
List:       nmap-dev
Subject:    Service Probe Help Needed for mydoom probe
From:       Jay Moran <jay () tp ! org>
Date:       2004-01-30 4:21:03
Message-ID: Pine.LNX.4.58.0401292306330.18679 () tp ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I had created a service probe for the mydoom mass mailing worm's backdoor
that is installed on infection on various ports (3127/tcp for example) and
am getting inconsistent results.  Sometimes (no pattern that I can tell)
nmap gives this while debugging:

NSOCK (0.0480s) Callback: READ ERROR [Connection reset by peer] for EID 26
[10.4.58.183:3127]

instead of:

NSOCK (0.0490s) Callback: READ SUCCESS for EID 26 [10.4.58.183:3127] (8
bytes): .[......

It is like nmap is getting the RST packet before the actual PSH packet
with the response data which is: \x04\x5b\0\0\0\0\0\0. The packets are
coming in order according to tcpdump, so I don't understand why sometimes
it seems to not see the response and only the RST packet. Any ideas? Think
I'm just doing something wrong and I should go investigate more?

I've attached the probe that I'm using, a debug'd output of nmap, and the
corresponding tcpdump.

Thanks,
Jay


####################### mydoom backdoor PROBE ##########################
Probe TCP mydoom q|\x0d\x0d|
ports 3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| v/mydoom/v012604//



[jay@erwin mydoom]$ nmap -A -sT -P0 -T4 -p3127 --version_trace -vv -d -d -d 10.4.58.183

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-29 22:34
EST
The max # of sockets we are using is: 0
The first host is 10, and the last one is 10
The first host is 4, and the last one is 4
The first host is 58, and the last one is 58
The first host is 183, and the last one is 183
doing 0.0.0.0 = 10.4.58.183
Host 10.4.58.183 appears to be up ... good.
Starting pos_scan (Connect() Scan)
Initiating Connect() Scan against 10.4.58.183 at 22:34
Sending initial query to port/prog 3127
Ideal number of queries: 30 outstanding: 1 max 1020 ports_left 1 timeout
800000 senddelay: 0us
portnumber 3127 (try 0) selected for WRITE
Timeout vals: srtt: -1 rttvar: -1 to: 800000 delta 14298 ==> srtt: 14298
rttvar: 14298 to: 300000
Adding open port 3127/tcp
Finished round #1. Current stats: numqueries_ideal: 30; min_width: 1;
max_width: 1020; packet_incr: 4; senddelay: 0us; fallback: 69%
The Connect() Scan took 0 seconds to scan 1 ports.
Fetchfile found ./nmap-service-probes

Initiating service scan against 1 service on 1 host at 22:34
Starting probes against new service: 10.4.58.183:3127 (tcp)
NSOCK (0.0200s) TCP connection requested to 10.4.58.183:3127 (IOD #1) EID
8
NSOCK (0.0200s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0340s) Callback: CONNECT SUCCESS for EID 8 [10.4.58.183:3127]
NSOCK (0.0340s) Write request for 2 bytes to IOD #1 EID 19
[10.4.58.183:3127]: ..
NSOCK (0.0340s) Read request from IOD #1 [10.4.58.183:3127] (timeout:
5000ms) EID 26
NSOCK (0.0340s) Callback: WRITE SUCCESS for EID 19 [10.4.58.183:3127]
NSOCK (0.0480s) Callback: READ SUCCESS for EID 26 [10.4.58.183:3127] (8
bytes): .[......
Service scan match: 10.4.58.183:3127 is mydoom.  Version:
|mydoom|v012604||
The service scan took 0 seconds to scan 1 service on 1 host.
Starting pos_scan (RPCGrind Scan)
Fetchfile found /usr/local/share/nmap/nmap-rpc

Interesting ports on 10.4.58.183:
PORT     STATE SERVICE VERSION
3127/tcp open  mydoom  mydoom v012604
Final times for host: srtt: 14298 rttvar: 14298  to: 300000

Nmap run completed -- 1 IP address (1 host up) scanned in 0.052 seconds
[jay@erwin mydoom]$ nmap -A -sT -P0 -T4 -p3127 --version_trace -vv -d -d -d 10.4.58.183

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-29 22:34
EST
The max # of sockets we are using is: 0
The first host is 10, and the last one is 10
The first host is 4, and the last one is 4
The first host is 58, and the last one is 58
The first host is 183, and the last one is 183
doing 0.0.0.0 = 10.4.58.183
Host 10.4.58.183 appears to be up ... good.
Starting pos_scan (Connect() Scan)
Initiating Connect() Scan against 10.4.58.183 at 22:34
Sending initial query to port/prog 3127
Ideal number of queries: 30 outstanding: 1 max 1020 ports_left 1 timeout
800000 senddelay: 0us
Ideal number of queries: 30 outstanding: 1 max 1020 ports_left 1 timeout
800000 senddelay: 0us
portnumber 3127 (try 0) selected for WRITE
Timeout vals: srtt: -1 rttvar: -1 to: 800000 delta 14245 ==> srtt: 14245
rttvar: 14245 to: 300000
Adding open port 3127/tcp
Finished round #1. Current stats: numqueries_ideal: 30; min_width: 1;
max_width: 1020; packet_incr: 4; senddelay: 0us; fallback: 69%
The Connect() Scan took 0 seconds to scan 1 ports.
Fetchfile found ./nmap-service-probes

Initiating service scan against 1 service on 1 host at 22:34
Starting probes against new service: 10.4.58.183:3127 (tcp)
NSOCK (0.0200s) TCP connection requested to 10.4.58.183:3127 (IOD #1) EID
8
NSOCK (0.0200s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0340s) Callback: CONNECT SUCCESS for EID 8 [10.4.58.183:3127]
NSOCK (0.0340s) Write request for 2 bytes to IOD #1 EID 19
[10.4.58.183:3127]: ..
NSOCK (0.0340s) Read request from IOD #1 [10.4.58.183:3127] (timeout:
5000ms) EID 26
NSOCK (0.0340s) Callback: WRITE SUCCESS for EID 19 [10.4.58.183:3127]
NSOCK (0.0480s) Callback: READ ERROR [Connection reset by peer] for EID 26
[10.4.58.183:3127]
The service scan took 0 seconds to scan 1 service on 1 host.
Starting pos_scan (RPCGrind Scan)
Fetchfile found /usr/local/share/nmap/nmap-rpc

Fetchfile found /usr/local/share/nmap/nmap-services

Interesting ports on 10.4.58.183:
PORT     STATE SERVICE VERSION
3127/tcp open  unknown
Final times for host: srtt: 14245 rttvar: 14245  to: 300000

Nmap run completed -- 1 IP address (1 host up) scanned in 0.058 seconds
[jay@erwin mydoom]$




22:34:23.358697 erwin.46664 > 10.4.58.183.3127: S [tcp sum
ok] 1576839834:1576839834(0) win 5840 <mss 1460,sackOK,timestamp 443881373
0,nop,wscale 0> (DF) (ttl 64, id 48391, len 60)
0x0000   4500 003c bd07 4000 4006 4a67 0ab4 e3de        E..<..@.@.Jg....
0x0010   0a04 3ab7 b648 0c37 5dfc aa9a 0000 0000        ..:..H.7].......
0x0020   a002 16d0 00c1 0000 0204 05b4 0402 080a        ................
0x0030   1a75 179d 0000 0000 0103 0300                  .u..........
22:34:23.372563 10.4.58.183.3127 > erwin.46664: S [tcp sum
ok] 1183553860:1183553860(0) ack 1576839835 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47188, len 64)
0x0000   4500 0040 b854 4000 7b06 1416 0a04 3ab7        E..@.T@.{.....:.
0x0010   0ab4 e3de 0c37 b648 468b 9944 5dfc aa9b        .....7.HF..D]...
0x0020   b012 ffff 57bc 0000 0204 05b4 0103 0300        ....W...........
0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
22:34:23.372598 erwin.46664 > 10.4.58.183.3127: . [tcp sum
ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881374 0> (DF) (ttl 64, id
48392, len 52)
0x0000   4500 0034 bd08 4000 4006 4a6e 0ab4 e3de        E..4..@.@.Jn....
0x0010   0a04 3ab7 b648 0c37 5dfc aa9b 468b 9945        ..:..H.7]...F..E
0x0020   8010 16d0 4fa4 0000 0101 080a 1a75 179e        ....O........u..
0x0030   0000 0000                                      ....
22:34:23.372930 erwin.46664 > 10.4.58.183.3127: R [tcp sum
ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881374 0> (DF) (ttl 64, id
48393, len 52)
0x0000   4500 0034 bd09 4000 4006 4a6d 0ab4 e3de        E..4..@.@.Jm....
0x0010   0a04 3ab7 b648 0c37 5dfc aa9b 468b 9945        ..:..H.7]...F..E
0x0020   8014 16d0 4fa0 0000 0101 080a 1a75 179e        ....O........u..
0x0030   0000 0000                                      ....
22:34:23.374352 erwin.46665 > 10.4.58.183.3127: S [tcp sum
ok] 1577111135:1577111135(0) win 5840 <mss 1460,sackOK,timestamp 443881375
0,nop,wscale 0> (DF) (ttl 64, id 55744, len 60)
0x0000   4500 003c d9c0 4000 4006 2dae 0ab4 e3de        E..<..@.@.-.....
0x0010   0a04 3ab7 b649 0c37 5e00 ce5f 0000 0000        ..:..I.7^.._....
0x0020   a002 16d0 dcf4 0000 0204 05b4 0402 080a        ................
0x0030   1a75 179f 0000 0000 0103 0300                  .u..........
22:34:23.388088 10.4.58.183.3127 > erwin.46665: S [tcp sum
ok] 1183614037:1183614037(0) ack 1577111136 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47189, len 64)
0x0000   4500 0040 b855 4000 7b06 1415 0a04 3ab7        E..@.U@.{.....:.
0x0010   0ab4 e3de 0c37 b649 468c 8455 5e00 ce60        .....7.IF..U^..`
0x0020   b012 ffff 48e0 0000 0204 05b4 0103 0300        ....H...........
0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
22:34:23.388118 erwin.46665 > 10.4.58.183.3127: . [tcp sum
ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881376 0> (DF) (ttl 64, id
55745, len 52)
0x0000   4500 0034 d9c1 4000 4006 2db5 0ab4 e3de        E..4..@.@.-.....
0x0010   0a04 3ab7 b649 0c37 5e00 ce60 468c 8456        ..:..I.7^..`F..V
0x0020   8010 16d0 40c6 0000 0101 080a 1a75 17a0        ....@........u..
0x0030   0000 0000                                      ....
22:34:23.388499 erwin.46665 > 10.4.58.183.3127: P [tcp sum
ok] 1:3(2) ack 1 win 5840 <nop,nop,timestamp 443881376 0> (DF) (ttl 64, id
55746, len 54)
0x0000   4500 0036 d9c2 4000 4006 2db2 0ab4 e3de        E..6..@.@.-.....
0x0010   0a04 3ab7 b649 0c37 5e00 ce60 468c 8456        ..:..I.7^..`F..V
0x0020   8018 16d0 33af 0000 0101 080a 1a75 17a0        ....3........u..
0x0030   0000 0000 0d0d                                 ......
22:34:23.402217 10.4.58.183.3127 > erwin.46665: P [tcp sum
ok] 1:9(8) ack 3 win 65533 <nop,nop,timestamp 5306543 443881376> (DF) (ttl
123, id 47190, len 60)
0x0000   4500 003c b856 4000 7b06 1418 0a04 3ab7        E..<.V@.{.....:.
0x0010   0ab4 e3de 0c37 b649 468c 8456 5e00 ce62        .....7.IF..V^..b
0x0020   8018 fffd 5a2b 0000 0101 080a 0050 f8af        ....Z+.......P..
0x0030   1a75 17a0 045b 0000 0000 0000                  .u...[......
22:34:23.402246 erwin.46665 > 10.4.58.183.3127: . [tcp sum
ok] 3:3(0) ack 9 win 5840 <nop,nop,timestamp 443881377 5306543> (DF) (ttl
64, id 55747, len 52)
0x0000   4500 0034 d9c3 4000 4006 2db3 0ab4 e3de        E..4..@.@.-.....
0x0010   0a04 3ab7 b649 0c37 5e00 ce62 468c 845e        ..:..I.7^..bF..^
0x0020   8010 16d0 47bb 0000 0101 080a 1a75 17a1        ....G........u..
0x0030   0050 f8af                                      .P..
22:34:23.402495 10.4.58.183.3127 > erwin.com.46665: R [tcp sum
ok] 1183614046:1183614046(0) win 0 (DF) (ttl 123, id 47191, len 40)
0x0000   4500 0028 b857 4000 7b06 142b 0a04 3ab7        E..(.W@.{..+..:.
0x0010   0ab4 e3de 0c37 b649 468c 845e 5e00 ce62        .....7.IF..^^..b
0x0020   5004 0000 c2c4 0000 0000 0000 0000             P.............
22:34:23.415766 10.4.58.183.3127 > erwin.46665: R [tcp sum
ok] 1183614046:1183614046(0) win 0 (ttl 123, id 47192, len 40)
0x0000   4500 0028 b858 0000 7b06 542a 0a04 3ab7        E..(.X..{.T*..:.
0x0010   0ab4 e3de 0c37 b649 468c 845e 468c 845e        .....7.IF..^F..^
0x0020   5004 0000 243d 0000 0000 0000 0000             P...$=........
22:34:27.574157 erwin.46666 > 10.4.58.183.3127: S [tcp sum
ok] 1575460118:1575460118(0) win 5840 <mss 1460,sackOK,timestamp 443881794
0,nop,wscale 0> (DF) (ttl 64, id 33876, len 60)
0x0000   4500 003c 8454 4000 4006 831a 0ab4 e3de        E..<.T@.@.......
0x0010   0a04 3ab7 b64a 0c37 5de7 9d16 0000 0000        ..:..J.7].......
0x0020   a002 16d0 0cb3 0000 0204 05b4 0402 080a        ................
0x0030   1a75 1942 0000 0000 0103 0300                  .u.B........
22:34:27.587984 10.4.58.183.3127 > erwin.46666: S [tcp sum
ok] 1184708402:1184708402(0) ack 1575460119 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47215, len 64)
0x0000   4500 0040 b86f 4000 7b06 13fb 0a04 3ab7        E..@.o@.{.....:.
0x0010   0ab4 e3de 0c37 b64a 469d 3732 5de7 9d17        .....7.JF.72]...
0x0020   b012 ffff c753 0000 0204 05b4 0103 0300        .....S..........
0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
22:34:27.588018 erwin.46666 > 10.4.58.183.3127: . [tcp sum
ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881796 0> (DF) (ttl 64, id
33877, len 52)
0x0000   4500 0034 8455 4000 4006 8321 0ab4 e3de        E..4.U@.@..!....
0x0010   0a04 3ab7 b64a 0c37 5de7 9d17 469d 3733        ..:..J.7]...F.73
0x0020   8010 16d0 bd95 0000 0101 080a 1a75 1944        .............u.D
0x0030   0000 0000                                      ....
22:34:27.588342 erwin.46666 > 10.4.58.183.3127: R [tcp sum
ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881796 0> (DF) (ttl 64, id
33878, len 52)
0x0000   4500 0034 8456 4000 4006 8320 0ab4 e3de        E..4.V@.@.......
0x0010   0a04 3ab7 b64a 0c37 5de7 9d17 469d 3733        ..:..J.7]...F.73
0x0020   8014 16d0 bd91 0000 0101 080a 1a75 1944        .............u.D
0x0030   0000 0000                                      ....
22:34:27.589755 erwin.46667 > 10.4.58.183.3127: S [tcp sum
ok] 1573311783:1573311783(0) win 5840 <mss 1460,sackOK,timestamp 443881796
0,nop,wscale 0> (DF) (ttl 64, id 52323, len 60)
0x0000   4500 003c cc63 4000 4006 3b0b 0ab4 e3de        E..<.c@.@.;.....
0x0010   0a04 3ab7 b64b 0c37 5dc6 d527 0000 0000        ..:..K.7]..'....
0x0020   a002 16d0 d4bf 0000 0204 05b4 0402 080a        ................
0x0030   1a75 1944 0000 0000 0103 0300                  .u.D........
22:34:27.603548 10.4.58.183.3127 > erwin.46667: S [tcp sum
ok] 1184773866:1184773866(0) ack 1573311784 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 123, id 47217, len 64)
0x0000   4500 0040 b871 4000 7b06 13f9 0a04 3ab7        E..@.q@.{.....:.
0x0010   0ab4 e3de 0c37 b64b 469e 36ea 5dc6 d528        .....7.KF.6.]..(
0x0020   b012 ffff 8fa9 0000 0204 05b4 0103 0300        ................
0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
22:34:27.603578 erwin.46667 > 10.4.58.183.3127: . [tcp sum
ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 443881797 0> (DF) (ttl 64, id
52324, len 52)
0x0000   4500 0034 cc64 4000 4006 3b12 0ab4 e3de        E..4.d@.@.;.....
0x0010   0a04 3ab7 b64b 0c37 5dc6 d528 469e 36eb        ..:..K.7]..(F.6.
0x0020   8010 16d0 85ea 0000 0101 080a 1a75 1945        .............u.E
0x0030   0000 0000                                      ....
22:34:27.603934 erwin.46667 > 10.4.58.183.3127: P [tcp sum
ok] 1:3(2) ack 1 win 5840 <nop,nop,timestamp 443881797 0> (DF) (ttl 64, id
52325, len 54)
0x0000   4500 0036 cc65 4000 4006 3b0f 0ab4 e3de        E..6.e@.@.;.....
0x0010   0a04 3ab7 b64b 0c37 5dc6 d528 469e 36eb        ..:..K.7]..(F.6.
0x0020   8018 16d0 78d3 0000 0101 080a 1a75 1945        ....x........u.E
0x0030   0000 0000 0d0d                                 ......
22:34:27.617637 10.4.58.183.3127 > erwin.46667: P [tcp sum
ok] 1:9(8) ack 3 win 65533 <nop,nop,timestamp 5306585 443881797> (DF) (ttl
123, id 47218, len 60)
0x0000   4500 003c b872 4000 7b06 13fc 0a04 3ab7        E..<.r@.{.....:.
0x0010   0ab4 e3de 0c37 b64b 469e 36eb 5dc6 d52a        .....7.KF.6.]..*
0x0020   8018 fffd 9f25 0000 0101 080a 0050 f8d9        .....%.......P..
0x0030   1a75 1945 045b 0000 0000 0000                  .u.E.[......
22:34:27.617667 erwin.46667 > 10.4.58.183.3127: . [tcp sum
ok] 3:3(0) ack 9 win 5840 <nop,nop,timestamp 443881799 5306585> (DF) (ttl
64, id 52326, len 52)
0x0000   4500 0034 cc66 4000 4006 3b10 0ab4 e3de        E..4.f@.@.;.....
0x0010   0a04 3ab7 b64b 0c37 5dc6 d52a 469e 36f3        ..:..K.7]..*F.6.
0x0020   8010 16d0 8cb4 0000 0101 080a 1a75 1947        .............u.G
0x0030   0050 f8d9                                      .P..
22:34:27.617833 10.4.58.183.3127 > erwin.46667: R [tcp sum
ok] 1184773875:1184773875(0) win 0 (DF) (ttl 123, id 47219, len 40)
0x0000   4500 0028 b873 4000 7b06 140f 0a04 3ab7        E..(.s@.{.....:.
0x0010   0ab4 e3de 0c37 b64b 469e 36f3 5dc6 d52a        .....7.KF.6.]..*
0x0020   5004 0000 098e 0000 0000 0000 0000             P.............
22:34:27.631227 10.4.58.183.3127 > erwin.46667: R [tcp sum
ok] 1184773875:1184773875(0) win 0 (ttl 123, id 47220, len 40)
0x0000   4500 0028 b874 0000 7b06 540e 0a04 3ab7        E..(.t..{.T...:.
0x0010   0ab4 e3de 0c37 b64b 469e 36f3 469e 36f3        .....7.KF.6.F.6.
0x0020   5004 0000 beed 0000 0000 0000 0000             P.............
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAGdu0zbg5T540J6ARAuawAJsG7DkuOvqdpWHOWmeGi1DkFWTwbgCfTfw1
0PxyPjNdIiNG6cmnklJiTy4=
=ika/
-----END PGP SIGNATURE-----
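The post's own data, replayed as an added example that is not part of the original message and is not nmap's code: a Python script that parses the tcpdump hex dump above into packets, slices the TCP payload out of each, runs it against the `match` line of the probe entry, and measures how many microseconds the backdoor's RST arrives after its 8-byte reply. The probe reader (covering only the three directives the post uses), the packet slicing and the names `parse_probe`, `parse_tcpdump`, `fingerprint` and `analyse` are this example's own; the sample input is constructed from the capture above (the server-side data and RST segments for client ports 46665 and 46667, with the ASCII column dropped and the wrapped summary lines rejoined).

```python
"""Replay the race in the post from its own tcpdump output (added example, not nmap's
code): parse tcpdump -x lines, match each reply against the probe, time data -> RST."""
import re
from collections import defaultdict

# Probe entry copied from the post (3.50-era v/product/version/info/ template).
PROBE_TEXT = r"""
Probe TCP mydoom q|\x0d\x0d|
ports 3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| v/mydoom/v012604//
"""

# Constructed sample: the server's data and RST segments for both client ports in the
# post's tcpdump; hex bytes verbatim, ASCII column dropped, wrapped summary lines rejoined.
TCPDUMP_TEXT = """\
22:34:23.402217 10.4.58.183.3127 > erwin.46665: P [tcp sum ok] 1:9(8) ack 3 win 65533
0x0000   4500 003c b856 4000 7b06 1418 0a04 3ab7
0x0010   0ab4 e3de 0c37 b649 468c 8456 5e00 ce62
0x0020   8018 fffd 5a2b 0000 0101 080a 0050 f8af
0x0030   1a75 17a0 045b 0000 0000 0000
22:34:23.402495 10.4.58.183.3127 > erwin.com.46665: R [tcp sum ok] 1183614046:1183614046(0) win 0
0x0000   4500 0028 b857 4000 7b06 142b 0a04 3ab7
0x0010   0ab4 e3de 0c37 b649 468c 845e 5e00 ce62
0x0020   5004 0000 c2c4 0000 0000 0000 0000
22:34:27.617637 10.4.58.183.3127 > erwin.46667: P [tcp sum ok] 1:9(8) ack 3 win 65533
0x0000   4500 003c b872 4000 7b06 13fc 0a04 3ab7
0x0010   0ab4 e3de 0c37 b64b 469e 36eb 5dc6 d52a
0x0020   8018 fffd 9f25 0000 0101 080a 0050 f8d9
0x0030   1a75 1945 045b 0000 0000 0000
22:34:27.617833 10.4.58.183.3127 > erwin.46667: R [tcp sum ok] 1184773875:1184773875(0) win 0
0x0000   4500 0028 b873 4000 7b06 140f 0a04 3ab7
0x0010   0ab4 e3de 0c37 b64b 469e 36f3 5dc6 d52a
0x0020   5004 0000 098e 0000 0000 0000 0000
"""

PKT_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+)\.(\d+) > (\S+)\.(\d+):")
HEX_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})")

def parse_probe(text):
    """Minimal reader for Probe / ports / match lines (not nmap's own parser)."""
    probe = {}
    for line in text.splitlines():
        if line.startswith("Probe "):
            q = line.split(None, 3)[3]                     # the q|...| field
            body = q[2:q.rindex(q[1])]
            # q strings use C-style escapes; decode them into the bytes nmap sends
            probe["send"] = body.encode("latin-1").decode("unicode_escape").encode("latin-1")
        elif line.startswith("ports "):
            lo, hi = line.split()[1].split("-")
            probe["ports"] = range(int(lo), int(hi) + 1)
        elif line.startswith("match "):
            svc, _, pat, flags, tmpl = re.match(
                r"match (\S+) m(.)(.*?)\2(\w*)\s*(.*)$", line).groups()
            opts = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            product, version = tmpl[2:].split("/")[:2]
            probe["match"] = {"service": svc, "product": product, "version": version,
                              "regex": re.compile(pat.encode("latin-1"), opts)}
    return probe

def decode_tcp(raw):
    """Slice IPv4 + TCP headers; the IP total length trims Ethernet padding on short frames."""
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:int.from_bytes(raw[2:4], "big")]
    doff = (tcp[12] >> 4) * 4
    return {"rst": bool(tcp[13] & 0x04), "payload": bytes(tcp[doff:])}

def parse_tcpdump(text):
    """Group summary + hex lines into packets; wrapped summary continuation lines are skipped."""
    packets = []
    for line in text.splitlines():
        if (m := PKT_RE.match(line)):
            h, mi, s, us, _, sport, _, dport = m.groups()
            t_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
            packets.append({"t_us": t_us, "sport": int(sport), "dport": int(dport), "raw": bytearray()})
        elif (m := HEX_RE.match(line)) and packets:
            packets[-1]["raw"] += bytes.fromhex(m.group(1).replace(" ", ""))
    for p in packets:
        p.update(decode_tcp(p["raw"]))
    return packets

def fingerprint(probe, payload):
    """Apply the match line to a reply: (service, product, version) or None."""
    m = probe["match"]
    return (m["service"], m["product"], m["version"]) if m["regex"].search(payload) else None

def analyse(probe_text=PROBE_TEXT, dump_text=TCPDUMP_TEXT, service_port=3127):
    """Per client port: does the reply match, and how many us later did the server's first RST arrive?"""
    probe, by_client = parse_probe(probe_text), defaultdict(list)
    for p in parse_tcpdump(dump_text):
        if p["sport"] == service_port:
            by_client[p["dport"]].append(p)
    result = {}
    for cport, pkts in by_client.items():
        data = [p for p in pkts if p["payload"]]
        rsts = [p for p in pkts if p["rst"]]
        if data:
            result[cport] = {"match": fingerprint(probe, data[0]["payload"]),
                             "rst_gap_us": rsts[0]["t_us"] - data[0]["t_us"] if rsts else None}
    return result
```

Calling `analyse()` reports that both captured replies satisfy the `match` line and that the backdoor's RST trails its data segment by 278 and 196 microseconds respectively. That gap is the whole window a probe reader has to drain the socket before the reset is delivered, so when a READ ERROR shows up with the reply plainly visible on the wire, measuring it this way separates a tight RST race from a reply that genuinely never arrived.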

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help@insecure.org . List archive: http://seclists.org

