Re: Is this some type of scan

From: Frank Knobbe (frank_at_knobbe.us)
Date: 08/05/04

    To: aaron@webspundesigns.com
    Date: Thu, 05 Aug 2004 11:58:08 -0500

    On Wed, 2004-08-04 at 09:45, Aaron Lewis wrote:
    > I don't think this is right but I don't know what to make of it. One of my
    > ACLs denies this 4 - 6 times a day, an hour apart, for 4 or so hours, then it
    > stops until the next day.
    >
    > Aug 4 10:17:54 myhostname 3272392: Aug 4 10:17:53.949 EST:
    > %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80)
    > (Ethernet0/1 000b.bf55.4c70) -> my.public.ip.x(1515), 1 packet
    > Aug 4 10:18:10 myhostname 3272394: Aug 4 10:18:10.621 EST:
    > %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80)
    > (Ethernet0/1 000b.bf55.4c70) -> my.public.ip.x(1011), 1 packet

    May I pass on a message from the archives?

    From: Dan Hanson <dhanson@securityfocus.com>
    To: incidents@securityfocus.com
    Subject: Administrivia: Are you seeing portscans from source 127.0.0.1 source port 80?
    Date: Tue, 28 Oct 2003 08:59:56 -0700 (MST)

    I am posting this in the hopes of dulling the 5-6 messages I get every
    day that are reporting port scans to their network, all of which have a
    source IP of 127.0.0.1 and source port 80.

    It is likely Blaster (check your favourite AV site for a writeup, I
    won't summarize here).

    The reason that people are seeing this has to do with some very bad
    advice that was given early in the Blaster outbreak. The advice basically
    was that to protect the Internet from the DoS attack that was to hit
    windowsupdate.com, all DNS servers should return 127.0.0.1 for queries
    to windowsupdate.com. Essentially these suggestions were suggesting that
    hosts should commit suicide to protect the Internet.

    The problem is that the DoS routine spoofs the source address, so when
    windowsupdate.com resolves to 127.0.0.1 the following happens.

    Infected host picks an address as source address and sends a SYN packet to
    127.0.0.1 port 80. (Sends it to itself.) (This never makes it on the
    wire; you will not see this part.)

    TCP/IP stack receives the packet, responds with a reset (if there is nothing
    listening on that port), sending the reset to the host with the spoofed
    source address. (This is what people are seeing and mistaking for
    portscans.)

    Result: It looks like a host is port scanning ephemeral ports using
    packets with source address:port of 127.0.0.1:80.

    Solution: track back the packets by MAC address to find the infected
    machine. Turn off DNS resolution of windowsupdate.com to 127.0.0.1.

    Hope that helps

    D
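The "track back by MAC address" step above is easy to automate against the IOS ACL log lines Aaron quoted. The script below is an added example, not code from this thread or from either poster: it parses %SEC-6-IPACCESSLOGP deny entries, keeps only the reflected-reset signature (TCP with source 127.0.0.1 port 80), and groups the hits by interface and source MAC so the frames can be traced to a switch port. The log lines are constructed for the example (hostnames, addresses and MACs are invented), and the regex assumes the entry carries the "(interface mac)" block IOS prints for a directly attached segment; entries without it are ignored.

```python
import re
from collections import defaultdict

# Constructed sample entries in the Cisco IOS %SEC-6-IPACCESSLOGP format
# quoted in the thread. Hosts, MACs and timestamps are invented: the first
# two lines mirror the shape of Aaron's, the third comes from a second MAC,
# and the fourth is an unrelated deny that must not match.
SAMPLE_LOG = """\
Aug  4 10:17:54 rtr1 3272392: Aug  4 10:17:53.949 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80) (Ethernet0/1 000b.bf55.4c70) -> 203.0.113.5(1515), 1 packet
Aug  4 10:18:10 rtr1 3272394: Aug  4 10:18:10.621 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80) (Ethernet0/1 000b.bf55.4c70) -> 203.0.113.5(1011), 1 packet
Aug  4 11:20:02 rtr1 3272501: Aug  4 11:20:01.118 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80) (Ethernet0/1 0011.2233.4455) -> 203.0.113.5(1032), 1 packet
Aug  4 11:21:40 rtr1 3272509: Aug  4 11:21:40.002 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 198.51.100.7(4444) (Ethernet0/1 00aa.bbcc.ddee) -> 203.0.113.5(135), 1 packet
"""

# Fields of an IPACCESSLOGP "denied" entry, assuming the optional
# "(interface mac)" block is present (it is in the lines Aaron posted).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not an
    IPACCESSLOGP deny carrying an interface/MAC block."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def is_reflected_reset(rec):
    """The symptom Dan describes: TCP from 127.0.0.1 source port 80.
    A loopback address can never legitimately appear as a source on the
    wire, so any such frame is bogus regardless of destination port."""
    return (rec["proto"] == "tcp"
            and rec["src"] == "127.0.0.1"
            and rec["sport"] == 80)


def suspects_by_mac(log_text):
    """Group matching entries by (interface, source MAC) so the frames can
    be traced to a switch port. Returns {(iface, mac): [dst ports, ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_reflected_reset(rec):
            hits[(rec["iface"], rec["mac"])].append(rec["dport"])
    return dict(hits)


def ranked_suspects(log_text):
    """[(iface, mac, hit_count)] with the noisiest MAC first."""
    hits = suspects_by_mac(log_text)
    return sorted(((i, m, len(p)) for (i, m), p in hits.items()),
                  key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for iface, mac, n in ranked_suspects(SAMPLE_LOG):
        print(f"{iface} {mac}: {n} reflected RST(s)")
```

The MAC in the log line is the source of the Ethernet frame as the router saw it on that interface. If the infected host is directly on that segment, `show mac address-table` (or the equivalent on the switch) maps it to a port; if there is another router or a NAT box in between, the MAC belongs to that device and the trace has to continue one hop further in.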
