system check message question

Jeffrey Wong jmwong at math.ed.hawaii.edu
Tue May 1 11:05:07 PDT 2001


A lot of the time, attackers are not really interested in getting a direct
response from a target computer.  One of the attacks that has been under
discussion recently involves a trojan program which opens a raw socket and
listens for traffic that matches a particular pattern.  Because it uses a
raw socket, it acts similar to a promiscuous interface and isn't fully
bound to a particular port number.  This way it won't show up as an open
socket on port scans.  Once it finds a 'trigger' packet it will fully bind
to a port for x amount of time and send an 'I am rooted' message to
wherever it's set for.  Since these types of attacks do not directly
contact the attacking host, spoofed IPs work fine.  I'm sure there are
other uses for spoofed IPs besides this and DOS attacks.

Note:  Last I heard several of these single packet to port 31137 incidents
have been tracked back to a road runner address.  If you're interested in
keeping up with the latest in security, etc. check out
www.securityfocus.com .  They have several mailing lists for security
issues and get a lot of traffic.  Too much traffic actually, I find myself
just hitting delete on those messages automatically :(

Jeff Wong


On Tue, 1 May 2001, jay wrote:

> what i don't understand is where would spoofing 1.2.3.4 get you
> unless you were either using loose source routing or sniffing
> traffic on the same wire and could see an ack go out?
> that one entry doesn't look like an attempt at a DDOS.  unless
> they were using the nmap decoy option, but then you'd be seeing
> other scans on that port by different IPs...
>
> am i thinking about this too much?
> time for a nap.
>
> =jay
>
> On Mon, 30 Apr 2001, Jeffrey Wong wrote:
>
> > There have been a lot of reports of people seeing the exact same thing over
> > the last two weeks.  I haven't really heard much about it besides that it's
> > been seen though.  It seems to (so far) be just a passive scan with no
> > accompanying attacks, although I'd assume that if you do have Back Orifice
> > installed . . .  1.2.3.4 is just one of the more commonly spoofed IPs.
> > In fact it's used as an example IP in a lot of different places.  I guess
> > these new script kiddies either have no imagination, or no idea that they
> > can change it ;)
> >
> > Jeff Wong
> >
> > On Mon, 30 Apr 2001, Ben Beeson wrote:
> >
> > > Aloha all,
> > >
> > > 	The below line appeared in my /var/log/messages file and I am curious
> > > about it.  I think port 31337 is for Back Orifice, a Windows attack that I
> > > should be relatively immune to.  However, that said, I am curious how the IP
> > > address 1.2.3.4 materialized.  I am not sure that this is a 'legal' address.
> > > 'dig' returns nothing.....  Has anyone else seen this???
> > >
> > > Thanks,
> > >
> > > Ben
> > >
> > >
> > > Security Violations
> > > =-=-=-=-=-=-=-=-=-=
> > > Apr 29 16:50:39 kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.94.83.89:31337 L=81 S=0x00 I=20326 F=0x0000 T=111 (#8)
> > >
> > > ---
> > > You are currently subscribed to luau as: jmwong at math.ed.hawaii.edu
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > >
> >
> >
> >
>
>
>
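The log line Ben posted is in the ipchains "Packet log:" format, and the thread's two questions (is 31337 the Back Orifice port, and is 1.2.3.4 a spoofed or bogus source?) are exactly the checks a small log triage script can answer. The following is an added example, not code from anyone in the thread: it parses ipchains packet-log lines from /var/log/messages, flags the trojan port and the commonly spoofed source address mentioned above, flags sources that should never appear on an external interface (private, loopback, multicast), and counts distinct sources per destination port so that a single probe can be told apart from the many-source pattern jay attributes to nmap decoys. The sample lines other than the one from the thread are constructed, and the TROJAN_PORTS table and COMMONLY_SPOOFED set hold only the values the thread itself mentions.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regex for the ipchains "Packet log:" line format shown in the thread.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?\s*$"
)


@dataclass
class PacketLog:
    ts: str
    chain: str
    action: str
    iface: str
    proto: int        # IP protocol number: 17 = UDP, 6 = TCP
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    rule: Optional[int]   # ipchains rule number, from the trailing "(#N)"


def parse_line(line: str) -> Optional[PacketLog]:
    """Parse one ipchains packet-log line; return None for any other syslog line."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return PacketLog(
        ts=g["ts"], chain=g["chain"], action=g["action"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        ttl=int(g["ttl"]), rule=int(g["rule"]) if g["rule"] else None,
    )


# Port associations named in the thread (Back Orifice on UDP 31337).
TROJAN_PORTS: Dict[int, str] = {31337: "Back Orifice"}

# Source addresses the thread notes are commonly spoofed / used as examples.
COMMONLY_SPOOFED = {ipaddress.ip_address("1.2.3.4")}


def assess(pkt: PacketLog) -> List[str]:
    """Return a list of finding tags for one parsed packet-log entry."""
    findings: List[str] = []
    name = TROJAN_PORTS.get(pkt.dport)
    if name and pkt.proto == 17:
        findings.append(f"trojan_port:{pkt.dport}:{name}")
    src = ipaddress.ip_address(pkt.src)
    if src in COMMONLY_SPOOFED:
        findings.append("commonly_spoofed_source")
    # RFC 1918, loopback, multicast, and 0.0.0.0 never legitimately arrive
    # on an external interface; their presence means a spoofed or bogus source.
    if src.is_private or src.is_loopback or src.is_multicast or src.is_unspecified:
        findings.append("bogon_source")
    return findings


def probe_summary(lines: List[str]) -> Dict[int, int]:
    """Count distinct source addresses per destination port among DENY entries.

    One source on a port looks like the single passive probe in the thread;
    many sources hitting the same port in the same window is the decoy pattern.
    """
    per_port: Dict[int, set] = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.action != "DENY":
            continue
        per_port.setdefault(pkt.dport, set()).add(pkt.src)
    return {port: len(srcs) for port, srcs in per_port.items()}


# Constructed sample log: the first line is the one from the thread, the rest
# are made up for the example (10.0.0.5 is RFC 1918; 24.94.83.1 stands in for
# a hypothetical upstream DNS server in the same netblock as the logging host).
SAMPLE_LOG = [
    "Apr 29 16:50:39 kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.94.83.89:31337 L=81 S=0x00 I=20326 F=0x0000 T=111 (#8)",
    "Apr 29 16:51:02 kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:1024 24.94.83.89:31337 L=81 S=0x00 I=20327 F=0x0000 T=111 (#8)",
    "Apr 29 16:51:10 kernel: Packet log: input ACCEPT eth0 PROTO=17 24.94.83.1:53 24.94.83.89:1025 L=120 S=0x00 I=4411 F=0x0000 T=52 (#3)",
    "Apr 29 16:51:11 kernel: some unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        pkt = parse_line(line)
        if pkt is not None:
            print(pkt.src, "->", f"{pkt.dst}:{pkt.dport}", pkt.action, assess(pkt))
    print("distinct sources per denied port:", probe_summary(SAMPLE_LOG))
```

Feed it `grep 'Packet log' /var/log/messages` and the per-port counts are what distinguish the one-off 1.2.3.4 entry in the thread from a scan with decoys; the bogon check catches spoofed sources that no amount of `dig` will resolve.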