The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Probes with Spoofed IP Addresses</h2>

Wednesday, November 24, 1998<p>

The CERT Coordination Center has received several reports that
intruders are using spoofed IP addresses to conduct scans similar to
those discussed in

<dl>
<dd><a href="http://www.cert.org/advisories/CA-98.09.imapd.html">
http://www.cert.org/advisories/CA-98.09.imapd.html</a></dd>
<dd><a href="http://www.cert.org/advisories/CA-97.09.imap_pop.html">
http://www.cert.org/advisories/CA-97.09.imap_pop.html</a></dd>
</dl>
<p>

At first, these probes appeared to be ordinary IMAP scans.  After
further investigation, most of the reporting sites determined that
another compromised host on the same network was the true origin of
the IMAP scan.  It's possible that the intruder was able to run a
network sniffer on that host to capture the results of these probes.
<p>

If IMAP (or other) probes are reported to originate from hosts at your
site, it may not be sufficient to disconnect the apparent origin from
the network.  We encourage you to inspect other hosts on the same
local area network, especially if you continue to receive reports of
intruder activity involving your systems.
<p>

You may find our Intruder Detection Checklist to be a useful guide in
checking your systems for signs of compromise.  This document is
available from our ftp server at

<dl>
<dd><a href="http://www.cert.org/tech_tips/intruder_detection_checklist.html">http://www.cert.org/tech_tips/intruder_detection_checklist.html</a>
</dd></dl>
<p>

This document will help you to methodically check your systems for
signs of compromise and offers pointers to other resources and
suggestions on how to proceed in the event of a compromise.
<p>

Another approach to determining the true origin of spoofed probes is to
install network monitoring software that can capture the packets
actually traversing the network.  Some network monitoring software
logs may include the hardware (Ethernet) address of the true origin of
the probes.  This information may enable you to determine which system
is generating the spoofed probes by comparing that hardware address
with those of other systems on the local area network.
<p>

While probes fitting this profile have thus far originated only from
port 65535, it's possible that spoofed probes could come from other
ports.
<p>
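As an added illustration of the hardware-address comparison described above (example code, not part of the CERT note), the following script parses captured Ethernet/IPv4/TCP frames, checks each IMAP probe's claimed source IP against an inventory of the LAN's known Ethernet addresses, and reports the host whose hardware address actually put the spoofed frame on the wire, together with the source port so that probes from port 65535 stand out. The inventory, addresses and frames are constructed sample values.

```python
import struct

# Constructed inventory of the LAN: each host's IP and its known Ethernet
# address (assumed values; in practice taken from an ARP table or asset list).
LAN_HOSTS = {
    "192.0.2.10": "00:00:5e:00:53:0a",
    "192.0.2.20": "00:00:5e:00:53:14",
    "192.0.2.30": "00:00:5e:00:53:1e",
}
IMAP_PORT = 143

def ip4(addr):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(map(int, addr.split(".")))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed test input)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, src_port, dst_port), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
    src_port, dst_port = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return src_mac, src_ip, src_port, dst_port

def find_spoofed_probes(frames, inventory=LAN_HOSTS):
    """Flag IMAP probes whose IP source does not belong to the sending Ethernet
    address. The Ethernet source is set by the host that actually transmitted
    the frame, so a mismatch points at the true origin of a spoofed probe."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, src_port, dst_port = parsed
        expected_mac = inventory.get(src_ip)
        if dst_port != IMAP_PORT or expected_mac in (None, src_mac):
            continue
        true_origin = next((ip for ip, m in inventory.items() if m == src_mac), "unknown")
        findings.append({"claimed_ip": src_ip, "src_mac": src_mac,
                         "true_origin": true_origin, "src_port": src_port})
    return findings
```

Source IPs absent from the inventory are skipped, so the check only covers frames that claim to come from a host on your own LAN.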

If you believe that your systems have been compromised and used to
launch probes fitting this description, we encourage you to report the
activity to the CERT/CC.  In particular, we are interested in
receiving copies of any intruder tools that have been used to generate
spoofed probes or to capture the results.

<p>Copyright 1998 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p>