Network Security Incidents

Re: DOD Inside

Subject: Re: DOD Inside
Date: Sun, 9 Apr 2006 05:01:46 +0200 (CEST)
Hello,

> Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
> Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
> Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
> Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
> Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
> Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
> Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]

Finding the true origin of these packets might be easier if you provided a little more information. For example, are these the complete logs or just a part of them? Do you have logs of the actual packet contents or just these logs of the communication endpoints? What kind of a network is that router on (e.g. is it a border-router of a company, or a home network, ...)? Does it perform some kind of NAT for an internal network or is it just a simple switch-like router? If the router is on the border of a bigger network, were these packets captured at the external or the internal interface?


Now, here are a few of my _crazy_ speculations... One remarkable fact about those packets is that the source port number is equal to 0x3434 (maybe some kind of weird application which has overwritten its own data?) in all cases and the destination port numbers were always quite near the 1024 boundary; except for one case, when it was port 139 (looks pretty much like MS Windows, doesn't it?). Couldn't it have been some kind of messenger going wild?

> Based on the very low packet rate, my first guess is that somebody is doing an
> 'nmap idle scan' of your box (and they specified the 'stealth' mode that takes
> multiple days to do the scan to fly under the wire of most rate-based IDS
> triggers).

I may be wrong, but doesn't IPID idle scan work only for TCP connections/ports?


Just my 0.02 Euro,

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278


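The indicators Peter points at (one fixed source port across every probe, destination ports clustered just above 1024 with a single port-139 outlier, a packet rate of well under one per hour, and UDP rather than TCP) can be pulled out of the router log mechanically. The script below is an added example and not part of the original thread; it parses the quoted log lines (embedded here as constructed sample input, with the masked destination address kept as it appears) and reports those indicators. The 1024-1100 window used for "near the 1024 boundary" and the regular expression for this router's log format are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the router log lines quoted in the thread,
# each entry joined onto a single line. The destination address is masked
# exactly as it was in the posted logs.
SAMPLE_LOG = """\
Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]
"""

# Assumed pattern for this router's log format (an assumption for the example).
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+) +Destination:(?P<dst>[^,]+),(?P<dport>\d+)"
)

# Assumed window for "destination port near the 1024 boundary".
NEAR_1024 = range(1024, 1100)


def parse(log_text):
    """Turn router log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events


def summarize(events):
    """Derive the indicators discussed in the thread from parsed events."""
    if not events:
        return None
    sports = sorted({e["sport"] for e in events})
    dports = Counter(e["dport"] for e in events)
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    span_seconds = int((last - first).total_seconds())
    return {
        "packets": len(events),
        "protocols": sorted({e["proto"] for e in events}),
        "sources": sorted({e["src"] for e in events}),
        # One unchanging source port across every probe is not what an
        # OS-assigned ephemeral port looks like; show it as hex and as the two
        # ASCII bytes it would be if the field had been overwritten with text.
        "source_ports": sports,
        "source_port_hex": [f"0x{p:04x}" for p in sports],
        "source_port_ascii": [p.to_bytes(2, "big").decode("ascii", "replace") for p in sports],
        "dest_ports": dict(sorted(dports.items())),
        # Ports just above 1024 are where older Windows stacks start their
        # ephemeral range; anything below 1024 is a well-known service port.
        "dest_ports_near_1024": sorted(p for p in dports if p in NEAR_1024),
        "dest_ports_privileged": sorted(p for p in dports if p < 1024),
        "span_seconds": span_seconds,
        "packets_per_hour": round(len(events) / (span_seconds / 3600), 3) if span_seconds else None,
        # Nmap's idle (IPID) scan infers port state from how the zombie's IPID
        # advances in response to TCP SYN/ACK versus RST, so it needs TCP.
        "idle_scan_plausible": any(e["proto"] == "TCP" for e in events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the quoted lines it reports eleven UDP packets from one source over a span of just over thirty hours, a single source port 13364 (0x3434), five hits on 1035 among destination ports 1027 to 1035, port 139 as the only privileged-port target, and no TCP at all, which is the condition an IPID idle scan would need.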