From: Jackson, John (John.JacksonSAVVIS.NET)
Date: Fri Jan 19 2001 - 13:58:46 CST


    This is probably the synscan tool that Ramen uses, and I was able to
    confirm that the host that scanned you (216.94.60.156) is infected
    with Ramen.

    I noticed the same ID of 39426 in my :21->:21 received scans, and
    confirmed by telnetting to port 27374 of the sender that Ramen was
    being served there. (hah, a pun! :)

    .nhoJ

    | -----Original Message-----
    | From: r4gn4r0k [mailto:r4gn4r0kTELUS.NET]
    | Sent: Friday, January 19, 2001 2:44 AM
    | To: INCIDENTSSECURITYFOCUS.COM
    | Subject: any idea of the kiddie-script tool crafting these SYN-FIN
    | packets to user selectable destination ports
    |
    |
    | anyone know the name(s) and/or a url to find the tool?
    |
    | may be one tool or family of tools derived from the same base
    | code (note the hand-crafted ID always = 39426 and the Advertised
    | Window = 0x404)
    |
    | I'm trying to correlate what I'm seeing on snort with what my personal
    | firewall is logging and I want to be able to generate the traffic myself
    | (tired of having to wait hours or days between random tests to be
    | farted out of the global sewer).
    |
    | TIA
    |
    | /r
    |
    | Sample TCPDUMP output:
    | 13:48:34.322789 eth0 P 216.94.60.156.ftp > mypc.any.org.ftp: SF
    | 1808792213:1808792213(0) win 1028 (ttl 32, id 39426)
    |
    | Snort Alerts:
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/17-13:48:34.322789 216.94.60.156:21 -> mypc.any.org:21
    | TCP TTL:32 TOS:0x0 ID:39426
    | ******SF Seq: 0x6BCFFA95 Ack: 0x2A10533A Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/05-12:12:39.719091 63.192.141.74:9704 -> mypc.any.org:9704
    | TCP TTL:28 TOS:0x0 ID:39426
    | ******SF Seq: 0x2703CFEA Ack: 0x61CCA06C Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/06-03:56:13.515113 210.97.240.11:53 -> mypc.any.org:53
    | TCP TTL:30 TOS:0x0 ID:39426
    | ******SF Seq: 0x6FF04448 Ack: 0x4D87885F Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/06-09:54:25.972394 202.190.201.1:21 -> mypc.any.org:21
    | TCP TTL:28 TOS:0x0 ID:39426
    | ******SF Seq: 0x54C519C7 Ack: 0x4D77D9B4 Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/07-01:02:20.752179 62.149.151.160:110 -> mypc.any.org:110
    | TCP TTL:27 TOS:0x0 ID:39426
    | ******SF Seq: 0x34FF17B7 Ack: 0x786DB88A Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/07-15:01:54.877206 158.42.57.42:111 -> mypc.any.org:111
    | TCP TTL:31 TOS:0x0 ID:39426
    | ******SF Seq: 0x2837B8A6 Ack: 0x2AEF650D Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/13-17:53:45.478701 62.98.137.208:21 -> mypc.any.org:21
    | TCP TTL:25 TOS:0x0 ID:39426
    | ******SF Seq: 0x68AEE551 Ack: 0x8A124BE Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/17-20:35:18.211718 64.248.77.18:21 -> mypc.any.org:21
    | TCP TTL:28 TOS:0x0 ID:39426
    | ******SF Seq: 0x7B63CDF2 Ack: 0x2917D0D3 Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/18-02:37:35.013479 216.162.96.39:21 -> mypc.any.org:21
    | TCP TTL:33 TOS:0x0 ID:39426
    | ******SF Seq: 0x791F0C00 Ack: 0x740815C2 Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/18-02:42:25.382507 64.148.165.60:21 -> mypc.any.org:21
    | TCP TTL:29 TOS:0x0 ID:39426
    | ******SF Seq: 0x791F0C00 Ack: 0x740815C2 Win: 0x404
    |
    | [**] IDS198 - SCAN-SYN FIN [**]
    | 01/18-12:18:37.819176 150.131.108.239:21 -> mypc.any.org:21
    | TCP TTL:30 TOS:0x0 ID:39426
    | ******SF Seq: 0x484A23DD Ack: 0x2277E3D Win: 0x404
    |
    | THE END
    |
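A parser for the classic three-line Snort alert blocks quoted above that flags the fingerprint the thread settles on (SYN+FIN set, IP ID 39426, advertised window 0x404, source port equal to destination port). This is an added example, not code from the thread, from Snort, or from Ramen; the sample alerts are constructed in the same format as the quoted ones, with an ordinary SYN alert included as a negative case.

```python
import re

# Constructed sample: two alerts in the shape quoted in the thread plus one
# ordinary SYN-only alert that must NOT match the synscan fingerprint.
SAMPLE_ALERTS = """\
[**] IDS198 - SCAN-SYN FIN [**]
01/17-13:48:34.322789 216.94.60.156:21 -> mypc.any.org:21
TCP TTL:32 TOS:0x0 ID:39426
******SF Seq: 0x6BCFFA95 Ack: 0x2A10533A Win: 0x404

[**] IDS198 - SCAN-SYN FIN [**]
01/07-15:01:54.877206 158.42.57.42:111 -> mypc.any.org:111
TCP TTL:31 TOS:0x0 ID:39426
******SF Seq: 0x2837B8A6 Ack: 0x2AEF650D Win: 0x404

[**] constructed - ordinary connection attempt [**]
01/18-09:00:00.000000 192.0.2.10:40000 -> mypc.any.org:22
TCP TTL:64 TOS:0x0 ID:12345
******S* Seq: 0x00000001 Ack: 0x00000000 Win: 0x4000
"""

HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")      # timestamp src:port -> dst:port
IPL = re.compile(r"^TCP TTL:(\d+) TOS:(\S+) ID:(\d+)$")        # IP header fields
TCPL = re.compile(r"^(\S{8}) Seq: (\S+) Ack: (\S+) Win: (\S+)$")  # 8-char flag field, seq, ack, window

def parse_snort_alerts(text):
    """Parse classic Snort alert blocks (blank-line separated) into dicts."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.splitlines()]
        if len(lines) < 4:
            continue
        h, i, t = HDR.match(lines[1]), IPL.match(lines[2]), TCPL.match(lines[3])
        if not (h and i and t):
            continue  # skip blocks that are not in the three-line TCP format
        alerts.append({
            "msg": lines[0].strip("[*] "),
            "ts": h.group(1), "src": h.group(2), "sport": int(h.group(3)),
            "dst": h.group(4), "dport": int(h.group(5)),
            "ttl": int(i.group(1)), "id": int(i.group(3)),
            "flags": t.group(1), "win": int(t.group(4), 16),
        })
    return alerts

def matches_synscan_fingerprint(a):
    """Fingerprint from the thread: SYN+FIN, IP ID 39426, window 0x404, sport == dport."""
    flags = a["flags"]
    return ("S" in flags and "F" in flags and a["id"] == 39426
            and a["win"] == 0x404 and a["sport"] == a["dport"])

def find_synscan_sources(text):
    """Return the sorted set of source addresses whose alerts match the fingerprint."""
    return sorted({a["src"] for a in parse_snort_alerts(text) if matches_synscan_fingerprint(a)})
```

Feeding a real alert file to `find_synscan_sources` gives the list of hosts worth checking for the infection the thread describes; the parsed window value 1028 matches the `win 1028` shown in the tcpdump line.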