 
From: Chuck Kendzierski (cvkendz@VISTO.COM)
Date: Mon Apr 02 2001 - 13:47:30 CDT


    Jim,

        Have not seen the combination of flags described nor do I think they occurred naturally. I remember seeing something a while back about this. Check out the email snippet below. Note the source and destination ports. Sound familiar?

    Chuck Kendzierski

    Subject: TCP/21536 attack?
    From: "Gary Maltzen" <maltzenmm.com>
    Date: Tue, 14 Nov 2000 10:53:37 -0600
    To: "Firewalls List" <firewalls@lists.gnac.net>
    References: <B32F2F854D4CD311898B00508B444F7F0292BF5Aabz-irg-exs01.uk.saic.com>

    --------------------------------------------------------------------------------

    Is there a list more appropriate for 'what the heck is this' posts?

    It's not in /etc/services
    It's not in Graham http://www.robertgraham.com/pubs/firewall-seen.html
    It's not in Simovits http://www.simovits.com/nyheter9902.html
    It's not in TLSecurity http://www.tlsecurity.com/trojanh.htm
    It's not in advICE http://advice.networkice.com/advice/Exploits/Ports/

    Interestingly enough it's from tcp/18245 each time...

     From Poland
    Nov 12 11:59 CDT tcp 212.160.25.170(18245) -> 209.134.156.113(21536), 1 packet
    Nov 12 16:05 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 1 packet
    Nov 12 16:11 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 6 packets
    Nov 12 16:13 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 1 packet
    Nov 12 16:13 CDT tcp 212.160.25.123(18245) -> 209.134.156.113(21536), 1 packet
     From Canada
    Nov 13 19:33 CDT tcp 209.213.239.60(18245) -> 209.134.156.113(21536), 1 packet
     From Sweden
    Nov 14 03:57 CDT tcp 213.204.132.194(18245) -> 209.134.156.113(21536), 1 packet
    Nov 14 03:57 CDT tcp 213.204.132.194(18245) -> 209.134.156.113(21536), 3 packets
    Nov 14 03:58 CDT tcp 213.204.132.194(18245) -> 209.134.156.113(21536), 1 packet

    Any clues?
    -TIA
     Gary

    -----Original Message-----
    From: Jim Franzen jim.franzen@VOGON.SE
    Sent: Mon, 2 Apr 2001 17:29:29 +0200
    To: FOCUS-IDS@SECURITYFOCUS.COM
    Subject: Strange Snort report.

    Hi all.

    Snort picked up this earlier today:

    Apr 2 15:40:29 212.105.28.137:18245 -> x.x.x.x:21536 NOACK **U*PRS*
    Apr 2 15:40:35 212.105.28.137:1533 -> x.x.x.x:443 SYN ******S*
    Apr 2 15:40:51 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA*R*F RESERVEDBITS
    Apr 2 15:40:56 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA**S* RESERVEDBITS
    Apr 2 15:40:56 212.105.28.137:0 -> x.x.x.x:0 NULL ********

    Can anyone cast some light on this for me?
    Is this a known attack or just gibberish?

    Thnx

    /Jim

    VOGON AB
    Smidesvägen 7, Box 1301, S-172 26 SUNDBYBERG, Sweden
    Phone: +46-8-627 48 02 Cellular: +46-709-26 86 89 Fax: +46-8-627 48 99
    email: jim@vogon.se site: www.vogon.se
    cellmail: jim.mobil@vogon.se
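    The Snort lines in Jim's report can be checked mechanically rather than by eye. The Python script below is an added example, not part of this thread and not Snort's own code. It parses lines in the portscan-log format shown above, names the flag combinations that cannot occur in a legitimate TCP conversation (no flags at all, reserved bits set, SYN together with RST or FIN, anything other than a bare SYN without ACK), and also reads each port number as the two bytes it occupies in the TCP header, a routine triage step when an odd port pair keeps recurring from unrelated sources. The column order `12UAPRSF` for the flag string and the line regex are assumptions inferred from the lines on this page; the sample input is the five lines from Jim's report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Column order of the flag string in Snort 1.x portscan logs. Assumption taken from
# this page's own lines: "*2UA*R*F RESERVEDBITS" puts the "2" reserved bit in the
# second column, so the columns are reserved-1, reserved-2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_COLUMNS = "12UAPRSF"

# Assumed line shape: "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <label> <flags> [extra]"
SNORT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<label>\S+) (?P<flags>[12UAPRSF*]{8})(?: (?P<extra>.*))?$"
)


@dataclass
class Event:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    label: str
    flags: Set[str]


def parse_snort_portscan_line(line: str) -> Optional[Event]:
    """Parse one Snort portscan-log line; return None for lines in another format."""
    m = SNORT_LINE.match(line.strip())
    if m is None:
        return None
    flags = {c for c in m["flags"] if c != "*"}
    return Event(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                 m["label"], flags)


def flag_anomalies(flags: Set[str]) -> List[str]:
    """Name the flag combinations that never occur in a legitimate TCP exchange."""
    found = []
    if not flags:
        found.append("null")            # no flags at all
    if flags & {"1", "2"}:
        found.append("reserved-bits")   # reserved header bits set
    if {"S", "R"} <= flags:
        found.append("syn+rst")
    if {"S", "F"} <= flags:
        found.append("syn+fin")
    if flags and "A" not in flags and flags != {"S"}:
        found.append("no-ack")          # only a bare SYN may legitimately lack ACK
    return found


def port_as_ascii(port: int) -> Optional[str]:
    """Read a 16-bit port as the two bytes it occupies on the wire (network order).
    Returns the two characters when both are printable ASCII, otherwise None."""
    hi, lo = port >> 8, port & 0xFF
    if all(0x20 <= b < 0x7F for b in (hi, lo)):
        return chr(hi) + chr(lo)
    return None


def triage(lines: List[str]) -> List[dict]:
    """Parse the Snort lines and attach anomaly names and byte readings of the ports."""
    out = []
    for line in lines:
        ev = parse_snort_portscan_line(line)
        if ev is None:
            continue                    # skip lines in some other log format
        out.append({
            "src": f"{ev.src}:{ev.sport}",
            "dst": f"{ev.dst}:{ev.dport}",
            "label": ev.label,
            "flags": "".join(c if c in ev.flags else "*" for c in FLAG_COLUMNS),
            "anomalies": flag_anomalies(ev.flags),
            "ports_as_text": (port_as_ascii(ev.sport), port_as_ascii(ev.dport)),
        })
    return out


# Sample input: the five Snort entries from Jim's report, copied from the thread.
SAMPLE_LINES = [
    "Apr 2 15:40:29 212.105.28.137:18245 -> x.x.x.x:21536 NOACK **U*PRS*",
    "Apr 2 15:40:35 212.105.28.137:1533 -> x.x.x.x:443 SYN ******S*",
    "Apr 2 15:40:51 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA*R*F RESERVEDBITS",
    "Apr 2 15:40:56 212.105.28.137:18245 -> x.x.x.x:21536 INVALIDACK *2UA**S* RESERVEDBITS",
    "Apr 2 15:40:56 212.105.28.137:0 -> x.x.x.x:0 NULL ********",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

    Run against Jim's lines, the script flags four of the five as carrying impossible flag combinations and leaves the SYN to port 443 alone; it also reports that 18245 and 21536 are the printable byte pairs "GE" and "T ", while 1533 and 443 decode to nothing printable. That distinction, legal flags on a normal-looking port versus impossible flags on a port pair that reads as text and recurs from many sources, is the observation worth carrying into further analysis of such entries.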
