Scan combining internal/external

From: Stephen W. Thompson (thompson@pobox.upenn.edu)
Date: 02/26/02


From: "Stephen W. Thompson" <thompson@pobox.upenn.edu>
To: incidents@securityfocus.com
Date: Tue, 26 Feb 2002 10:34:53 -0500 (EST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yesterday afternoon I saw apparently-coordinated scans which
absolutely confuse me. I'd appreciate hearing from anyone who has
seen anything similar or who has a likely explanation.

First, I have my main machine which has Linux with an ipchains
firewall. On the same subnet I have a linux box with a non-recent
Snort IDS configuration monitoring the subnet.

The logs below show:
 1) My ipchains logs showing several of *our* machines from diverse
    subnets making from 1 to 6 connection attempts to *my* personal
    machine, the first at 15:18, then a bunch from 16:29 to 16:31:50.
    All but the first have source port tcp/6667 to various destination
    ports.
 2) Snort logs revealing a scan by an external IP of many machines on
    my subnet, source and destination ports tcp/6667, lasting from
    16:31:46 to 16:31:47.

Obfuscated logs follow.

En paz,
Steve, security analyst

MY MAIN MACHINE, /var/log/messages:

Feb 25 15:18:05 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetC.num.5:1029 UP.subnetE.my.machine:2665 L=40 S=0x00 I=23024 F=0x4000 T=58 (#69)
Feb 25 16:29:23 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetB.num.4:6667 UP.subnetE.my.machine:4364 L=40 S=0x00 I=21327 F=0x4000 T=126 (#69)
Feb 25 16:29:37 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1661 F=0x4000 T=126 (#69)
Feb 25 16:29:40 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1663 F=0x4000 T=126 (#69)
Feb 25 16:29:46 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1665 F=0x4000 T=126 (#69)
Feb 25 16:29:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1670 F=0x4000 T=126 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=20537 F=0x4000 T=125 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=841 F=0x4000 T=125 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34406 F=0x4000 T=125 (#69)
Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=1353 F=0x4000 T=125 (#69)
Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=21049 F=0x4000 T=125 (#69)
Feb 25 16:30:12 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34453 F=0x4000 T=125 (#69)
Feb 25 16:30:17 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=2121 F=0x4000 T=125 (#69)
Feb 25 16:30:18 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=21305 F=0x4000 T=125 (#69)
Feb 25 16:30:18 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34548 F=0x4000 T=125 (#69)
Feb 25 16:30:22 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2078 F=0x4000 T=126 (#69)
Feb 25 16:30:29 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=6985 F=0x4000 T=125 (#69)
Feb 25 16:30:31 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=22329 F=0x4000 T=125 (#69)
Feb 25 16:30:31 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34737 F=0x4000 T=125 (#69)
Feb 25 16:30:53 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=16201 F=0x4000 T=125 (#69)
Feb 25 16:30:57 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=23097 F=0x4000 T=125 (#69)
Feb 25 16:30:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=35364 F=0x4000 T=125 (#69)
Feb 25 16:31:10 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2088 F=0x4000 T=126 (#69)
Feb 25 16:31:42 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=27721 F=0x4000 T=125 (#69)
Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=25913 F=0x4000 T=125 (#69)
Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=37867 F=0x4000 T=125 (#69)

SNORT IDS, /var/log/snort/portscan.log:

Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.2:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.3:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.4:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.5:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.6:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.7:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.8:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.9:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.my.IDS:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.10:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.11:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.12:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.13:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.14:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.15:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.16:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.17:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.18:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.19:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.20:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.21:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.22:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.23:6667 SYN ******S*

SNORT IDS, entry from /var/log/secure:

Feb 25 16:31:46 ids-box kernel: Packet log: input DENY eth0 PROTO=6 intruderIP:6667 UP.subnetE.my.IDS:6667 L=40 S=0x00 I=44823 F=0x0000 T=107

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPHuqlc3oSRS59y8HEQIXpQCfaVML7kQhcdcOvqHOuWxWsSP91X0An0rm
x4d752nlavPkbvA/cfciLrg6
=lgnB
-----END PGP SIGNATURE-----

-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson@isc.upenn.edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security@isc.upenn.edu, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.
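A defender-side correlation of the two log formats in the post above, written as an added example (it is not the poster's code or anything from the Snort or ipchains projects). It parses ipchains "Packet log" lines and Snort portscan.log lines into one event type, counts attempts per (source IP, source port), measures the spacing of repeated packets on a single 4-tuple, finds the time span of the external scan, and lists firewall hits on the scanned port that fall within a window around that span. The sample lines are constructed in the same format with private and documentation addresses, not the poster's obfuscated hosts; the year (syslog lines carry none), the regular expressions, and the function names are my assumptions.

```python
"""Correlate ipchains DENY entries with a Snort portscan.log (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample lines in the two formats shown in the post; addresses are
# private/documentation ranges, not the poster's hosts.
IPCHAINS_SAMPLE = """\
Feb 25 15:18:05 mymain kernel: Packet log: input DENY eth0 PROTO=6 10.1.3.5:1029 10.1.5.77:2665 L=40 S=0x00 I=23024 F=0x4000 T=58 (#69)
Feb 25 16:29:37 mymain kernel: Packet log: input DENY eth0 PROTO=6 10.1.4.6:6667 10.1.5.77:3260 L=40 S=0x00 I=1661 F=0x4000 T=126 (#69)
Feb 25 16:29:40 mymain kernel: Packet log: input DENY eth0 PROTO=6 10.1.4.6:6667 10.1.5.77:3260 L=40 S=0x00 I=1663 F=0x4000 T=126 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.2:6667 10.1.5.77:2418 L=40 S=0x00 I=20537 F=0x4000 T=125 (#69)
Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.2:6667 10.1.5.77:2418 L=40 S=0x00 I=25913 F=0x4000 T=125 (#69)
"""
SNORT_SAMPLE = """\
Feb 25 16:31:46 192.0.2.9:6667 -> 10.1.5.2:6667 SYN ******S*
Feb 25 16:31:46 192.0.2.9:6667 -> 10.1.5.3:6667 SYN ******S*
Feb 25 16:31:47 192.0.2.9:6667 -> 10.1.5.4:6667 SYN ******S*
"""

# Assumed field layouts, derived from the lines above (not an official grammar).
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)"
)
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<kind>\w+) (?P<flags>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    origin: str          # "ipchains" or "snort"
    ttl: Optional[int]   # only the ipchains format carries a TTL


def _ts(raw: str, year: int) -> datetime:
    # syslog timestamps have no year, so the caller supplies it.
    return datetime.strptime(f"{raw} {year}", "%b %d %H:%M:%S %Y")


def parse_ipchains(text: str, year: int) -> List[Event]:
    """Return TCP (PROTO=6) ipchains packet-log lines as Events."""
    out = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line)
        if m and m["proto"] == "6":
            out.append(Event(_ts(m["ts"], year), m["src"], int(m["sport"]),
                             m["dst"], int(m["dport"]), "ipchains", int(m["ttl"])))
    return out


def parse_snort_portscan(text: str, year: int) -> List[Event]:
    """Return Snort portscan.log lines as Events (no TTL in this format)."""
    out = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            out.append(Event(_ts(m["ts"], year), m["src"], int(m["sport"]),
                             m["dst"], int(m["dport"]), "snort", None))
    return out


def attempts_by_source(events: List[Event]) -> Dict[Tuple[str, int], int]:
    """How many denied packets each (source IP, source port) pair sent."""
    return Counter((e.src, e.sport) for e in events)


def retransmit_gaps(events: List[Event], src: str, sport: int,
                    dst: str, dport: int) -> List[float]:
    """Seconds between successive packets on one 4-tuple. Repeats on the same
    ports a few seconds apart look like one socket retrying, not a sweep."""
    ts = sorted(e.ts for e in events
                if (e.src, e.sport, e.dst, e.dport) == (src, sport, dst, dport))
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def scan_span(events: List[Event]) -> Tuple[datetime, datetime]:
    ts = [e.ts for e in events]
    return min(ts), max(ts)


def correlate(fw_events: List[Event], scan_events: List[Event],
              port: int, window_s: int) -> List[Event]:
    """Firewall hits touching `port` within window_s of the scan's time span."""
    start, end = scan_span(scan_events)
    lo, hi = start - timedelta(seconds=window_s), end + timedelta(seconds=window_s)
    return [e for e in fw_events if port in (e.sport, e.dport) and lo <= e.ts <= hi]


def likely_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL (64, 128, 255) at or above the observed
    value; the difference approximates hop count. Heuristic only."""
    return next(t for t in (64, 128, 255) if t >= ttl)


if __name__ == "__main__":
    fw = parse_ipchains(IPCHAINS_SAMPLE, 2002)
    sc = parse_snort_portscan(SNORT_SAMPLE, 2002)
    print("attempts per source:", dict(attempts_by_source(fw)))
    print("gaps on 10.1.4.6:6667 -> 10.1.5.77:3260:",
          retransmit_gaps(fw, "10.1.4.6", 6667, "10.1.5.77", 3260))
    print("scan span:", scan_span(sc))
    for e in correlate(fw, sc, 6667, 60):
        print("near the scan:", e.ts, e.src, e.sport, "->", e.dport,
              "initial TTL ~", likely_initial_ttl(e.ttl))
```

Widening the window in `correlate` pulls in the earlier internal hits from 16:30 as well; whether those belong to the same incident is a judgement call the script leaves to the analyst, which is why the window is a parameter rather than a built-in threshold.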
