RE: help with log entries

From: David Gillett (gillettdavid@fhda.edu)
Date: 02/27/03

    From: "David Gillett" <gillettdavid@fhda.edu>
    To: <security-basics@securityfocus.com>
    Date: Thu, 27 Feb 2003 11:25:44 -0800

      Two clues:

    1. Port 110 is used by the POP3 email protocol.

    2. A normal shutdown of a TCP connection is for one side to send a
    packet with the FIN flag set, which the other side acknowledges, then
    the other side sends a FIN which the first side acknowledges. RST is
    generally sent as a signal that the sending side is giving up the
    connection, often because of a timeout. This may mean that a FIN was
    sent but not received, or received but ignored.

      The PIX is a "stateful inspection" firewall, which means that it checks
    that incoming packets are part of an established connection. The "(no
    connection)" indicates that this check has failed for the packet.
      So what I expect you're seeing is that an internal client has been
    downloading mail from -- or port-scanning looking for a POP3 exploit --
    161.58.238.151 and 200.24.76.3 and 200.24.76.8, and has abandoned the
    connections (perhaps the exploit failed or their password was wrong).
      For some reason, the PIX has seen them drop the connection, or (more
    likely) has timed it out. Finally the server has timed it out, and it's
    the server "hanging up the phone" that the PIX is seeing and logging.

      The packets from 66.35.250.206 are something else. I've seen a client
    use RST to hang up on a server, but never three times as seen here.

    David Gillett

    > -----Original Message-----
    > From: aduenas@skytel.com.co [mailto:aduenas@skytel.com.co]
    > Sent: February 26, 2003 12:53
    > To: security-basics@securityfocus.com
    > Subject: help with log entries
    >
    >
    > Hi,
    >
    > I am getting some confusing log entries from my Cisco Pix firewall. At
    > first I thought that it was a network problem but I don't have any other
    > evidence to support that assumption.
    >
    > The log entries look like this. Destination IP addresses changed....
    >
    > Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside
    > Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 161.58.238.151/110 to a.b.c.d/3783 flags RST PSH ACK on interface outside
    > Feb 26 15:32:50 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 200.24.76.3/110 to a.b.c.d/3796 flags RST ACK on interface outside
    > Feb 26 15:32:51 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 200.24.76.8/110 to a.b.c.d/3768 flags RST ACK on interface outside
    > Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
    > Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
    > Feb 26 15:33:04 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 66.35.250.206/59231 to 10.10.10.4/25 flags RST PSH ACK on interface inside
    > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 161.58.238.151/110 to a.b.c.d/3843 flags RST ACK on interface outside
    > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 161.58.238.151/110 to a.b.c.d/3845 flags RST ACK on interface outside
    > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 161.58.238.151/110 to a.b.c.d/3847 flags RST ACK on interface outside
    > Feb 26 15:33:46 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 161.58.238.151/110 to a.b.c.d/3846 flags RST ACK on interface outside
    > Feb 26 15:33:48 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 200.24.76.8/110 to a.b.c.d/3830 flags RST ACK on interface outside
    > Feb 26 15:33:51 firewall %PIX-6-106015: Deny TCP (no connection) from
    > 200.24.76.3/110 to a.b.c.d/3860 flags RST ACK on interface outside
    >
    > If anyone has any clues or suggestions I would be most grateful!
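As an added example (not part of either message above), a small Python triage of %PIX-6-106015 lines that applies the two clues from the reply: a RST arriving from port 110 is the remote POP3 server tearing down a session the PIX has already aged out, while repeated RSTs from one ephemeral port toward our own port 25 are the odd case the reply singles out. The sample lines are copied from the quoted log; the regex, the category names and the repeat threshold of three are my own assumptions, not anything from the thread.

```python
import re
from collections import Counter

# Constructed sample: four of the %PIX-6-106015 lines quoted in the original post.
SAMPLE_LOG = """\
Feb 26 15:32:49 firewall %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK on interface outside
Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
Feb 26 15:33:02 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST on interface outside
Feb 26 15:33:04 firewall %PIX-6-106015: Deny TCP (no connection) from 66.35.250.206/59231 to 10.10.10.4/25 flags RST PSH ACK on interface inside
"""

# Field layout of the 106015 message (my reading of the quoted lines); hosts may be
# anonymised (a.b.c.d), so match \S+ rather than an IP address.
PIX_106015 = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<fw>\S+) %PIX-6-106015: Deny TCP \(no connection\) "
    r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$")

SERVER_PORTS = {25: "SMTP", 110: "POP3"}  # well-known ports that appear in the log

def parse_line(line):
    # Return the 106015 fields as a dict, or None if the line is some other message.
    m = PIX_106015.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec

def classify(rec):
    """Apply the reply's two clues: which end sent the RST, and to which service."""
    if "RST" not in rec["flags"]:
        return "other"
    if rec["sport"] in SERVER_PORTS:
        # RST from a server port: the remote server tearing down a session the PIX
        # already aged out, i.e. "hanging up the phone" on an abandoned POP3 fetch.
        return "stale-%s-teardown" % SERVER_PORTS[rec["sport"]]
    if rec["dport"] in SERVER_PORTS:
        # RST from an ephemeral port toward one of our services: a client-side hang-up.
        return "client-rst-to-%s" % SERVER_PORTS[rec["dport"]]
    return "other"

def triage(log_text, repeat_threshold=3):
    # Count each category; flag client-RST flows repeated >= repeat_threshold times.
    counts, flows = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        cat = classify(rec)
        counts[cat] += 1
        if cat.startswith("client-rst"):
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
    repeated = {flow: n for flow, n in flows.items() if n >= repeat_threshold}
    return counts, repeated
```

Running `triage(SAMPLE_LOG)` separates the single stale POP3 teardown from the three identical client RSTs toward 10.10.10.4/25, which is exactly the flow the reply says it has not seen before.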