Re: Strange netstat output - possible hacking attempt?
From: G1X2 (gimpwarez@hotmail.com) Date: 01/12/02
- Next message: Dale Pontius: "Re: rootkit fingerprints"
- Previous message: Dale Pontius: "Re: Practical advice on keeping / readonly"
- In reply to: Tim Haynes: "Re: Strange netstat output - possible hacking attempt?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: gimpwarez@hotmail.com (G1X2) Date: 11 Jan 2002 18:40:46 -0800
Tim Haynes <usenet@stirfried.vegetable.org.uk> wrote in message news:<86r8ow3igs.fsf@potato.vegetable.org.uk>...
> Hal Burgiss <hal@burgiss.net> writes:
>
> > On Fri, 11 Jan 2002 16:31:37 GMT, g1x2 <g1x2@!!!earthlink.net> wrote:
> > >>
> > >> tcp 0 0 200.xxx.xxx.xx:80 192.168.0.8:1168 SYN_RECV -
> > >> tcp 0 0 200.xxx.xxx.xx:80 192.168.0.8:1170 SYN_RECV -
> > >> tcp 0 0 200.xxx.xxx.xx:80 192.168.0.8:1163 SYN_RECV -
> > >> tcp 0 0 200.xxx.xxx.xx:80 192.168.0.8:1173 SYN_RECV -
> > >> tcp 0 0 200.xxx.xxx.xx:80 192.168.0.8:1169 SYN_RECV -
> > >> tcp 0 0 200.xxx.xxx.xx:80 192.168.0.8:1171 SYN_RECV -
> > >>
> > > them down. Then you can do a rarp on that MAC address, and you might
> > > get there real IP address back; then you can turn them in for port
> > > scanning or what ever.
> >
> > Hmmm...he's running a web server, and someone is connected to it. I don't
> > think we can really call that 'port scanning' in any illegitimate sense.
> > Certainly curious there about the private IP. If it's something like
> > CodeRed, I'd check Apache logs for more info. As to spoofing, why spoof
> > on port 80 connections? The perp gets nothing back, and unless there is
> > much, much more than what is shown, it's not DoS. A nice mystery, but
> > probably harmless would be my guess.
>
> The perp *may* get stuff back if your "firewall" allows forwarding back
> out, and they're sufficiently few hops away from you that the routers in-
> between don't drop 192.168-stuff.
>
> You also wouldn't expect the whole TCP sequence to be maintained - it's
> very cheap to send a single SYN packet, and see what *ICMP* comes back, let
> alone TCP, and say you've discovered a machine behind the firewall for
> further investigation. Oh, and guess how "just one SYN received" looks in
> `netstat`? ;8)
>
> That's the `illegitimate' approach. The more *likely* approach is that some
> schmuck is sending out 192.168-something packets due to a misconfiguration,
> the outgoing SYN_ACKs aren't being routed out, and you're getting crap.
>
> I've seen this myself when I used to live on an ISP with 2-hour cut-off;
> having a 10.0/24 LAN myself, with a pretty-much permanent SSH connection
> out to the colo swerver, the ISP would cut the link, outgoing packets would
> somehow make it out as 10.0/24 without being ed, and would hit the
> colo swerver to be dropped in the firewall as invalid. A most bizarre state
> of affairs, but that ISP sucked anyway ;)
>
> ~Tim
Forget the port scanning thing, I was 90-98% asleep :P still hurts
though :/
I would check the Apache logs like suggested. Script/App: By setting a
"Requests per 10 seconds per host rule" and only enforcing these rules
on application pages where queries hit your database pretty hard (more
than 5 seconds) and having the option to set the amount of requests
per page every 10 seconds, this will eliminate the problem. Also this
will stop those people that get frustrated and click their browser
reload button non-stop because they think clicking it will make the
page come up. I am guessing there will be a lot of entries, that's why I
posted the script suggestion.
Class A 10.*.*.*, Class B 172.16.*.*, Class C 192.168.0.* IP blocks
should never leave your LAN/WAN on to your provider's network. Your ISP
may use 10.0/24 for NEs and maybe even the hosts. This means all host
traffic is being proxied, forwarded, NATed, or whatever. But still
there are distinct boundaries where these local network IPs live
within their side of the NT point. If a remote host connects to your
web server and they are running a 10.* and the log files show a
connection from 10.* due to the host ident, but it is not the real IP
connecting to your server; example if they got to you from a NAT
router on another ISP. The only way this can happen across peering
networks is to have your ISP, LXC, or IXC running VPN/MPLS/NAT
connections making it a WAN. ISPs have WANs across many peering
networks and have 10.* for all their NEs for IN sides of the NEs.
Guess it's all about configuration. To further add to the fact that I
am a moron.
Must buy sleep. World fading :p
I would also like to see spamming TCP connections to port 80 on this
guy's web server due to a 'misconfiguration' from the mysterious host.
G1X2 "I am n00bie hear me snore!" atm
//G1X2 "Gone Times 2"
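As an added illustration of the "requests per 10 seconds per host" rule G1X2 sketches above (this is example code written for this archive page, not something posted in the thread): a sliding-window limiter keyed by (host, page) where only the expensive pages carry a limit and each such page gets its own budget. The page names, limits and the request timeline are constructed for the example.

```python
# Added example, not from the original thread: per-host, per-page sliding-window
# request limiter. Page names, limits and the sample timeline are constructed.
from collections import defaultdict, deque

WINDOW_SECONDS = 10

# Only pages whose handlers hit the database hard get a rule; every other page is
# unmetered. The names and numbers here are assumptions for the example.
PAGE_LIMITS = {
    "/search": 3,   # at most 3 hits per host per 10-second window
    "/report": 1,
}


class HostRateLimiter:
    def __init__(self, page_limits=PAGE_LIMITS, window=WINDOW_SECONDS):
        self.page_limits = page_limits
        self.window = window
        # (host, page) -> timestamps of hits still inside the window
        self._hits = defaultdict(deque)

    def allow(self, host, page, now):
        """Return True if the request may proceed, False if it should be refused."""
        limit = self.page_limits.get(page)
        if limit is None:
            return True  # unmetered page, never throttled
        q = self._hits[(host, page)]
        # Discard hits that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


def replay(requests, limiter=None):
    """Feed (timestamp, host, page) tuples through the limiter.

    Returns a list of (timestamp, host, page, allowed) so the decisions can be inspected.
    """
    limiter = limiter or HostRateLimiter()
    return [(ts, host, page, limiter.allow(host, page, ts)) for ts, host, page in requests]


# Constructed sample: one host hammering reload on /search, another browsing normally.
SAMPLE = [
    (0.0, "192.168.0.8", "/search"),
    (0.5, "192.168.0.8", "/search"),
    (1.0, "192.168.0.8", "/search"),
    (1.5, "192.168.0.8", "/search"),      # 4th hit inside 10 s -> refused
    (2.0, "192.168.0.8", "/index.html"),  # unmetered page -> allowed
    (3.0, "10.1.2.3", "/search"),         # different host, separate budget
    (11.0, "192.168.0.8", "/search"),     # earliest hits expired -> allowed again
]

if __name__ == "__main__":
    for ts, host, page, ok in replay(SAMPLE):
        print(f"{ts:5.1f}s {host:<12} {page:<12} {'allowed' if ok else 'refused'}")
```

The refusal is per (host, page) rather than per host overall, which is what lets the cheap pages keep working for a client that has exhausted its budget on a heavy one; the 10-second window slides rather than resetting on a fixed boundary, so a reload storm cannot sneak through by straddling two windows.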
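For the RFC 1918 point made by Tim and G1X2 (private 10/8, 172.16/12 and 192.168/16 addresses should never show up as the peer of a public-facing socket) and the "check the Apache logs" suggestion, here is an added detection example written for this page, not code from anyone in the thread. It parses `netstat -n`-style lines like the ones quoted, flags entries whose public local socket has a private-range peer, counts half-open SYN_RECV entries per peer, and counts private client addresses in Apache access-log lines. The sample lines are constructed; 203.0.113.5 is a documentation address standing in for the masked 200.xxx.xxx.xx of the original post.

```python
# Added example, not from the original thread. Sample netstat and access-log lines
# below are constructed; 203.0.113.5 (RFC 5737 test range) stands in for the
# masked public address in the quoted netstat output.
import ipaddress
import re
from collections import Counter

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


# netstat -n layout: proto recv-q send-q local:port foreign:port state [pid/program]
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<remote>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<state>[A-Z_]+)"
)


def parse_netstat(line):
    """Return the fields of one netstat line as a dict, or None if it does not parse."""
    m = NETSTAT_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_private_peers(netstat_lines):
    """Entries where a non-private (public) local socket has an RFC 1918 peer."""
    flagged = []
    for line in netstat_lines:
        e = parse_netstat(line)
        if e and is_private(e["remote"]) and not is_private(e["local"]):
            flagged.append(e)
    return flagged


def half_open_by_peer(entries):
    """Count SYN_RECV entries per remote host: many half-open, none ESTABLISHED
    is the single-SYN pattern Tim describes."""
    return Counter(e["remote"] for e in entries if e["state"] == "SYN_RECV")


def private_clients_in_access_log(log_lines):
    """Count Apache common/combined log lines whose client field is a private address."""
    hits = Counter()
    for line in log_lines:
        client = line.split(" ", 1)[0]
        try:
            if is_private(client):
                hits[client] += 1
        except ValueError:
            continue  # malformed line, skip it
    return hits


# Constructed samples.
NETSTAT_SAMPLE = """\
tcp        0      0 203.0.113.5:80          192.168.0.8:1168        SYN_RECV    -
tcp        0      0 203.0.113.5:80          192.168.0.8:1170        SYN_RECV    -
tcp        0      0 203.0.113.5:80          192.168.0.8:1163        SYN_RECV    -
tcp        0      0 203.0.113.5:80          198.51.100.7:40312      ESTABLISHED -
tcp        0      0 127.0.0.1:3306          127.0.0.1:51000         ESTABLISHED -
""".splitlines()

ACCESS_LOG_SAMPLE = """\
192.168.0.8 - - [11/Jan/2002:16:30:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [11/Jan/2002:16:30:02 +0000] "GET /index.html HTTP/1.1" 200 1043
192.168.0.8 - - [11/Jan/2002:16:30:03 +0000] "GET /about.html HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    flagged = flag_private_peers(NETSTAT_SAMPLE)
    print("private peers on public sockets:", len(flagged))
    print("half-open per peer:", dict(half_open_by_peer(flagged)))
    print("private clients in access log:", dict(private_clients_in_access_log(ACCESS_LOG_SAMPLE)))
```

Loopback entries are left alone because 127.0.0.0/8 is not an RFC 1918 range and a local socket talking to a local peer is expected. The same `is_private` check is the rule a border filter would apply in either direction: a private source arriving from the provider side is either a neighbour's misconfiguration or spoofing, and in both cases it is worth logging rather than answering.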