From: smarkacz (smarkacz@ANATHEMA.EU.ORG)
Date: Sat Jan 13 2001 - 15:18:59 CST

    "Fulton L. Preston Jr." <fulton@PRESTONS.ORG> wrote:
    > For the last few months I have seen scans for port 21536 from port 18245
    > to my various web servers.

    I do not consider them `scans'. But they might be..

    > I have searched the mail archives on SecurityFocus and have found
    > several people on several lists ask about them and I found only one
    > response, which seems ok, but I want to confirm it.
    >
    > smarkacz@anathema.eu.org wrote to the lists:
    >
    > "We have seen it for several months[2] in Poland, these packets are
    > generated by some brain damaged device (I don't know what this is); they
    > would be correct TCP packets if something did not strip TCP header
    > placing HTTP request right after the IP header. Look at the numbers and
    > you'll see that such damaged packet will be resolved to `port 21536
    > probe' - "GET " resolves to ports 18245 -> 21536."
    >
    > He even claims to be able to reproduce it if he dials into some public
    > ISP in Poland and connects to his machines on any port such as telnet or
    > ssh.

    I do not. Especially I do not claim to be able to make this device
    (probably Nortel CVX) to damage my packets to appear as 18245>21536
    when I use ssh, just because "SSH-" is not "GET ".

    I have seen plenty of packets with this port pair in my firewall
    logs and been amazed. I used to think they were generated by some
    nmap-like tool doing active OS fingerprinting. I just couldn't imagine
    why a fingerprinting tool would use a fixed port pair. Yes, it could
    have been a lazy coder, but it made me run tcpdump to look into them,
    and that's what I've found:

    10:06:19.235208 213.76.114.40.18245 > 212.244.100.102.21536: SE
    795438439:795438776(337) ack 794976622 win 12147 urg 28261
    <[bad opt]> (DF)
      0000: 4500 017d 5d03 4000 7906 22a8 d54c 7228 E..}]..y."..Lr(
      0010: d4f4 6466 4745 5420 2f69 6d67 2f62 616e ..dfGET /img/ban
      0020: 6572 2f73 7964 6e65 7932 3030 302e 6a70 er/sydney2000.jp
      0030: 6720 4854 5450 2f31 2e31 0d0a 4163 6365 g HTTP/1.1..Acce
      0040: 7074 3a20 2a2f 2a0d 0a52 6566 6572 6572 pt: */*..Referer
      0050: 3a20 :

    You can see a HTTP request for a JPEG image. Nice. But it starts at
    offset 20, not 40 as it should (please, don't tell me about IP options
    et al.). Your machine treats it as a normal packet, though, hence
    `scans of 21536' are logged.

    > I might accept this but the sources of the scans I see are from the US
    > (I'm in the US too). The scans so far have come from the west coast.

    I was wrong. I considered it a misconfiguration of some kind of
    transparent proxy. I've seen such packets `originating' only from
    Polish Telecom public dialups. It's nothing strange, I run a firewall
    protecting an e-commerce site targeted at Polish customers, but it
    made me think of this issue as specific to PT. Again, I was wrong.

    > Now if it is a misconfigured device I could believe the traffic to be
    > innocent but what I get are actual slow scans across my various IP
    > spaces in sequential order. This would indicate a "scan" in my book and
    > not just some odd device causing this from casual browsing (though it
    > could be scans from behind a broken device, that makes it easy to "tag"
    > as a signature for IDS)

    Ports 18245>21536 are nothing special. But, using these ports you can
    fingerprint some machines while being ignored by their admins ranting
    at another brain-damaged CVX(?).

    > To make it even more complicated, not all scans look at port 80. Some
    > don't even look at anything at all except port 21536. Most do look for
    > port 80 though after a connection is attempted to 21536.

    First, HTTP service != port 80. I can easily configure most HTTP
    servers to listen on an arbitrary port. Second, 18245>21536 packets
    seem to be quite common, they can probably be used by some scanning or
    fingerprinting tool now. Such a nice opportunity - use these ports and
    your attempts will probably get ignored.

    > I know a few people have seen this. Anyone else lurking on the list
    > seen this activity? Anyone else have anything to offer on this? I am
    > really interested in knowing if it is a router causing this. If it
    > isn't a router, what the heck are they looking for?

    I don't know. I believe most of those packets are generated by the
    above-mentioned device (CVX?), but someone could use them to
    fingerprint your OS.

    -- 
    *** smarkacz (smarkacz@anathema.eu.org)  --  Jacek P. Szymański
    Yet another Linux program reinvents the wheel because there are no
    ready-made solutions.
                                                -- Piotr Trzcionkowski
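As an added worked example (not part of the original post or of the list thread), the Python below decodes the hex dump quoted in the message exactly the way the receiving TCP/IP stack does. It shows that the IP header in front is intact (its checksum verifies, total length 381, DF set, TTL 121) while every TCP field tcpdump printed is just the ASCII of the HTTP request: "GET " gives the port pair 18245 > 21536, "/img" and "/ban" give the sequence and acknowledgement numbers, "er" gives data offset 6 and the SYN/ACK/URG/ECE flag mix, "/s" the window, "ne" the urgent pointer, and "y200" the option that tcpdump marked as [bad opt]. The `method_as_ports` helper generalizes the "GET " arithmetic to other HTTP methods, and `analyze` returns the verdict an IDS rule would want instead of keying on the port pair alone. The HTTP method list, the function names and the verdict logic are my own assumptions, not anything from the post or from the device it discusses.

```python
import struct

# Hex dump transcribed from the tcpdump output in the post above (only the
# 82 bytes shown there; the IP total length field says the packet was 381).
HEXDUMP = """
4500 017d 5d03 4000 7906 22a8 d54c 7228
d4f4 6466 4745 5420 2f69 6d67 2f62 616e
6572 2f73 7964 6e65 7932 3030 302e 6a70
6720 4854 5450 2f31 2e31 0d0a 4163 6365
7074 3a20 2a2f 2a0d 0a52 6566 6572 6572
3a20
"""

TCP_FLAGS = (("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

# HTTP method tokens to look for at the TCP header position (assumed list).
HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ")


def hexdump_to_bytes(dump):
    """Turn the space/newline separated hex groups into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def inet_checksum(data):
    """RFC 1071 ones-complement sum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip(pkt):
    """Decode the fixed IPv4 header and verify its checksum."""
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "df": bool(frag & 0x4000),
            "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": inet_checksum(pkt[:ihl]) == 0}


def parse_tcp(seg):
    """Decode whatever sits at the TCP header position, as a stack would."""
    (sport, dport, seq, ack, off_flags, window, _csum,
     urg) = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4          # data offset is in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": doff, "window": window, "urg": urg,
            "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
            "options": seg[20:doff], "header_bytes": seg[:doff]}


def method_as_ports(method):
    """Port pair a stack reports when an HTTP method token lands where the TCP header belongs."""
    return struct.unpack("!HH", method[:4])


def analyze(pkt):
    """Parse IP then TCP and decide whether the TCP header is really request text."""
    ip = parse_ip(pkt)
    seg = pkt[ip["ihl"]:]
    tcp = parse_tcp(seg)
    hdr = tcp["header_bytes"]
    # The IP header checks out, but every byte the TCP parser consumed is
    # printable ASCII beginning with an HTTP method: the real TCP header is
    # missing and the request has moved up by its 20 bytes.
    stripped = (ip["checksum_ok"] and ip["proto"] == 6
                and all(0x20 <= b < 0x7F for b in hdr)
                and seg.startswith(HTTP_METHODS))
    return {"ip": ip, "tcp": tcp,
            # tcpdump's "(337)": total length minus both headers
            "payload_len": ip["total_len"] - ip["ihl"] - tcp["data_offset"],
            "header_as_text": hdr.decode("ascii", "replace"),
            "stripped_tcp_header": stripped}


if __name__ == "__main__":
    r = analyze(hexdump_to_bytes(HEXDUMP))
    t = r["tcp"]
    print("%s.%d > %s.%d flags=%s seq=%d ack=%d win=%d urg=%d (%d)" % (
        r["ip"]["src"], t["sport"], r["ip"]["dst"], t["dport"],
        "".join(f[0] for f in t["flags"]), t["seq"], t["ack"],
        t["window"], t["urg"], r["payload_len"]))
    print("TCP 'header' as text: %r, options %r" % (r["header_as_text"], t["options"]))
    print("stripped TCP header:", r["stripped_tcp_header"])
    for m in HTTP_METHODS:
        print("%r -> %d > %d" % (m, *method_as_ports(m)))
```

Run stand-alone it reproduces the tcpdump line from the post (18245 > 21536, seq 795438439, ack 794976622, win 12147, urg 28261, 337 bytes of payload) and prints the 24 consumed "header" bytes as the text "GET /img/baner/sydney200". The practical point for a detector is in the last field: a rule that fires on the port pair alone cannot tell this device's damage from a deliberate probe that borrows the same ports, whereas checking that the bytes at the TCP header position are themselves an HTTP request line identifies the broken-device case specifically.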