
Thread: ????? Something new ??????

  1. #11
    Hum... Why does it not surprise me that you got this hit from a Windows box.


    Ugh...
    /me hangs his head in shame, and says "I haven't been to sleep yet"

    I am actually interested if your FW at work has been picking this up too.

  2. #12
    Just a Virtualized Geek MrLinus's Avatar | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    The other thing I was thinking about was that someone stuck something other than SFLM on the port (game server, kazaa) and these machines were looking for it. Perhaps a link on a website or something, and again it's a transposed/error ip?

    And well, if I intend to get work done today, I get up early so I can get into my office before my colleagues (they tend to yap far more than I like.. )..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #13
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Whiz: Well, considering 90%+ of the boxes out there are winx I'd say that the probabilities would be quite high.....

    Ms. M: I think you have the answer somewhere there. My firewall is utterly devoid of SYN's on that port as are my other monitors so nothing was pointed at my netblock all day yesterday.

    Why does this crap always happen to me..... or am I just overly paranoid?

    they tend to yap far more than I like..
    Yeah, I'm surrounded by social workers..... I sometimes think that they are under the impression that the organization is a social outlet for their gossip, baby showers, going away parties etc. etc. etc. I don't know how they ever get any work done......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Just a Virtualized Geek MrLinus's Avatar | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    Why does this crap always happen to me..... or am I just overly paranoid?
    Naw.. other people aren't paranoid enough. I bet someone is on your network who shares out something. Maybe a quick scan of the subnet to see who might have something shared out on that port would give better details. I'm betting this is the more likely answer since it is SYN packets (first part of the 3-way handshake and the start of any service).

    Have you run tcpdump or something to see if there is more there (like data info?)

  5. #15
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    I don't really want to start any scanning activity of that network. The DSL connection belongs to a friend in his business location. It just happens to be next door to my "watering hole"... He needed some help adding multiple machines to the connection, I had a WAP lying around doing nothing and a laptop with a wireless card that was equally unemployed.... I figured out that we could all be happy and went ahead and set it all up, (yes, he's fully aware... In fact when he comes into the pub his first comment is "Get out of my computer"... Moi??? ). Thus, to use his connection to scan his ISP's customers would be inviting trouble.....

    I didn't have Ethereal with me and didn't think about packet dumping at that point but I'll be back there tonight and if it's still going on I'll take a look.

  6. #16
    Just a Virtualized Geek MrLinus's Avatar | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    WAP?! You didn't mention that... geez... Ummm... Wardriving by some perhaps?

  7. #17
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Ms. M: WAP, not mentioned? Sure was:-

    The setup I have is a wireless laptop on the DMZ port of a linksys WAP.
    You got up too early Ma'am.... .... and if it was a wardriver he wouldn't be getting SYN's from all over the world.... I'd have been seeing them from a local address which would be a little hard since it is MAC filtered to my card and one other that wasn't present at the time.

    It's inbound down the DSL, there's no doubt about that unless you have another idea.....

  8. #18
    Just a Virtualized Geek MrLinus's Avatar | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    Outside of misdirected address, the only other thing, given that the addresses are primarily Win (the remaining ones are unknowns I take it?) is that there is a new worm and it's attempting to propagate on this port picked by the creator. The data from the SYN packets (if there is any) might give a clue on that.. Don't suppose you have a spare box with which to open a port and tarpit the connection?

  9. #19
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    I'll see if it is still happening tonight and work from there. If it has stopped then I would run with your first thought about misdirected DNS.... If not then I'll run p0f to passively footprint the connections to get a better view of the connecting machines and then ethereal the port to see if there is anything unusual with the SYN packets.

    Thanks for the help.... I need all the additional brain cells I can get sometimes....

  10. #20
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Ok Ms. M, I'm going to go with your Kazaa theory but I'll twist it slightly......

    I am not seeing this traffic at home - nor am I seeing it at work. No-one else is owning up to seeing it so we can reasonably conclude that it isn't some new worm since the scans would be more widespread.

    I unleashed p0f, (passive fingerprinter), on the connections with the packet dump switch on, cleaned it up a little and came up with this:-

    <Mon Nov 03 16:46:33 2003> 200.247.206.23/radioaru.contato.net:3249 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    -> 192.168.1.100/MyComputer:3162 (distance 19, link: pppoe (DSL))
    [00] 45 00 00 30 db ea 40 00 6d 06 d8 c1 c8 f7 ce 17 | E..0..@.m.......
    [10] c0 a8 01 64 0c b1 0c 5a 66 8c a8 76 00 00 00 00 | ...d...Zf..v....
    [20] 70 02 40 00 c1 fd 00 00 02 04 05 ac 01 01 04 02 | p.@.............

    <Mon Nov 03 16:46:51 2003> 81.15.218.252/masqte.daminet.pl:3469 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    -> 192.168.1.100/MyComputer:3162 (distance 16, link: IPSec/GRE)
    [00] 45 00 00 30 c4 2a 40 00 70 06 58 85 51 0f da fc | E..0.*@.p.X.Q...
    [10] c0 a8 01 64 0d 8d 0c 5a 80 cf a2 24 00 00 00 00 | ...d...Z...$....
    [20] 70 02 40 00 18 44 00 00 02 04 05 9c 01 01 04 02 | p.@..D..........

    <Mon Nov 03 16:46:52 2003> 80.54.170.49/zy49.neoplus.adsl.tpnet.pl:4910 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    -> 192.168.1.100/MyComputer:3162 (distance 19, link: pppoe (DSL))
    [00] 45 00 00 30 91 a4 40 00 6d 06 bf af 50 36 aa 31 | E..0..@.m...P6.1
    [10] c0 a8 01 64 13 2e 0c 5a 08 47 3a 26 00 00 00 00 | ...d...Z.G:&....
    [20] 70 02 40 00 24 be 00 00 02 04 05 ac 01 01 04 02 | p.@.$...........

    <Mon Nov 03 16:46:52 2003> 81.15.218.252/masqte.daminet.pl:3469 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    -> 192.168.1.100/MyComputer:3162 (distance 16, link: IPSec/GRE)
    [00] 45 00 00 30 c4 2d 40 00 70 06 58 82 51 0f da fc | E..0.-@.p.X.Q...
    [10] c0 a8 01 64 0d 8d 0c 5a 80 cf a2 24 00 00 00 00 | ...d...Z...$....
    [20] 70 02 40 00 18 44 00 00 02 04 05 9c 01 01 04 02 | p.@..D..........

    <Mon Nov 03 16:46:53 2003> 67.112.91.235:4642 - Windows 2000 SP4, XP SP 1 (2)
    -> 192.168.1.100/MyComputer:3162 (distance 14, link: IPv6/IPIP)
    [00] 45 00 00 30 ac ef 40 00 72 06 fa 70 43 70 5b eb | E..0..@.r..pCp[.
    [10] c0 a8 01 64 12 22 0c 5a ad fa 76 57 00 00 00 00 | ...d.".Z..vW....
    [20] 70 02 fd 20 e1 dc 00 00 02 04 05 a0 01 01 04 02 | p.. ............

    <Mon Nov 03 16:47:10 2003> 200.53.245.29/cablec5oug.cybercable.net.mx:1857 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    -> 192.168.1.100/MyComputer:3162 (distance 24, link: GPRS, T1, FreeS/WAN)
    [00] 45 00 00 30 47 dc 40 00 68 06 4b 8c c8 35 f5 1d | E..0G.@.h.K..5..
    [10] c0 a8 01 64 07 41 0c 5a 10 3c d3 4d 00 00 00 00 | ...d.A.Z.<.M....
    [20] 70 02 40 00 cc ea 00 00 02 04 05 64 01 01 04 02 | p.@........d....

    <Mon Nov 03 16:47:12 2003> 81.128.136.70:33634 - Windows XP Pro SP1, 2000 SP3 (NAT!)
    -> 192.168.1.100/MyComputer:3162 (distance 19, link: sometimes DSL (1))
    [00] 45 00 00 30 c4 c1 40 00 6d 06 ad 33 51 80 88 46 | E..0..@.m..3Q..F
    [10] c0 a8 01 64 83 62 0c 5a 68 f7 cd 72 00 00 00 00 | ...d.b.Zh..r....
    [20] 70 02 fa f0 26 bf 00 00 02 04 05 2a 01 01 04 02 | p...&......*....

    <Mon Nov 03 16:47:20 2003> 68.167.66.169:4404 - Windows 2000 SP4, XP SP 1 (2)
    -> 192.168.1.100/MyComputer:3162 (distance 15, link: IPv6/IPIP)
    [00] 45 00 00 30 51 b3 40 00 71 06 6e b8 44 a7 42 a9 | E..0Q.@.q.n.D.B.
    [10] c0 a8 01 64 11 34 0c 5a 9f 2a c9 d3 00 00 00 00 | ...d.4.Z.*......
    [20] 70 02 fd 20 b6 29 00 00 02 04 05 a0 01 01 04 02 | p.. .)..........

    As you can see the SYN's, (p0f only traps the SYN's unless I add some other switches), come from everywhere.... What is interesting is the type of connection the remotes are using.... IPv6, IPSec/GRE????? Encrypted traffic.... IPv6?.... So it must be using 6to4 to route and connect.... So it isn't normal traffic.... But it is pointed at me.....

    Granted, I haven't gone and looked at my friend's 2 machines, (Win98 and a Mac), but I would _guess_ it isn't down to them. If it is.... I'll throttle him.....

    What I do think is that the IP address for the PPPoE his DSL uses has rotated and someone else had this one previously, (I don't watch for this IP changing but I have noticed that it does rotate). I also think they may have been running something like Earthstation 5 which uses proxies and encryption heavily to hide the activity.... But it isn't ES5 from what I have seen because it doesn't use GRE/IPv6.... It's SSL/proxied as far as I know.

    Comments/thoughts?
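As an added example (not part of the original post or of p0f itself), the script below decodes the first SYN in the dump above: it turns p0f's hex lines back into packet bytes, reads the IPv4 and TCP header fields p0f fingerprints (TTL, window, options), and recomputes the "distance" as the gap between the observed TTL and the nearest common initial TTL. The 64/128/255 initial-TTL table is an assumption about how p0f estimates hops; for this packet it reproduces the "distance 19" the dump reports.

```python
import struct
import ipaddress

# First SYN from the p0f dump above: 200.247.206.23:3249 -> 192.168.1.100:3162.
P0F_DUMP = """
[00] 45 00 00 30 db ea 40 00 6d 06 d8 c1 c8 f7 ce 17 | E..0..@.m.......
[10] c0 a8 01 64 0c b1 0c 5a 66 8c a8 76 00 00 00 00 | ...d...Zf..v....
[20] 70 02 40 00 c1 fd 00 00 02 04 05 ac 01 01 04 02 | p.@.............
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn p0f's '[off] xx xx ... | ascii' lines back into raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(bytes.fromhex(line.split("|", 1)[0].split("]", 1)[1]))
    return bytes(out)

def parse_tcp_options(opts: bytes) -> dict:
    """Walk the TCP option list; MSS, NOP and SACK-permitted are what this dump carries."""
    result, i = {"nop": 0}, 0
    while i < len(opts) and opts[i] != 0:   # kind 0 ends the list
        kind = opts[i]
        if kind == 1:                        # NOP: one byte, no length field
            result["nop"] += 1
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:                        # MSS carries a 2-byte value
            result["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 4:                      # SACK permitted has no payload
            result["sackOK"] = True
        i += max(length, 2)                  # skip other kinds; guard against length 0
    return result

def parse_syn(pkt: bytes) -> dict:
    """Decode the IPv4/TCP header fields p0f fingerprints from a bare SYN."""
    (ver_ihl, _tos, total_len, _id, _frag, ttl, _proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    # Assumed p0f-style "distance": nearest common initial TTL (64/128/255) minus observed TTL.
    initial_ttl = min(t for t in (64, 128, 255) if t >= ttl)
    return {
        "src": f"{ipaddress.IPv4Address(src)}:{sport}",
        "dst": f"{ipaddress.IPv4Address(dst)}:{dport}",
        "ttl": ttl, "distance": initial_ttl - ttl,
        "syn_only": (off_flags & 0x1FF) == 0x02,
        "window": window, "length_ok": total_len == len(pkt),
        "options": parse_tcp_options(pkt[ihl + 20:ihl + (off_flags >> 12) * 4]),
    }
```

Running `parse_syn(hexdump_to_bytes(P0F_DUMP))` gives TTL 109 (initial 128, so 19 hops), window 16384 and options MSS 1452, two NOPs and SACK permitted, which is the Windows 2000/XP signature p0f named for that line.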
