Virus.Org Mailing List Archive


Re: Scans of 21536

  • To: [EMAIL PROTECTED]
  • Subject: Re: Scans of 21536
  • From: smarkacz <[EMAIL PROTECTED]>
  • Date: Sun, 14 Jan 2001 00:38:40 +0100
  • In-reply-to: <[EMAIL PROTECTED]>

"Fulton L. Preston Jr." <[EMAIL PROTECTED]> wrote:
> For the last few months I have seen scans for port 21536 from port 18245
> to my various web servers.  

I do not consider them `scans'. But they might be..

> I have searched the mail archives on SecurityFocus and have found
> several people on several lists ask about them and I found only one
> response, which seems ok, but I want to confirm it.
> 
> [EMAIL PROTECTED] wrote to the lists:
> 
> "We have seen it for several months[2] in Poland, these packets are
> generated by some brain damaged device (I don't know what this is); they
> would be correct TCP packets if something did not strip TCP header
> placing HTTP request right after the IP header. Look at the numbers and
> you'll see that such damaged packet will be resolved to `port 21536
> probe' - "GET " resolves to ports 18245 -> 21536."
> 
> He even claims to be able to reproduce it if he dials into some public
> ISP in Poland and connect to his machines on any port such as telnet or
> ssh.

I do not. Especially I do not claim to be able to make this device
(probably Nortel CVX) to damage my packets to appear as 18245>21536
when I use ssh, just because "SSH-" is not "GET ".

I have seen plenty of packets with this port pair in my firewall
logs and been amazed. I used to think they were generated by some
nmap-alike tool doing active OS fingerprint. I just couldn't imagine
why a fingerprinting tool would use fixed ports pair. Yes, it could
have been a lazy coder, but it made me run tcpdump to look into them,
and that's what I've found:

10:06:19.235208 213.76.114.40.18245 > 212.244.100.102.21536: SE
795438439:795438776(337) ack 794976622 win 12147 urg 28261
<[bad opt]> (DF)
  0000: 4500 017d 5d03 4000 7906 22a8 d54c 7228  E..}].@.y."..Lr(
  0010: d4f4 6466 4745 5420 2f69 6d67 2f62 616e  ..dfGET /img/ban
  0020: 6572 2f73 7964 6e65 7932 3030 302e 6a70  er/sydney2000.jp
  0030: 6720 4854 5450 2f31 2e31 0d0a 4163 6365  g HTTP/1.1..Acce
  0040: 7074 3a20 2a2f 2a0d 0a52 6566 6572 6572  pt: */*..Referer
  0050: 3a20                                     :

You can see a HTTP request for a JPEG image. Nice. But it starts at
offset 20, not 40 as it should (please, don't tell me about IP options
et al.). Your machine treats it as a normal packet, though, hence
`scans of 21536' are logged.

> I might accept this but the sources of the scans I see are from the US
> (I'm in the US too).  The scans so far have come from the west coast.

I was wrong. I considered it a misconfiguration of some kind of
transparent proxy. I've seen such packets `originating' only from
Polish Telecom public dialups. It's nothing strange, I run a firewall
protecting an e-commerce site targeted at Polish customers, but it
made me think of this issue as specific to PT. Again, I was wrong.

> Now if it is a misconfigured device I could believe the traffic to be
> innocent but what I get are actual slow scans across my various IP
> spaces in sequential order.  This would indicate a "scan" in my book and
> not just some odd device causing this from casual browsing (though it
> could be scans from behind a broken device, that makes it easy to "tag"
> as a signature for IDS)

Ports 18245>21536 are nothing special. But, using these ports you can
fingerprint some machines while being ignored by their admins ranting
at another braindamaged CVX(?).

> To make it even more complicated, not all scans look at port 80. Some
> don't even look at anything at all except port 21536.  Most do look for
> port 80 though after a connection is attempted to 21536.

First, HTTP service != port 80. I can easily configure most HTTP
servers to listen on an arbitrary port. Second, 18245>21536 packets
seem to be quite common, they can probably be used by some scanning or
fingerprinting tool now. Such a nice opportunity - use these ports and
your attempts will probably get ignored.

> I know a few people have seen this.  Anyone else lurking on the list
> seen this activity?  Anyone else have anything to offer on this? I am
> really interested in knowing if it is a router causing this.  If it
> isn't a router, what the heck are they looking for?

I don't know. I believe most of those packets are generated by the
above-mentioned device (CVX?), but someone could use them to
fingerprint your OS.
-- 
*** smarkacz ([EMAIL PROTECTED])  --  Jacek P. Szymański
Yet another Linux program reinvents America from scratch because there are
no ready-made solutions.
                                            -- Piotr Trzcionkowski
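The decoding below is an added example, not part of the original message: it takes the tcpdump hex bytes quoted above and parses them the way a firewall or tcpdump does, to show why an HTTP request sitting directly after the IP header is logged as an 18245 > 21536 "scan" (the bytes "GE" and "T " are read as the source and destination ports, "/img" as the sequence number, and so on), and then applies a few defender-side checks that tell such a headerless packet apart from a real TCP segment. The packet bytes are copied from the dump in the message; the check names and thresholds are this example's own assumptions, not anything the poster or tcpdump defines.

```python
"""Decode the 18245 > 21536 packet quoted in the message and flag why it is
not a real TCP segment.  Added example; the hex bytes come from the tcpdump
output in the message, everything else is this example's own construction."""
import re
import struct

# The 82 bytes tcpdump printed (it truncated the capture there; the IP total
# length field says the datagram was 381 bytes long).
CAPTURED_HEX = (
    "4500017d5d0340007906" "22a8d54c7228"
    "d4f46466" "47455420" "2f696d67" "2f62616e"
    "65722f73" "79646e65" "79323030" "302e6a70"
    "67204854" "54502f31" "2e310d0a" "41636365"
    "70743a20" "2a2f2a0d" "0a526566" "65726572"
    "3a20"
)
PACKET = bytes.fromhex(CAPTURED_HEX)

TCP_FLAG_NAMES = [(0x100, "NS"), (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"),
                  (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"),
                  (0x01, "FIN")]
KNOWN_TCP_OPTION_KINDS = {0, 1, 2, 3, 4, 5, 8}  # EOL NOP MSS WS SACKok SACK TS


def parse_ip(pkt):
    """Decode the fixed 20-byte IPv4 header."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len,
            "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
            "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst)}


def parse_tcp(segment, ip_total_len, ihl):
    """Decode whatever follows the IP header as a TCP header, exactly as a
    packet filter does, whether or not a TCP header is really there."""
    sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    options, bad_opt, i = segment[20:data_offset], False, 0
    while i < len(options):                 # walk the option TLVs
        kind = options[i]
        if kind in (0, 1):                  # EOL / NOP are one byte
            i += 1
            continue
        if (kind not in KNOWN_TCP_OPTION_KINDS or i + 1 >= len(options)
                or options[i + 1] < 2 or i + options[i + 1] > len(options)):
            bad_opt = True                  # what tcpdump prints as [bad opt]
            break
        i += options[i + 1]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "win": win,
            "urg": urg, "bad_opt": bad_opt,
            "payload_len": ip_total_len - ihl - data_offset}


def decode(pkt):
    ip = parse_ip(pkt)
    return {"ip": ip, "tcp": parse_tcp(pkt[ip["ihl"]:], ip["total_len"], ip["ihl"])}


def stripped_header_indicators(pkt):
    """Heuristics (this example's own) that a 'TCP header' is really the start
    of an application-layer request. Returns the reasons that fired."""
    ip = parse_ip(pkt)
    seg = pkt[ip["ihl"]:]
    tcp = parse_tcp(seg, ip["total_len"], ip["ihl"])
    reasons = []
    if all(0x20 <= b < 0x7F for b in seg[:20]):
        reasons.append("all 20 TCP header bytes are printable ASCII")
    if re.match(rb"^[A-Z]{3,7} /", seg[:8]):
        reasons.append("IP payload starts with an HTTP request line")
    if {"SYN", "ACK", "URG"} <= set(tcp["flags"]):
        reasons.append("SYN+ACK+URG is not a legitimate flag combination")
    if tcp["bad_opt"]:
        reasons.append("TCP options do not parse")
    return reasons


def http_request_line(pkt):
    """Read the IP payload as the HTTP request it actually is."""
    ip = parse_ip(pkt)
    return pkt[ip["ihl"]:].split(b"\r\n", 1)[0].decode("ascii")


if __name__ == "__main__":
    r = decode(PACKET)
    print(f'{r["ip"]["src"]}.{r["tcp"]["sport"]} > {r["ip"]["dst"]}.{r["tcp"]["dport"]}:'
          f' {"".join(f[0] for f in r["tcp"]["flags"])} seq {r["tcp"]["seq"]}'
          f' ack {r["tcp"]["ack"]} win {r["tcp"]["win"]} urg {r["tcp"]["urg"]}')
    print("really:", http_request_line(PACKET))
    for reason in stripped_header_indicators(PACKET):
        print(" -", reason)
```

Run as-is it reproduces the tcpdump summary line from the message (ports 18245 and 21536, seq 795438439, ack 794976622, win 12147, urg 28261, 337 payload bytes, bad options) and then prints the request line the packet actually carries. In a log-review or IDS context the indicator list is the useful part: a filter that only keys on the port pair will, as the poster notes, also swallow anything else sent with those ports, whereas "header bytes are printable ASCII and start with an HTTP method" identifies the broken-device traffic itself.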

Copyright (c) Virus.Org 1997-2006.