Re: Attack?: strange packets with 0.0.0.0 source and various destination IPs and ports

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 04/10/02



< martinius
>A couple of weeks ago my machine was hacked via an rpc.statd exploit and
>a root kit was dropped in. Since then I've re-formatted the relevant
>filesystems an reinstalled from known good sources and really tightened
>up my firewall rules and have been monitoring the firewall logs.

Good. Have you changed all your passwords? Perhaps the intruder already
knows your password. I guess eth1 is your external interface. Right?
If eth1 is the internal interface, all of my work below is incorrect
and you should ignore it. In that case the only strange things are the
source IP 0.0.0.0 or your local Windoze box, maybe your
misconfiguration. Please post your local network topology and firewall
configuration. Firewall configuration is not my specialty, so someone
else will help you.

>Today I came across the following and I don't quite understand whether
>I've misconfigured something or whether this is an attempt at an exploit.
>
>Apr 9 21:05:49 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17
>0.0.0.0:1033 24.153.22.195:53 L=64 S=0x00 I=7401 F=0x0000 T=128 (#29)
>Apr 9 21:05:49 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17
>0.0.0.0:4343 24.153.22.67:53 L=86 S=0x00 I=55789 F=0x0000 T=128 (#29)
>Apr 9 21:05:50 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17
>0.0.0.0:1035 24.153.22.67:53 L=64 S=0x00 I=7402 F=0x0000 T=128 (#29)
>Apr 9 21:05:50 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17
>0.0.0.0:1035 24.153.22.195:53 L=64 S=0x00 I=7403 F=0x0000 T=128 (#29)
>Apr 9 21:05:51 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17
>0.0.0.0:4343 24.153.22.67:53 L=86 S=0x00 I=56045 F=0x0000 T=128 (#29)

UDP packets to port 53 domain (dns, named). The packet lengths are 64
and 86 bytes. The DF flag is not set. The destination addresses are
24.153.22.195 and 24.153.22.67. Are 24.153.22.195 and 24.153.22.67
your ISP's DNS servers?

SPT   L    I      step  hex   swapped  swapped-dec  step
1033  64   7401         1ce9
1035  64   7402   +1    1cea
1035  64   7403   +1    1ceb
4343  86   55789        d9ed  edd9     60889
4343  86   56045  +256  daed  edda     60890        +1

It looks like these packets originate from two boxes (a distributed
scan/attack). One is little-endian and the other is big-endian (perhaps
PowerPC or something else), and each ID is monotonically increasing.
Or they come from one single box with a very sophisticated
multi-threaded crafting tool.

>Apr 9 21:32:49 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:1549 207.68.176.250:80 L=64 S=0x00 I=5822 F=0x4000 T=128 SYN (#31)
>Apr 9 21:33:25 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:1553 207.68.176.250:80 L=64 S=0x00 I=5856 F=0x4000 T=128 SYN (#31)
>Apr 9 21:34:11 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:1555 207.68.176.250:80 L=64 S=0x00 I=5878 F=0x4000 T=128 SYN (#31)
>Apr 9 21:34:14 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:1555 207.68.176.250:80 L=64 S=0x00 I=5879 F=0x4000 T=128 SYN (#31)
>Apr 9 21:34:20 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:1555 207.68.176.250:80 L=64 S=0x00 I=5880 F=0x4000 T=128 SYN (#31)

TCP SYN packets to port 80 http. The length is 64 bytes. The DF flag is
set. The destination address is 207.68.176.250. Is 207.68.176.250 your
favorite web site?

207.68.176.250 MSN (NETBLK-MSN-BLK)

SPT   I     step  hex
1549  5822        16be
1553  5856  +34   16e0
1555  5878  +22   16f6
1555  5879  +1    16f7
1555  5880  +1    16f8

It looks like these packets originate from one single little-endian
box, with the ID monotonically increasing.

>Apr 9 21:53:22 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:4315 66.185.95.101:110 L=48 S=0x00 I=18810 F=0x4000 T=128 SYN (#31)
>Apr 9 21:53:28 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:4315 66.185.95.101:110 L=48 S=0x00 I=18811 F=0x4000 T=128 SYN (#31)

TCP SYN packets to port 110 pop3. The length is 48 bytes. The DF flag
is set. The destination address is 66.185.95.101. Is 66.185.95.101 your
ISP's POP3 server?

SPT   L    I      step  hex
4315  48   18810        497a
4315  48   18811  +1    497b

It looks like these packets originate from one single little-endian
box, with the ID monotonically increasing.

>Apr 9 21:53:33 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6
>0.0.0.0:1452 128.242.237.107:80 L=44 S=0x00 I=35619 F=0x4000 T=128 SYN (#31)

A TCP SYN packet to port 80 http. The length is 44 bytes. The DF flag
is set. The destination address is 128.242.237.107. Is 128.242.237.107
your favorite web site?

SPT   L    I      hex
1452  44   35619  8b23

>etc etc. the above is only a sample. I have tens, if not hundreds, of
>entries from that time period.

The source IP is always 0.0.0.0, the historical broadcast address. The
TTL is always 128. Sometimes a prober uses a source IP address of
0.0.0.0 and port 0 for OS fingerprinting. If your real IP address is
24.114.40.84, all the destination IP addresses are strange:
24.153.22.195, 24.153.22.67, 207.68.176.250, 66.185.95.101,
128.242.237.107. Perhaps it is your ISP's misconfiguration or sloppy
configuration. You should mail your ISP. Or perhaps an attacker sits
on compromised boxes upstream of you.

>These things could be completely unrelated but I'm not sure of that.
>Any ideas whether this is an attack and if so, what the attempted
>exploit is?

My guess: 90% scan, 10% exploit. Once an attacker has owned your box,
they know your IP. The attacker wishes to re-compromise your box and
searches it for security holes. If the attacker finds a security hole,
they will use an exploit. You should plug all holes. I wish your box
safe.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
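The IP ID reading RainbowHat does by hand above (hex the I= field, try it
byte-swapped, see which reading gives a small monotonic step, and count how
many independent counters that leaves) can be automated. The following is an
added example, not code from the thread or from ipchains itself: it parses
the quoted "Packet log:" lines, groups them by protocol and destination port
the way the reply does, and greedily splits each group's IP IDs into the
fewest increasing counters, each read either natively or byte-swapped. The
sample log is the thread's own lines re-joined one per line (constructed
input); the stream-splitting rule, its 256 step limit, and the grouping key
are this example's assumptions, not something the reply specifies.

```python
# Added example: read the IP ID field of ipchains log lines to estimate how many
# senders (and which byte order) are behind a burst of 0.0.0.0-sourced packets.
import re
from collections import defaultdict

# Constructed sample input: the lines quoted in the thread, each re-joined onto
# one line (ipchains writes one syslog line per packet; the mail wrapped them).
SAMPLE_LOG = """\
Apr 9 21:05:49 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:1033 24.153.22.195:53 L=64 S=0x00 I=7401 F=0x0000 T=128 (#29)
Apr 9 21:05:49 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:4343 24.153.22.67:53 L=86 S=0x00 I=55789 F=0x0000 T=128 (#29)
Apr 9 21:05:50 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:1035 24.153.22.67:53 L=64 S=0x00 I=7402 F=0x0000 T=128 (#29)
Apr 9 21:05:50 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:1035 24.153.22.195:53 L=64 S=0x00 I=7403 F=0x0000 T=128 (#29)
Apr 9 21:05:51 cr237542-a kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:4343 24.153.22.67:53 L=86 S=0x00 I=56045 F=0x0000 T=128 (#29)
Apr 9 21:32:49 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:1549 207.68.176.250:80 L=64 S=0x00 I=5822 F=0x4000 T=128 SYN (#31)
Apr 9 21:33:25 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:1553 207.68.176.250:80 L=64 S=0x00 I=5856 F=0x4000 T=128 SYN (#31)
Apr 9 21:34:11 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:1555 207.68.176.250:80 L=64 S=0x00 I=5878 F=0x4000 T=128 SYN (#31)
Apr 9 21:34:14 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:1555 207.68.176.250:80 L=64 S=0x00 I=5879 F=0x4000 T=128 SYN (#31)
Apr 9 21:34:20 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:1555 207.68.176.250:80 L=64 S=0x00 I=5880 F=0x4000 T=128 SYN (#31)
Apr 9 21:53:22 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:4315 66.185.95.101:110 L=48 S=0x00 I=18810 F=0x4000 T=128 SYN (#31)
Apr 9 21:53:28 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:4315 66.185.95.101:110 L=48 S=0x00 I=18811 F=0x4000 T=128 SYN (#31)
Apr 9 21:53:33 cr237542-a kernel: Packet log: input DENY eth1 PROTO=6 0.0.0.0:1452 128.242.237.107:80 L=44 S=0x00 I=35619 F=0x4000 T=128 SYN (#31)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<spt>\d+) (?P<dst>[\d.]+):(?P<dpt>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<tcpflags>[A-Z]+))? \(#(?P<rule>\d+)\)"
)
DF = 0x4000  # Don't-Fragment bit in the IP flags/fragment-offset word (F=0x4000)


def parse_ipchains(text):
    """One dict per matching line; numeric fields converted, 'df' derived from F."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p = m.groupdict()
        for key in ("proto", "spt", "dpt", "length", "ipid", "ttl", "rule"):
            p[key] = int(p[key])
        p["tos"] = int(p["tos"], 16)
        p["frag"] = int(p["frag"], 16)
        p["df"] = bool(p["frag"] & DF)
        packets.append(p)
    return packets


def bswap16(value):
    """The same 16-bit IP ID as a host of the opposite endianness would have written it."""
    return ((value & 0xFF) << 8) | (value >> 8)


VIEW = {"native": lambda v: v, "swapped": bswap16}


def split_ipid_streams(ids, max_step=256):
    """Greedily partition IP IDs (arrival order) into the fewest increasing counters.

    An ID joins a stream when its forward distance (mod 2^16) from the stream's
    last ID, read in that stream's byte order, is 1..max_step (assumed limit).
    The second ID of a stream fixes its byte order, taking the reading with the
    smaller step, so +1 swapped beats +256 native.  Returns [(order, [ids]), ...].
    """
    streams = []
    for raw in ids:
        for s in streams:
            orders = [s["order"]] if s["order"] else ["native", "swapped"]
            best = None
            for order in orders:
                step = (VIEW[order](raw) - VIEW[order](s["ids"][-1])) % 0x10000
                if 1 <= step <= max_step and (best is None or step < best[0]):
                    best = (step, order)
            if best:
                s["order"] = best[1]
                s["ids"].append(raw)
                break
        else:  # no existing counter explains this ID: open a new one
            streams.append({"order": None, "ids": [raw]})
    return [(s["order"] or "native", s["ids"]) for s in streams]


def analyse(text):
    """Group packets by (proto, dport), as the reply does, and count apparent senders."""
    packets = parse_ipchains(text)
    ids_by_service = defaultdict(list)
    for p in packets:
        ids_by_service[(p["proto"], p["dpt"])].append(p["ipid"])
    return {
        "srcs": {p["src"] for p in packets},
        "ttls": {p["ttl"] for p in packets},
        "df": {p["df"] for p in packets},
        "streams": {k: split_ipid_streams(v) for k, v in ids_by_service.items()},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("source addresses:", report["srcs"], "TTLs:", report["ttls"])
    for (proto, dport), streams in sorted(report["streams"].items()):
        print(f"proto {proto} dport {dport}: {len(streams)} counter(s)")
        for order, ids in streams:
            print(f"  {order:8s} {ids}")
```

Run stand-alone, it reproduces the reply's reading: the port 53 packets fall
into two counters (7401, 7402, 7403 read natively; 55789, 56045 read
byte-swapped as 60889, 60890), while the port 80 and port 110 bursts each sit
on one native counter. The lone SYN to 128.242.237.107 opens its own counter
because its ID (35619) is nowhere near the 5822..5880 counter seen nineteen
minutes earlier, which the greedy rule cannot bridge; a single host with a
busy IP ID counter would look the same, so the count is an upper bound on
confidence, not proof of separate boxes.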
