself.
    3. I post a message from my day job stating "oh I spoke to blahblahblah
    about this and it is a misconfigured device/reported to the ISP/whatever".
    4. At night I use this information to start my own serious scans using
    these forged addresses as decoys with my real address thrown in. I could
    simply continue the scans, or I could aim them at the address space of
    posters to this list (a lot of you post from the Internet domain you are
    protecting).

    As a security-conscious kind of guy, I am surprised by the tone of this
    list, which seems to trust every message posted to it. Certainly I am not
    the first person to think of this type of thing. There has always been the
    argument on Bugtraq that the bad guys read Bugtraq; I think one should
    assume the same here.

    - Simple Nomad - "No rest for the Wicca'd" -
    - thegnomenmrc.org - -
    - thegnomerazor.bindview.com - www.nmrc.org razor.bindview.com -
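As an added example (not part of the original thread), the following Python reproduces the quoted explanation of the "port 21536 probe": it decodes a constructed IP payload whose TCP header has been stripped the way a TCP decoder would, recovers the bytes that a flagged port pair came from, and applies that check to constructed netfilter-style log lines. The log format, addresses and the extra HTTP methods checked are assumptions for the example.

```python
import struct

# Constructed sample (not from the original post): an IP payload that should
# have been a TCP segment but carries the HTTP request directly after the IP
# header, i.e. the TCP header has been stripped.
STRIPPED_PAYLOAD = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

# Constructed firewall log excerpts in a netfilter-like format (assumed);
# only the SPT/DPT fields are parsed.
SAMPLE_LOG = [
    "Jan 12 10:24:08 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=18245 DPT=21536",
    "Jan 12 10:24:09 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40112 DPT=80",
    "Jan 12 10:24:11 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.3 PROTO=TCP SPT=20559 DPT=21332",
]

# Four-byte prefixes that would occupy the two 16-bit port fields.
HTTP_METHODS = ("GET ", "POST", "HEAD", "PUT ")

def decode_as_tcp_header(payload: bytes) -> dict:
    """Interpret the first 20 bytes the way a TCP decoder (or an IDS) would."""
    if len(payload) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", payload[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": win}

def ports_to_ascii(sport: int, dport: int) -> str:
    """Undo the decoding: the four bytes the two port fields were read from."""
    return struct.pack("!HH", sport, dport).decode("ascii", errors="replace")

def stripped_http_hits(log_lines):
    """Return (line, method) for entries whose port pair spells an HTTP method."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "SPT" not in fields or "DPT" not in fields:
            continue
        text = ports_to_ascii(int(fields["SPT"]), int(fields["DPT"]))
        if text in HTTP_METHODS:
            hits.append((line, text.strip()))
    return hits
```

The same trick works in reverse when triaging any odd fixed port pair: if the sequence and acknowledgement fields also decode to printable text (here "/ HT" and "TP/1"), the "probe" is a decoding artifact rather than a real TCP segment.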