Re: A few odd outbound packets
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)Date: 03/31/02
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Sun, 31 Mar 2002 20:49:37 +0000 (UTC)
< frankB
>Every now and then I get a couple of strange outbound packets that are
>caught by IPTABLES - I only allow a few specific ports open for outbound
>and all inbound is only on established connections (machine is also behind
>a router).
I think "only allow a few specific ports open for outbound" is a very
good security policy. I wonder which 2.4.?? version of the kernel you are
using. IIRC, under 2.4.14 the DF flag is set, but this packet didn't set DF.
You said "established connections" but you didn't say _related_
connections. Did you install the ftp kernel module?
>Mar 29 18:25:59 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0
>SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64
>ID=6144 PROTO=TCP SPT=33483 DPT=44483 WINDOW=5840 RES=0x00 SYN URGP=0
The minimum TCP/IP SYN packet length is 40 bytes (IP 20 bytes + TCP 20
bytes), but in this case LEN=60. This is a SYN packet, so the TCP data
payload length is 0.
The minimum IP packet length is 20 bytes and options can be appended (0 to 10
words of 32 bits), but 99% of IP packets have no options. The 'Record Route'
option may only be allowed if the transport protocol is ICMP, or not
at all. Sometimes attackers append a source routing option that specifies
the route a packet should take, to go around firewalls.
The minimum TCP packet length is 20 bytes and options can be appended (0 to 10
words of 32 bits).
SPT=33483 DPT=44483: the last 3 digits are the same (483) and the first 2 digits are
33 and 44. Traceroute uses ports 33434 to 33600, but this is not the UDP
protocol.
Sometimes attackers use the TOS, ID and Padding fields of IP and the Reserved
and Padding fields of TCP for covert channel purposes.
In most cases, what the other guy suggested is correct (98%). If you are security
paranoid and worry about the remaining 2%, how about appending log options to
your iptables rules or capturing packets using tcpdump (note: old tcpdump
had a vulnerability)? If you observe the same type of packets again, please
post here.
--log-ip-options and --log-tcp-options
/usr/sbin/tcpdump -nvv -i eth0 -s 120 dst net 64.12.168.202
>Mar 29 18:26:39 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0
>SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64
>ID=6144 PROTO=TCP SPT=33485
I wonder whether the rest of the 'SPT=' log was snipped or not logged. In the above two
packets the ID is the same (6144) but the SPT is 33483 and 33485 (incremented by 2)
40 seconds later. If a packet is fragmented, the SPT is usually the same, and these
logs have no FRAG field. If the second packet is a SYN and the SPT is different,
the packet ID is usually different. I wonder whether you really rejected
(dropped) the first outbound packet or not. I'd like to know the TCP flags of
the second packet.
>I don't see any pattern that relates to apps I'm running. Mostly it's just
>mail, web, news. I had a couple of these packets about a week ago, but
>nothing for the last few days. I read 1 post that suggested this could be
>a rootkit. I just ran chkrootkit 0.35, and everything came up negative.
AFAIK reverse backdoors are still experimental; they are not included in
rootkits and chkrootkit has not supported them yet. Do you remember what
you were doing when this was logged? Next time this type of outgoing packet
is logged, please remember what you are doing and which background processes
are running. If you observe it while you are browsing the web, download
the html source code and investigate the html code. Are you enabling
Java or JavaScript?
wget; lynx -dump; or your favorite browser's 'save source' menu.
<iframe src="http://ftp24c.newaol.com:44483/ ... " ... ></iframe>
<img src="http://ftp24c.newaol.com:44483/web_bug.gif" ... ></img>
-- Best Regards, RainbowHat. I support FULL DISCLOSURE.
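A small triage script for iptables LOG lines of the shape quoted in this thread, added here as an example and not part of the original post or of any project: it parses the KEY=VALUE fields and bare flag tokens, computes how many bytes a plain SYN carries beyond the 40-byte IP+TCP minimum (the same arithmetic the post does for LEN=60), flags a non-zero TOS field and an IP ID reused with different source ports, all on the defender's side of the log. The sample lines are constructed, modelled on the two quoted packets plus one benign control line; the script assumes the default LOG output format and, as the post notes, without --log-ip-options / --log-tcp-options it cannot say which options make up the excess.

```python
"""Triage helper for iptables LOG lines (constructed example, not from the thread)."""
import re
from collections import defaultdict

IP_HDR_MIN = 20   # IPv4 header without options
TCP_HDR_MIN = 20  # TCP header without options
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines modelled on the format quoted in the post: the
# first two mirror the reported packets, the third is a benign control line.
SAMPLE_LOG = """\
Mar 29 18:25:59 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=33483 DPT=44483 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 18:26:39 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=33485 DPT=44483 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 18:27:01 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.168.1.250 DST=10.0.0.5 LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=7001 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""


def parse_line(line):
    """Split one LOG line into timestamp, rule prefix, KEY=VALUE fields and TCP flags.

    Returns None for lines that are not iptables LOG output."""
    head, sep, body = line.partition("kernel: ")
    if not sep or "IN=" not in body:
        return None
    prefix, _, fields = body.partition("IN=")
    rec = {"ts": " ".join(head.split()[:3]), "prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + fields).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val            # e.g. LEN=60, SPT=33483 (IN= yields "")
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)     # bare tokens such as SYN or ACK
    return rec


def syn_option_bytes(rec):
    """Header bytes beyond the 40-byte IP+TCP minimum on a bare SYN.

    A SYN carries no payload, so any excess must be IP options, TCP options or
    both; the plain LOG line cannot tell which, --log-ip-options and
    --log-tcp-options can. Returns None for anything that is not a bare SYN."""
    if rec.get("PROTO") != "TCP" or rec["flags"] != {"SYN"}:
        return None
    return int(rec["LEN"]) - (IP_HDR_MIN + TCP_HDR_MIN)


def analyze(log_text):
    """Return a list of (kind, detail) findings over a block of LOG lines."""
    findings = []
    ports_by_id = defaultdict(set)   # (SRC, DST, ID) -> source ports seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        extra = syn_option_bytes(rec)
        if extra:
            findings.append(("syn_options",
                             f"{rec['ts']} SYN {rec['SRC']}:{rec['SPT']} -> "
                             f"{rec['DST']}:{rec['DPT']} carries {extra} bytes of IP/TCP options"))
        # TOS is one of the fields the post names as a covert-channel carrier;
        # a non-zero value is worth a look, not proof of anything by itself.
        if rec.get("TOS", "0x00") != "0x00":
            findings.append(("tos", f"{rec['ts']} non-zero TOS {rec['TOS']} to {rec['DST']}"))
        if rec.get("PROTO") == "TCP":
            ports_by_id[(rec["SRC"], rec["DST"], rec["ID"])].add(rec["SPT"])
    # Same IP ID on unfragmented packets with different source ports is the
    # oddity the post points out for ID=6144; surface it for a closer look.
    for (src, dst, ident), spts in ports_by_id.items():
        if len(spts) > 1:
            findings.append(("id_reuse",
                             f"IP ID {ident} {src} -> {dst} seen with source ports {sorted(spts)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

The 20 option bytes the script reports for the quoted SYNs is exactly what a Linux SYN carrying MSS, SACK-permitted, timestamp, a NOP and window scaling adds up to, so that figure alone does not separate a normal connection attempt from anything else; the ID reuse and the unknown destination port are the details worth chasing with the option logging and tcpdump capture the post suggests.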