Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

VMware Security Advisory Released: VMSA-2019-0001

Know What You Are Logging

Published: 2019-02-18
Last Updated: 2019-02-18 07:44:06 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I helped out someone who was seeing entries in his log file he could not make sense of.

He has an Arduino, running a custom program listening on a TCP port. His router is configured with port forwarding: the Arduino accepts TCP connections from the Internet. It expects HTTP queries, and will also log all non-HTTP requests.

It's in this log that single-byte entries started to appear: just byte 0x03 would be logged, nothing more.

My explanation is the following: on the Internet, you have RDP-scanners accessing random ports looking for open RDP servers. The Remote Desktop protocol relies on the TPKT protocol. The header of the TPKT protocol starts with a single-byte version number, that is equal to 3. Followed by another byte, a reserved field that is 0. Then there is a length field, followed by encapsulated protocol data.

Because the custom program, written in the Arduino language (derived from C), writes entries to the log with the print function, the TCP payload is being truncated at byte 0. For each RDP scan, only the TPKT version number would be logged (byte value 3), because byte value 0 is the string terminator.

This logger was truncating the TCP payload data: only data up to the first NULL byte (0x00) would be logged.

Having truncated logs in itself is not an issue. It could help prevent storage overflows, for example. But you have to be aware exactly what is being logged and how. Because if you don't, you might interpret mundane data as an exceptional case.

Didier Stevens
Senior handler
Microsoft MVP

Keywords: log scan tcp
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Video: Finding Property Values in Office Documents
Feb 17th 2019
21 hours ago by DidierStevens (0 comments)

Finding Property Values in Office Documents
Feb 16th 2019
1 day ago by DidierStevens (0 comments)

Old H-Worm Delivered Through GitHub
Feb 15th 2019
3 days ago by Xme (0 comments)

Suspicious PDF Connecting to a Remote SMB Share
Feb 14th 2019
4 days ago by Xme (3 comments)

Fake Updates campaign still active in 2019
Feb 13th 2019
5 days ago by Brad (0 comments)

Microsoft February 2019 Patch Tuesday
Feb 12th 2019
5 days ago by Renato (1 comment)

Have You Seen an Email Virus Recently?
Feb 11th 2019
6 days ago by DidierStevens (9 comments)

View All Diaries →

Latest Discussions

Run Extracted binaries from mirror traffic on cuckoo
created Feb 6th 2019
1 week ago by ching (1 reply)

Another sextortion email
created Feb 5th 2019
1 week ago by Anonymous (0 replies)

Two-factor authentication: Why do I need it? What are the best apps?
created Jan 27th 2019
3 weeks ago by Russell (0 replies)

sextortion Mail
created Jan 10th 2019
1 month ago by Anonymous (0 replies)

Internet security needed!
created Jan 3rd 2019
1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (13 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)