[PLUG] tracking down a portscanner

Kurt Sussman plug at merlot.com
Tue Jun 20 14:59:45 UTC 2006


Dwight Hubbard (dwight at dwightandamy.com) typed this ...
> So the source IP is the server and there were probes to all the ports you 
> mentioned.  
> 
> Some questions I can think of:
> 
> Is there anything in the logs to indicate the source port.

Here's a typical iptables log entry:

  Jun 20 07:15:38 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=64 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Yes, the source port is logged, 80 in the line above.

> How many interfaces are there on the host?

18, including the loopback, 2 physical.

> Which interfaces did iptables block?

The physical interface that handles all outgoing traffic; the other
interface is part of a back net.

> It might be helpful to actually see some of the log entries.

  Jun 20 07:18:27 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=224 WINDOW=5840 RES=0x00 ACK SYN URGP=0

  Jun 20 07:18:35 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=128 WINDOW=5840 RES=0x00 ACK SYN URGP=0

  Jun 20 07:18:50 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=51 WINDOW=5840 RES=0x00 ACK SYN URGP=0

  Jun 20 07:18:58 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0

  Jun 20 07:19:05 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0

  Jun 20 07:19:13 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
  ID=0 DF PROTO=TCP SPT=80 DPT=40 WINDOW=5840 RES=0x00 ACK SYN URGP=0

OK? I'm starting to think that these are intentionally misformed packets
from the outside, reflected off the server to some 'target' host.

Anything backed by actual experience will be more useful than my raw
opinion.

Thanks!

--Kurt

> On Monday 19 June 2006 22:38, Kurt Sussman wrote:
> > A friend of mine is running a web hosting system, and lately logwatch
> > has shown him what appears to be a portscan that was blocked by iptables.
> > This is great, except that the portscan was initiated by his server.
> >
> > Logwatch says that from his main IP, it saw these attempts:
> >
> > 5588 packets to
> > tcp(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,23,24,26,27,28,29,30
> > ,31,32,33,34,35,36,38,39,40,41,42,44,45,46,47,48,49,50,51,52,54,55,56,57
> > ,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,81,82
> > ,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,
> > 105,106,107,108,109,112,114,115,116,117,118,119,120,121,122,123,124,125,
> > 126,127,128,129,130,131,132,133,134,140,141,142,143,144,145,146,147,148,
> > 149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,
> > 167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,
> > 185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,
> > 203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,
> > 221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,
> > 239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,324,
> > 328,329,468,526,563,576,601,603,644,651,677,693,700,702,715,728,798,818,
> > 822,824,830,!
> > 831,871,876,877,878,879,880,932,933,935,936,940,974,976,977,981,983,2268
> > ,2452,2577,2587,2588,2627)
> >
> > Any ideas on how I can find out which user is doing this? Users don't
> > have shell access, but can upload scripts to their web sites. The logs
> > show these attempts to connect to various ports throughout the day. They
> > are non-sequential. I have grepped the logs for obvious patterns (e.g.
> > apache logs for URLs with port= parameters), but have found nothing so
> > far.
> >
> > I've considered trying to match up the datestamps of the iptables hits
> > against apache logs, but haven't gotten to that yet.
> >
> > Any tips?
> >
> > Thanks!
> >
> > --Kurt
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

-- 
----------------------------------------------------------------------
    Merlot Research Group, Inc               http://www.merlot.com
    kls[at]merlot.com       GPG key 82505A74      Jabber: MerlotQA
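The log entries quoted in the message above, parsed and classified as an added example (Python written for this page; it is not code from the thread, from logwatch, or from the iptables project). It assumes only the kernel log format shown in the post. The seven real entries are embedded as-is; the three extra lines using RFC 5737 documentation addresses are constructed to show what a scanner running on the host itself would look like by contrast. The heuristic is the one Kurt is reasoning toward: a local scanner emits SYN-only packets from ephemeral source ports, whereas replies to spoofed SYNs are SYN+ACK packets whose source port is a service the host really listens on, and whose destination ports are whatever the spoofing party chose.

```python
import re
from collections import defaultdict

# Bare tokens iptables prints without a KEY=VALUE form (TCP flags plus DF).
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CWR", "ECE"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Parse one kernel/iptables log line into a dict of fields.

    Returns None for lines that carry no IN=/OUT= block. KEY=VALUE fields are
    kept as strings; bare flag tokens (ACK, SYN, DF, ...) go into rec["flags"].
    """
    line = line.strip()
    idx = line.find("IN=")
    if idx < 0:
        return None
    tail = line[idx:]
    rec = {"timestamp": line[:15]}          # syslog "Mon DD HH:MM:SS"
    rec.update(FIELD_RE.findall(tail))      # list of (key, value) pairs
    rec["flags"] = {tok for tok in tail.split()
                    if "=" not in tok and tok in FLAG_TOKENS}
    return rec


def summarize_outbound(lines, min_distinct_dports=3):
    """Group dropped outbound TCP packets by (SRC, DST) and classify each group.

    'reflected SYN/ACK': every packet is SYN+ACK from a service port (<1024)
    and fans out over many destination ports, i.e. the host is answering
    spoofed SYNs that carried the victim's address as source.
    'local scanner': every packet is SYN-only from an ephemeral port (>=1024)
    and fans out over many destination ports.
    """
    groups = defaultdict(lambda: {"count": 0, "dports": set(), "sports": set(),
                                  "synack": 0, "syn_only": 0})
    for line in lines:
        r = parse_iptables_line(line)
        if r is None or r.get("PROTO") != "TCP" or not r.get("OUT"):
            continue                         # not an outbound TCP entry
        g = groups[(r["SRC"], r["DST"])]
        g["count"] += 1
        g["dports"].add(int(r["DPT"]))
        g["sports"].add(int(r["SPT"]))
        if {"SYN", "ACK"} <= r["flags"]:
            g["synack"] += 1
        elif "SYN" in r["flags"]:
            g["syn_only"] += 1

    verdicts = {}
    for key, g in groups.items():
        service_src = all(p < 1024 for p in g["sports"])
        ephemeral_src = all(p >= 1024 for p in g["sports"])
        spread = len(g["dports"]) >= min_distinct_dports
        if spread and g["synack"] == g["count"] and service_src:
            verdict = "reflected SYN/ACK (replies to spoofed SYNs aimed at a local service)"
        elif spread and g["syn_only"] == g["count"] and ephemeral_src:
            verdict = "local scanner (outbound SYNs from ephemeral ports)"
        else:
            verdict = "indeterminate"
        verdicts[key] = {"verdict": verdict, "packets": g["count"],
                         "distinct_dports": len(g["dports"]),
                         "source_ports": sorted(g["sports"])}
    return verdicts


# Sample input: the seven entries quoted in the post, each collapsed to one
# line, followed by three CONSTRUCTED lines (RFC 5737 documentation addresses)
# showing the signature of a scanner running on the host itself.
SAMPLE_LOG = [
    "Jun 20 07:15:38 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=64 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Jun 20 07:18:27 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=224 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Jun 20 07:18:35 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=128 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Jun 20 07:18:50 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Jun 20 07:18:58 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Jun 20 07:19:05 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Jun 20 07:19:13 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=40 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    # constructed contrast: SYN-only packets from ephemeral ports
    "Jun 20 08:00:01 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41001 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 20 08:00:02 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41002 DF PROTO=TCP SPT=41235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun 20 08:00:03 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41003 DF PROTO=TCP SPT=41236 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for (src, dst), info in summarize_outbound(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's lines; the `IN=` search skips everything that is not a firewall entry. The point it makes for this thread: every quoted packet is SYN+ACK from port 80, so the "scan" is the web server answering connection attempts it received, and the users' scripts are not the place to look. Useful corroboration is the inbound side: a rule logging incoming SYNs to port 80 would show the same spoofed 203.206.95.1 source with those destination ports as its source ports.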
