Everything and the kitchen sink.

From: Sebastian Ip (9scki@qlink.queensu.ca)
Date: 08/26/01


From: Sebastian Ip <9scki@qlink.queensu.ca>
To: handler@incidents.org
Subject: Everything and the kitchen sink.
Date: Sat, 25 Aug 2001 23:07:03 -0400
Message-Id: <01082523070300.01565@home.gotak.dhs.org>

Eh yeah, I have no idea why this is happening. I don't go on IRC and all I did
today was play Day of Defeat online. I didn't think I pissed anyone off 'cause
I haven't port scanned anyone.

But here's a short cut from my dshield report; it's all from the same IP.

Aug 25 22:39:09 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22132 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22285 PROTO=TCP SPT=1080 DPT=4236 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22287 PROTO=TCP SPT=1080 DPT=4237 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22316 PROTO=TCP SPT=1080 DPT=4126 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22355 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22382 PROTO=TCP SPT=1080 DPT=4240 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:14 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22501 PROTO=TCP SPT=1080 DPT=4238 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:15 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22581 PROTO=TCP SPT=1080 DPT=4240 WINDOW=0 RES=0x00 ACK RST URGP=0

Sorry about the "unvalid" typo, I was lazy. Anyhow I have no put in the
limit match on my firewall rules. This "scan" started at port 1080 and just
moves up randomly but very aggressively as you can see. It's still going on
as we speak. From looking at my snort log it appears that the port 1080
appears randomly at some point during this mad scan.

Does anyone see the same thing happening? What worries me is that this could
be an attempt to get iptables to mess up in a way that'll let the attacker
in. Are there such bugs in iptables for 2.4.X kernels? I know about FTP and
2.4.2 but I don't use that.

Anyhow, cheers

Sebastian Ip

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
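As an added example (not part of the post or of any handler's reply), here is a small Python script that parses iptables LOG lines of the kind quoted above, re-joins records that a mailer wrapped across lines, groups them by source address, and describes the shape of each burst. The sample log is constructed for this example (RFC 5737 test addresses, made-up IDs); the one pattern it is built to distinguish is the one in the post: every packet is RST+ACK with WINDOW=0 from a single fixed source port, fanning out over many destination ports. That is the form a TCP stack uses to answer a SYN that arrived for a closed port, so a host that never sent those SYNs and still sees a stream of such replies has grounds to suspect that someone else is sending packets with its address as the source; bare SYNs from varying source ports to many ports are the contrasting, probe-shaped case. The field and flag names are taken from the log format; the function names and the classification labels are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the iptables LOG format the post shows. Records are
# wrapped across three lines, as in the post; addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Aug 25 22:39:09 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=192.0.2.10 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22132 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=192.0.2.10 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22285 PROTO=TCP SPT=1080 DPT=4236 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=192.0.2.10 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22355 PROTO=TCP SPT=1080 DPT=4126 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:40:01 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52
ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 22:40:01 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52
ID=2 PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def unwrap(text):
    """Re-join records wrapped onto several lines: a line starting with a
    syslog timestamp begins a new record, anything else continues the last."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record):
    """Turn one iptables LOG line into a dict of KEY=value fields plus the
    set of bare TCP flag tokens (ACK, RST, SYN, ...)."""
    ts = datetime.strptime(record[:15], "%b %d %H:%M:%S")  # year unknown; deltas only
    fields = {"ts": ts, "flags": set()}
    for token in record.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in TCP_FLAGS:
            fields["flags"].add(token)
    return fields


def classify(summary):
    """Label a per-source burst by its packet shape (labels are this
    example's own, not iptables or DShield terminology)."""
    if (summary["all_rst_ack_win0"] and summary["distinct_sports"] == 1
            and summary["distinct_dports"] > 1):
        return "reply-shaped (backscatter-like)"
    if summary["all_syn_only"] and summary["distinct_dports"] > 1:
        return "probe-shaped (port sweep)"
    return "unclassified"


def summarize(records):
    """Group parsed records by SRC and describe each burst."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["SRC"]].append(rec)
    out = {}
    for src, pkts in by_src.items():
        times = [p["ts"] for p in pkts]
        s = {
            "packets": len(pkts),
            "distinct_dports": len({p["DPT"] for p in pkts}),
            "distinct_sports": len({p["SPT"] for p in pkts}),
            "span_seconds": (max(times) - min(times)).total_seconds(),
            "all_rst_ack_win0": all({"RST", "ACK"} <= p["flags"]
                                    and p.get("WINDOW") == "0" for p in pkts),
            "all_syn_only": all(p["flags"] == {"SYN"} for p in pkts),
        }
        s["shape"] = classify(s)
        out[src] = s
    return out


def analyze(text):
    """Convenience wrapper: raw (possibly wrapped) log text to per-SRC summary."""
    return summarize([parse_record(r) for r in unwrap(text)])


if __name__ == "__main__":
    for src, s in analyze(SAMPLE_LOG).items():
        print(f"{src}: {s['shape']}  packets={s['packets']} "
              f"dports={s['distinct_dports']} span={s['span_seconds']}s")
```

Feed it the real log with `analyze(open("/var/log/messages").read())` (path assumed; adjust to wherever the kernel LOG target writes). A burst labelled reply-shaped is worth comparing against the firewall's own outbound connection tracking before treating it as a scan directed at you, since a stream of RST/ACK replies can arrive without any rule having been matched in the wrong direction.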