From: Wolf, Glenn (glenn.wolf_at_we-inc.com)
Date: Fri Jul 12 2002 - 17:13:33 CDT

    Check out this posting:

    http://groups.google.com/groups?q=%22CWR+ECE+SYN%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=1015153098.7313.0.nnrp-12.c1ed31d9%40news.demon.co.uk&rnum=3

    -----------------------

    On Sat, 02 Mar 2002 16:09:52 +0000, Calum wrote:

    > Hello All,
    >
    > Just wondering if anyone has seen activity from sinectis.com.ar?
    > I have seen them in my logs before.
    > Most recent:
    >
    > Mar 2 16:04:37 mercury kernel: IN=eth1 OUT=
    > MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23
    > DST=my.ip.add.ress LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32940 DF
    > PROTO=TCP SPT=65280 DPT=39255 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
    >
    > What are the CWR and ECE flags?

    CWR and ECE are used in the SYN packet sent by a host with Explicit
    Congestion Notification enabled. Some versions of kernel 2.4 had this
    enabled by default (and it's still user-configurable) so if the packet is
    legit, it's a fair bet they're using said kernel version.

    > What is he looking for on port 39255

    <http://www.portsdb.org> doesn't list anything, so I suspect they were
    probing to see if you were protected by a Cisco PIX firewall. Some
    versions of PIX silently drop packets with ECE/CWR flags set (as they're
    reserved in RFC 793). If you're allowing SYNs to that port, then they'll
    normally get a TCP RST (if nothing's listening), SYN-ACK (if something
    is) and/or one of a number of ICMP *-unreachable messages. If you had a
    PIX firewall there, they'd get nothing back. If they send two probes,
    one with ECE/CWR set and one without, that'll give them a strong clue
    as to whether you're a fan of the Beast of San Francisco.

    > Add them to the deny-no-matter-what list, I think.
    >
    > Might be worth a message to their sysadmins too...

    Best Regards,
    Alex.

    -----------------------

    -----Original Message-----
    From: Adam Young [mailto:adamvbfx.com]
    Sent: Thursday, July 11, 2002 6:57 PM
    To: incidents@securityfocus.com
    Subject: Another odd scan...

    --SNIP--
    Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=*
    SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252
    DF PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
    --SNIP--

            I got this for about 2 minutes, every 20 seconds or so, I just
    thought it especially weird with "CWR ECE SYN", looking as to what the
    meaning of this is.

            Any help is appreciated greatly,

                    Adam

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
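The log lines quoted in this thread are netfilter LOG output, and the reply's two points, that a SYN carrying both ECE and CWR is simply what an ECN-capable stack sends, while a pair of otherwise identical SYNs with and without those bits looks like a firewall probe, can be turned into a check over the logs. The Python below is an added example, not code from the thread or from any of the posters. It parses lines in the format shown above, classifies each SYN by its ECN bits using RFC 3168 terms, and reports any source that sent both an ECN-setup SYN and a plain SYN to the same destination port within a short window. The sample log is constructed: the two entries from the thread, with the posters' masked destination addresses replaced by RFC 5737 documentation addresses, plus a plain SYN and a UDP line added to exercise the logic.

```python
"""Flag ECN-setup SYNs and paired ECN/plain probes in netfilter LOG lines.

Added example, not code from the thread. The sample log below is
constructed from the two entries in the posts (masked targets replaced with
RFC 5737 addresses) plus a plain SYN and a UDP line to exercise the logic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Key=value fields of interest. The TCP flags are bare words after RES=...,
# so they are captured by a second pattern; the trailing \b stops "URG"
# from matching the "URGP=0" field that follows the flags.
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAGS_RE = re.compile(r"\bRES=\S+((?:\s+(?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)\b)+)")
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
ECN_BITS = frozenset({"CWR", "ECE"})


def parse_log_line(line):
    """Parse one kernel LOG line into a dict; return None for non-TCP lines."""
    kv = dict(KV_RE.findall(line))
    if kv.get("PROTO") != "TCP":
        return None
    m = FLAGS_RE.search(line)
    flags = frozenset(m.group(1).split()) if m else frozenset()
    ts_m = TS_RE.match(line)
    # syslog timestamps carry no year; strptime leaves it at 1900, which is
    # enough for the relative comparison done below.
    ts = None
    if ts_m:
        ts = datetime.strptime(" ".join(ts_m.group(1).split()), "%b %d %H:%M:%S")
    return {"ts": ts, "src": kv["SRC"], "dst": kv["DST"],
            "spt": int(kv["SPT"]), "dpt": int(kv["DPT"]), "flags": flags}


def classify(flags):
    """Name the SYN/ECN flag combination using RFC 3168 terms."""
    if "SYN" not in flags or "ACK" in flags:
        return "not-syn"
    if ECN_BITS <= flags:
        # SYN+ECE+CWR is the RFC 3168 "ECN-setup SYN" an ECN-capable stack
        # sends, e.g. Linux with net.ipv4.tcp_ecn on. Alone it is not
        # evidence of scanning.
        return "ecn-setup-syn"
    if flags & ECN_BITS:
        # Only one of the pair set: no standard stack sends this on a SYN,
        # so treat it as crafted.
        return "crafted-ecn-syn"
    return "plain-syn"


def find_probe_pairs(records, window_s=120):
    """Return sorted (src, dst, dpt) triples that got both an ECN-setup SYN
    and a plain SYN from the same source within window_s seconds.

    This is the firewall-detection trick the thread describes: a device that
    silently drops segments with the RFC 793 reserved bits set answers the
    plain SYN but not the ECN one, so the prober sends both and compares.
    A genuine ECN client has no reason to toggle the bits for one target.
    """
    by_target = defaultdict(lambda: {"ecn-setup-syn": [], "plain-syn": []})
    for r in records:
        kind = classify(r["flags"])
        if kind in ("ecn-setup-syn", "plain-syn") and r["ts"] is not None:
            by_target[(r["src"], r["dst"], r["dpt"])][kind].append(r["ts"])
    pairs = []
    for target, seen in by_target.items():
        if any(abs((a - b).total_seconds()) <= window_s
               for a in seen["ecn-setup-syn"] for b in seen["plain-syn"]):
            pairs.append(target)
    return sorted(pairs)


# Constructed sample log (see module docstring).
SAMPLE_LOG = """\
Mar  2 16:04:37 mercury kernel: IN=eth1 OUT= MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32940 DF PROTO=TCP SPT=65280 DPT=39255 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Mar  2 16:04:57 mercury kernel: IN=eth1 OUT= MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32941 DF PROTO=TCP SPT=65281 DPT=39255 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  2 16:05:02 mercury kernel: IN=eth1 OUT= MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=* SRC=80.97.2.93 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252 DF PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
"""


def analyse(text):
    """Parse text; return (per-line classifications, suspected probe pairs)."""
    records = [r for r in map(parse_log_line, text.splitlines()) if r]
    kinds = [(r["src"], r["dst"], r["dpt"], classify(r["flags"])) for r in records]
    return kinds, find_probe_pairs(records)


if __name__ == "__main__":
    kinds, pairs = analyse(SAMPLE_LOG)
    for src, dst, dpt, kind in kinds:
        print(f"{src} -> {dst}:{dpt}  {kind}")
    for src, dst, dpt in pairs:
        print(f"possible ECN/plain firewall probe: {src} -> {dst}:{dpt}")
```

On a Linux host, `sysctl net.ipv4.tcp_ecn` shows the knob the reply calls user-configurable, so your own outbound SYNs will carry CWR and ECE whenever it is on; a single ECN-setup SYN from a remote host is routine and not worth escalating on its own. What the check above surfaces is the paired probe the reply describes (in the constructed sample, 216.244.192.23 against port 39255), and the reserved-bit-only combinations that no standard stack emits.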