Everything and the kitchen sink.
From: Sebastian Ip (9scki@qlink.queensu.ca)
Date: 08/26/01
- Previous message: Neil Dickey: "Identification needed ..."
- Next in thread: Hugo van der Kooij: "Re: Everything and the kitchen sink."
- Reply: Hugo van der Kooij: "Re: Everything and the kitchen sink."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Sebastian Ip <9scki@qlink.queensu.ca>
To: handler@incidents.org
Subject: Everything and the kitchen sink.
Date: Sat, 25 Aug 2001 23:07:03 -0400
Message-Id: <01082523070300.01565@home.gotak.dhs.org>
Eh yeah I have no idea why this is happening. I don't go on IRC and all I did
today was play Day of Defeat online. I didn't think I pissed anyone off cause
I haven't port scanned anyone.
But here's a short cut from my DShield report; it's all from the same IP.
Aug 25 22:39:09 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22132 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22285 PROTO=TCP SPT=1080 DPT=4236 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22287 PROTO=TCP SPT=1080 DPT=4237 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22316 PROTO=TCP SPT=1080 DPT=4126 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22355 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22382 PROTO=TCP SPT=1080 DPT=4240 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:14 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22501 PROTO=TCP SPT=1080 DPT=4238 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:15 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT=
SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232
ID=22581 PROTO=TCP SPT=1080 DPT=4240 WINDOW=0 RES=0x00 ACK RST URGP=0
Sorry about the "unvalid" typo; I was lazy. Anyhow I have now put in the
limit match on my firewall rules. This "scan" started at port 1080 and just
moves up randomly but very aggressively, as you can see. It's still going on
as we speak. From looking at my snort log it appears that port 1080
appears randomly at some point during this mad scan.
Does anyone see the same thing happening? What worries me is that this could
be an attempt to get iptables to mess up in a way that'll let the attacker
in. Are there such bugs in iptables for 2.4.X kernels? I know about FTP and
2.4.2 but I don't use that.
Anyhow, cheers
Sebastian Ip
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
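The first thing a handler does with a log like the one above is pull it apart by source and look at the TCP flags, because the netfilter "NEW" prefix only says that conntrack had no existing connection for the packet, not that the packet was a connection attempt. The following is an added example, not code from the poster or from the incidents.org list: it parses netfilter LOG lines of the same format, groups them by SRC, and reports per source the packet count, the source and destination ports seen, the flag combinations, how many packets arrived without SYN, and the time span of the burst. The log lines inside it are constructed on the model of the quoted records (documentation addresses 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are used instead of the real ones), and the category names returned by `classify()` are this example's own.

```python
import re
from collections import defaultdict

# Bare tokens that netfilter's LOG target emits without a "key=" prefix.
TCP_FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}
IP_FLAG_TOKENS = {"DF", "MF", "CE"}

# Syslog timestamp at the start of each line, e.g. "Aug 25 22:39:09".
TIME_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})")

# Constructed sample log, modelled on the records quoted in the message.  Real
# netfilter emits each record on one line; mail clients wrap them.  Addresses
# are documentation ranges, not the ones in the original report.
SAMPLE_LOG = """\
Aug 25 22:39:09 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22132 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22285 PROTO=TCP SPT=1080 DPT=4236 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22316 PROTO=TCP SPT=1080 DPT=4126 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:40:02 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=51 DF PROTO=TCP SPT=3344 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 25 22:40:03 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=52 DF PROTO=TCP SPT=3345 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
"""


def seconds_of_day(line):
    """Seconds since midnight from the syslog timestamp, or None if absent."""
    m = TIME_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_netfilter_line(line):
    """Turn one netfilter LOG line into a dict of key=value fields plus flag sets.
    Returns None for lines that carry no IN= field (not a LOG record)."""
    m = re.search(r"\bIN=", line)
    if not m:
        return None
    record = {"tcp_flags": set(), "ip_flags": set(), "ts": seconds_of_day(line)}
    for token in line[m.start():].split():
        if "=" in token:
            key, _, value = token.partition("=")   # "OUT=" yields an empty value
            record[key] = value
        elif token in TCP_FLAG_TOKENS:
            record["tcp_flags"].add(token)
        elif token in IP_FLAG_TOKENS:
            record["ip_flags"].add(token)
    return record


def classify(recs):
    """Label one source's burst (labels are this example's own, not netfilter's).
    'syn-probe'       every packet is a SYN without ACK: genuine connect attempts.
    'rst-ack-replies' every packet is ACK+RST from one source port: RST/ACK is what
                      a host sends back in answer to a SYN, so unsolicited ones are
                      replies to packets the logging host never sent.
    'mixed'           anything else."""
    flag_sets = {frozenset(r["tcp_flags"]) for r in recs}
    if flag_sets == {frozenset({"ACK", "RST"})} and len({r["SPT"] for r in recs}) == 1:
        return "rst-ack-replies"
    if all("SYN" in r["tcp_flags"] and "ACK" not in r["tcp_flags"] for r in recs):
        return "syn-probe"
    return "mixed"


def summarize_by_source(log_text):
    """Group TCP records by SRC and describe each source's activity."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec and rec.get("PROTO") == "TCP":
            groups[rec["SRC"]].append(rec)
    summary = {}
    for src, recs in groups.items():
        stamps = [r["ts"] for r in recs if r["ts"] is not None]
        summary[src] = {
            "packets": len(recs),
            "source_ports": sorted({int(r["SPT"]) for r in recs}),
            "dest_ports": sorted({int(r["DPT"]) for r in recs}),
            "flag_sets": sorted("+".join(sorted(f)) for f in {frozenset(r["tcp_flags"]) for r in recs}),
            # conntrack calls any TCP packet it has no state for "NEW"; this counts
            # the ones that are not SYNs, i.e. the ones that could never open a connection
            "new_without_syn": sum(1 for r in recs if "SYN" not in r["tcp_flags"]),
            "span_seconds": (max(stamps) - min(stamps)) if stamps else None,
            "kind": classify(recs),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_by_source(SAMPLE_LOG).items():
        print(src, info)
```

Feed it a real `/var/log/messages` extract after re-joining the wrapped lines, and the `kind`, `new_without_syn` and `span_seconds` columns give the three facts the poster is asking the list about: whether anything in the burst could have opened a connection, whether it is replies or probes, and how fast it came in (the number the `limit` match rate should be chosen against).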