This is a discussion on Re: [Snort-users] Suspect activity: proxy scan attempts, SNMP access, etc within the Snort forums, part of the System Security and Security Related category.
Hello all,

Is it possible no one can explain these traces????

----- Original Message -----
From: "Saken Seifullin" <demetrius13@mail.ru>
To: <snort-users@lists.sourceforge.net>
Sent: Friday, May 28, 2004 11:33 AM
Subject: [Snort-users] Suspect activity: proxy scan attempts, SNMP access, etc

> Hello all,
>
> I've noticed very suspect activity from one of the hosts of our corporate B-network. Here is a piece of a Snort log file (I changed the IP of the suspect host to 10.1.1.1, our IP to 10.2.2.2, and the third-party IP of the ISP router to 11.1.1.1). Please, could you help me identify what happened? Thanks a lot in advance!
>
> P.S. I tried to log on to https://10.1.1.1 using a web browser and I saw a web page with a "PROTEGO Networks" logotype and an invitation to log in using a name and password. It seems one of PROTEGO Networks' products is installed on that host.
>
> [**] [1:368:4] ICMP PING BSDtype [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:04.125738 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
> 10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
> Type:8 Code:0 ID:36641 Seq:0 ECHO
> [Xref => http://www.whitehats.com/info/IDS152]
>
> [**] [1:368:4] ICMP PING BSDtype [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:05.120881 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
> 10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
> Type:8 Code:0 ID:36641 Seq:256 ECHO
> [Xref => http://www.whitehats.com/info/IDS152]
>
> [**] [1:469:1] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:05.227082 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x3C
> 10.1.1.1 -> 10.2.2.2 ICMP TTL:56 TOS:0x0 ID:3913 IpLen:20 DgmLen:28
> Type:8 Code:0 ID:24939 Seq:7060 ECHO
> [Xref => http://www.whitehats.com/info/IDS162]
>
> [**] [1:615:5] SCAN SOCKS Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xC68E68AE Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 3105055 0 NOP WS: 0
> [Xref => http://help.undernet.org/proxyscan/]
>
> [**] [1:1418:3] SNMP request tcp [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:11.269691 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:33031 -> 10.2.2.2:161 TCP TTL:61 TOS:0x0 ID:17572 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xC6C2256F Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 3105227 0 NOP WS: 0
> [Xref => http://cve.mitre.org/cgi-bin/cvename...CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename...CAN-2002-0012]
>
> [**] [1:620:6] SCAN Proxy Port 8080 attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:18.118107 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:33557 -> 10.2.2.2:8080 TCP TTL:61 TOS:0x0 ID:19425 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xC8032F94 Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 3105909 0 NOP WS: 0
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x103A666
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:19.087067 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34330 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6668 -> 10.1.1.1:33612 TCP TTL:126 TOS:0x0 ID:1624 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x402A766
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:19.787549 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34453 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6668 -> 10.1.1.1:33654 TCP TTL:126 TOS:0x0 ID:1667 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x402A766
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:21.176282 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34734 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6667 -> 10.1.1.1:33789 TCP TTL:126 TOS:0x0 ID:1800 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x4838A966
> ** END OF DUMP
>
> [**] [1:618:5] SCAN Squid Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:21.527533 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:33879 -> 10.2.2.2:3128 TCP TTL:61 TOS:0x0 ID:41907 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xC7A6C676 Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 3106245 0 NOP WS: 0
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:21.819154 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34935 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6666 -> 10.1.1.1:33892 TCP TTL:126 TOS:0x0 ID:1902 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x103AA66
> ** END OF DUMP
>
> [**] [1:1420:3] SNMP trap tcp [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:22.162782 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:33943 -> 10.2.2.2:162 TCP TTL:61 TOS:0x0 ID:26627 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xC7BA0E01 Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 3106306 0 NOP WS: 0
> [Xref => http://cve.mitre.org/cgi-bin/cvename...CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename...CAN-2002-0012]
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:22.598958 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35094 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6666 -> 10.1.1.1:33971 TCP TTL:126 TOS:0x0 ID:1980 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x103AA66
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:23.103595 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35172 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6666 -> 10.1.1.1:34005 TCP TTL:126 TOS:0x0 ID:2014 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x402080A
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:23.777658 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35193 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6666 -> 10.1.1.1:34006 TCP TTL:126 TOS:0x0 ID:2015 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x4600
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:24.415184 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35214 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6666 -> 10.1.1.1:34009 TCP TTL:126 TOS:0x0 ID:2016 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x103AC66
> ** END OF DUMP
>
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/27-10:55:25.038100 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35221 IpLen:20 DgmLen:56
> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
> PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 10.2.2.2:6666 -> 10.1.1.1:34012 TCP TTL:126 TOS:0x0 ID:2017 IpLen:20 DgmLen:40
> Seq: 0x0 Ack: 0x402080A
> ** END OF DUMP
>
> [**] [1:628:3] SCAN nmap TCP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:25.470114 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:44347 -> 10.2.2.2:1 TCP TTL:46 TOS:0x0 ID:62358 IpLen:20 DgmLen:60
> ***A**** Seq: 0x2D50C05C Ack: 0x0 Win: 0x800 TcpLen: 40
> TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
> [Xref => http://www.whitehats.com/info/IDS28]
>
> [**] [1:1228:3] SCAN nmap XMAS [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 05/27-10:55:25.473381 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
> 10.1.1.1:44348 -> 10.2.2.2:1 TCP TTL:41 TOS:0x0 ID:26303 IpLen:20 DgmLen:60
> **U*P**F Seq: 0x2D50C05C Ack: 0x0 Win: 0x400 TcpLen: 40 UrgPtr: 0x0
> TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
> [Xref => http://www.whitehats.com/info/IDS30]
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
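As an added example (not part of the thread), a small Python parser for Snort "full" alert records like those quoted above. It splits records, pulls out the IP header fields and, for the ICMP "administratively prohibited" alerts, the embedded original datagram. Reading each dump as our host's reply to a probe of that port (an inference, not something the thread states), the two together list the ports on 10.2.2.2 the scanner touched, including 6666-6668, which no Snort rule fired on and which only surface because the ISP router bounced the replies. Sample records are constructed in the thread's format; `parse_alerts` and `ports_touched` are names I chose.

```python
import re
from collections import defaultdict
# Constructed sample in Snort "full" alert format, modelled on the thread's records
# (same sanitized addresses: 10.1.1.1 scanner, 10.2.2.2 our host, 11.1.1.1 ISP router).
SAMPLE = """\
[**] [1:615:5] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC68E68AE Ack: 0x0 Win: 0x16D0 TcpLen: 40

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
Seq: 0x0 Ack: 0x103A666
** END OF DUMP
"""
HDR = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
IPL = re.compile(r"^([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))? (\w+) ")

def parse_alerts(text):
    """One dict per alert; an ICMP error's embedded original datagram goes under 'orig'."""
    alerts = []
    for rec in text.strip().split("\n\n"):
        lines = rec.splitlines()
        hdr = HDR.match(lines[0])
        ips = [m for m in map(IPL.match, lines) if m]  # IP header line(s) in the record
        if not hdr or not ips:
            continue
        a = {"sid": int(hdr.group(2)), "msg": hdr.group(4), "time": lines[2].split()[0]}
        a.update(zip(("src", "sport", "dst", "dport", "proto"), ips[0].groups()))
        if len(ips) > 1:  # second IP line = the datagram the router rejected
            a["orig"] = dict(zip(("src", "sport", "dst", "dport"), ips[1].groups()))
        alerts.append(a)
    return alerts

def ports_touched(alerts, ours):
    """Ports on `ours` each remote host probed: direct alerts plus ports revealed by bounced replies."""
    seen = defaultdict(set)
    for a in alerts:
        if a["dst"] == ours and a["dport"]:
            seen[a["src"]].add(int(a["dport"]))
        if (o := a.get("orig")) and o["src"] == ours and o["sport"]:
            seen[o["dst"]].add(int(o["sport"]))
    return {src: sorted(ports) for src, ports in seen.items()}
```

Run over the full log from the thread, the same functions give the whole sequence (ICMP ping, 1080, 161, 8080, 6666-6668, 3128, 162, nmap probes to port 1) keyed by 10.1.1.1.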