RE: [fw-wiz] Odd scan to port 36867

From: Ben Nagy (ben_at_iagu.net)
Date: 11/16/04

    To: "'SiegeX'" <siegex@atozcomp.com>
    Date: Tue, 16 Nov 2004 10:29:01 +0100


    Could be malware activity, or someone scanning for backdoors / botnets. None
    of the current big name malware uses that port by default AFAIK, but I guess
    there could be variants.

    Personally, I'd be interested in seeing more of the logs - there might be
    patterns in the source port, IPID etc which often indicate that it's malware
    generated. You can send those through to me direct if you don't want to bore
    the list.

    The TTL is 103 - that means it's odds on that this traffic came from a
    Windows system. Default TTL is 64 on most of the unix / linux variants (it
    could be VMS, but there are too many unique sources!). If your logs show
    other packets with TTL 0<ttl<64 then it's almost certainly scanning activity
    not malware, since it's cross platform.

    rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe
    seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
    German.

    SANS Dshield is dead right now, but normally I would also check there, to
    see if what you're seeing is backed up by a local / global increase. You
    could also submit it to the handlers there, they do good Sherlock Holmes
    work, if they've got time.

    If this is what it looks like (perps scanning for non-standard backdoors)
    then it would be good to investigate further. Then again it could just be
    nothing, who knows.

    Cheers,

    ben

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of SiegeX
    > Sent: Monday, November 15, 2004 3:05 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Odd scan to port 36867
    >
    > Hi guys, I recently decided to write a simple bash script to
    > go through all my iptables logs and see which ports were
    > being hit the most. Note that I only logged NEW connections
    > to ports that aren't open on my computer. Here are the top 10 results:
    >
    > 495 36867
    [...]
    > Below is a sample from my
    > iptables logs so you can see what I'm parsing.
    >
    > Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT=
    > MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00
    > SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00
    > TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867
    > SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
    >
    > Just to make sure that this port is not being hit by one or
    > two different guys, I parsed my logs to see how many unique
    > IPs were hitting port 36867 and I came up with 173 unique
    > IPs.
    [...]
    > I've yet to cross reference the 173 unique IPs
    > hitting port 36867 to Maxmind's database, but I have a strong
    > feeling that they are coming from Germany. I hope you guys
    > have a better clue what's going on than I do. Thanks.
    >
    > -Sean

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
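    The log triage described in this thread (Sean's per-port hit counts and unique-source counts, plus Ben's initial-TTL heuristic for spotting cross-platform scanning) as an added Python example; this is not the poster's bash script or any code from the list, and the log lines other than the one Sean quoted are constructed with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the iptables LOG format quoted in the thread. The first
# line is the one Sean posted; the rest are made up to show the analysis.
SAMPLE_LOG = """\
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:52:01 maximus possible_hack IN=eth0 OUT= SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=112 ID=4 DF PROTO=TCP SPT=3201 DPT=36867 SYN URGP=0
Nov 14 10:53:12 maximus possible_hack IN=eth0 OUT= SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=112 ID=5 DF PROTO=TCP SPT=3202 DPT=36867 SYN URGP=0
Nov 14 10:54:40 maximus possible_hack IN=eth0 OUT= SRC=203.0.113.9 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=44122 DPT=36867 SYN URGP=0
Nov 14 10:55:03 maximus possible_hack IN=eth0 OUT= SRC=203.0.113.10 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=445 SYN URGP=0
"""

# iptables LOG lines are space-separated KEY=VALUE pairs (some keys, like OUT=, are empty).
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def guess_initial_ttl(ttl):
    """Ben's heuristic: the sender started at a default initial TTL (64 for most
    Unix/Linux, 128 for Windows, 255 for some others) and each hop decremented it,
    so the smallest default not below the observed TTL is the likely origin value."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return None

def summarise(log_text):
    """Per destination port: hit count, set of unique sources, and a Counter of
    guessed initial TTLs. Several distinct initial-TTL guesses on one port suggest
    cross-platform scanning rather than a single malware family."""
    hits = Counter()
    sources = defaultdict(set)
    ttl_guess = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "DPT" not in f or "SRC" not in f or "TTL" not in f:
            continue  # not a packet log line (or a truncated one)
        port = int(f["DPT"])
        hits[port] += 1
        sources[port].add(f["SRC"])
        ttl_guess[port][guess_initial_ttl(int(f["TTL"]))] += 1
    return hits, sources, ttl_guess

def top_ports(log_text, n=10):
    """The 'top 10 ports' list Sean described: [(port, hits), ...] by hit count."""
    return summarise(log_text)[0].most_common(n)
```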

