RE: [fw-wiz] Odd scan to port 36867

From: Ben Nagy (ben_at_iagu.net)
Date: 11/16/04

  • Next message: Chris Pugrud: "Re: [fw-wiz] ASP/Hosting Architecture"
    To: "'SiegeX'" <siegex@atozcomp.com>
    Date: Tue, 16 Nov 2004 10:29:01 +0100

    Could be malware activity, or someone scanning for backdoors / botnets. None
    of the current big name malware uses that port by default AFAIK, but I guess
    there could be variants.

    Personally, I'd be interested in seeing more of the logs - there might be
    patterns in the source port, IPID etc which often indicate that it's malware
    generated. You can send those through to me direct if you don't want to bore
    the list.

    The TTL is 103 - that means it's odds on that this traffic came from a
    Windows system. Default TTL is 64 on most of the unix / linux variants (it
    could be VMS, but there are too many unique sources!). If your logs show
    other packets with TTL 0<ttl<64 then it's almost certainly scanning activity
    not malware, since it's cross platform.

    rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe
    seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
    German.

    SANS Dshield is dead right now, but normally I would also check there, to
    see if what you're seeing is backed up by a local / global increase. You
    could also submit it to the handlers there, they do good Sherlock Holmes
    work, if they've got time.

    If this is what it looks like (perps scanning for non-standard backdoors)
    then it would be good to investigate further. Then again it could just be
    nothing, who knows.

    Cheers,

    ben

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of SiegeX
    > Sent: Monday, November 15, 2004 3:05 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Odd scan to port 36867
    >
    > Hi guys, I recently decided to write a simple bash script to
    > go through all my iptables logs and see which ports were
    > being hit the most. Note that I only logged NEW connections
    > to ports that aren't open on my computer. Here are the top 10 results:
    >
    > 495 36867
    [...]
    > Below is a sample from my
    > iptables logs so you can see what I'm parsing.
    >
    > Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT=
    > MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00
    > SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00
    > TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867
    > SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
    >
    > Just to make sure that this port is not being hit by one or
    > two different guys, I parsed my logs to see how many unique
    > IPs were hitting port 36867 and I came up with 173 unique
    > IPs.
    [...]
    > I've yet to cross reference the 173 unique IPs
    > hitting port 36867 to Maxmind's database, but I have a strong
    > feeling that they are coming from Germany. I hope you guys
    > have a better clue what's going on than I do. Thanks.
    >
    > -Sean

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
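The log counting Sean describes and the TTL reasoning in Ben's reply, as an added Python example that is not part of the thread: it parses iptables LOG lines, ranks destination ports, counts unique sources per port, and estimates each source's initial TTL. Only the first sample line is the one quoted above; the other lines are constructed, and the 64/128/255 initial-TTL table is the usual rule of thumb, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the one quoted in the thread, the rest are
# made up in the same iptables LOG format (MAC shortened to "...").
SAMPLE_LOG = """\
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 11:02:11 maximus possible_hack IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=112 ID=4411 DF PROTO=TCP SPT=3421 DPT=36867 SEQ=1 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 11:05:40 maximus possible_hack IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=112 ID=4412 DF PROTO=TCP SPT=3422 DPT=36867 SEQ=1 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 11:30:02 maximus possible_hack IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=49 ID=1001 DF PROTO=TCP SPT=51002 DPT=135 SEQ=7 ACK=0 WINDOW=5840 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; OUT= has an empty value

def parse_line(line):
    """Turn one iptables LOG line into a dict of its KEY=VALUE fields."""
    return dict(FIELD_RE.findall(line))

def parse_log(text):
    """Parse every line that carries a destination port (skips non-LOG lines)."""
    return [parse_line(l) for l in text.splitlines() if "DPT=" in l]

def top_ports(entries, n=10):
    """(count, port) pairs, most-hit first: the 'top 10' list from the thread."""
    return [(cnt, port) for port, cnt in Counter(e["DPT"] for e in entries).most_common(n)]

def unique_sources(entries, port):
    """Distinct SRC addresses that hit one DPT (the '173 unique IPs' question)."""
    return {e["SRC"] for e in entries if e["DPT"] == port}

# Rule-of-thumb initial TTLs; the observed TTL is assumed to be the smallest one at or above it.
INITIAL_TTLS = ((64, "Unix/Linux-like"), (128, "Windows-like"), (255, "255-default"))

def ttl_profile(ttl):
    """Return (initial TTL, hops travelled, OS family guess) for an observed TTL."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl, family
    return None, None, "unknown"

def ttl_families(entries, port):
    """OS-family guess per unique source hitting a port; a mix of families points to
    cross-platform scanning rather than one malware strain (Ben's argument)."""
    seen = {}
    for e in entries:
        if e["DPT"] == port and e["SRC"] not in seen:
            seen[e["SRC"]] = ttl_profile(int(e["TTL"]))[2]
    return dict(Counter(seen.values()))

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(top_ports(log))
    print(sorted(unique_sources(log, "36867")), ttl_families(log, "36867"))
```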

