[PLUG] tracking down a portscanner

dwight@dwightandamy.com dwight.hubbard at mac.com
Tue Jun 20 23:01:21 UTC 2006


They could be attempting to bounce packets off your machine to probe a remote host.  However, all the blocked packets are outbound with SYN/ACK set.  It's possible that 203.206.95.1 is an invalid host and someone was trying a SYN attack.
 
On Tuesday, June 20, 2006, at 07:53AM, Kurt Sussman <plug at merlot.com> wrote:

>Dwight Hubbard (dwight at dwightandamy.com) typed this ...
>> So the source IP is the server and there where probes to all the ports you 
>> mentioned.  
>> 
>> Some questions I can think of:
>> 
>> Is there anything in the logs to indicate the source port.
>
>Here's a typical iptables log entry:
>
>  Jun 20 07:15:38 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=64 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>Yes, the source port is logged, 80 in the line above.
>
>> How many interfaces are there on the host?
>
>18, including the loopback, 2 physical.
>
>> Which interfaces did iptables block?
>
>The physical interface that handles all outgoing traffic; the other
>interface is part of a back net.
>
>> It might be helpful to actually see some of the log entries.
>
>  Jun 20 07:18:27 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=224 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>  Jun 20 07:18:35 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=128 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>  Jun 20 07:18:50 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=51 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>  Jun 20 07:18:58 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>  Jun 20 07:19:05 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>  Jun 20 07:19:13 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0
>  SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64
>  ID=0 DF PROTO=TCP SPT=80 DPT=40 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
>OK? I'm starting to think that these are intentionally misformed packets
>from the outside, reflected off the server to some 'target' host.
>
>Anything backed by actual experience will be more useful than my raw
>opinion.
>
>Thanks!
>
>--Kurt
>
>> On Monday 19 June 2006 22:38, Kurt Sussman wrote:
>> > A friend of mine is running a web hosting system, and lately logwatch
>> > has shown him what appears to be a portscan that was blocked by iptables.
>> > This is great, except that the portscan was initiated by his server.
>> >
>> > Logwatch says that from his main IP, it saw these attempts:
>> >
>> > 5588 packets to
>> > tcp(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,23,24,26,27,28,29,30
>> > ,31,32,33,34,35,36,38,39,40,41,42,44,45,46,47,48,49,50,51,52,54,55,56,57
>> > ,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,81,82
>> > ,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,
>> > 105,106,107,108,109,112,114,115,116,117,118,119,120,121,122,123,124,125,
>> > 126,127,128,129,130,131,132,133,134,140,141,142,143,144,145,146,147,148,
>> > 149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,
>> > 167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,
>> > 185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,
>> > 203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,
>> > 221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,
>> > 239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,324,
>> > 328,329,468,526,563,576,601,603,644,651,677,693,700,702,715,728,798,818,
>> > 822,824,830,!
>> > 831,871,876,877,878,879,880,932,933,935,936,940,974,976,977,981,983,2268
>> > ,2452,2577,2587,2588,2627)
>> >
>> > Any ideas on how I can find out which user is doing this? Users don't
>> > have shell access, but can upload scripts to their web sites. The logs
>> > show these attempts to connect to various ports throughout the day. They
>> > are non-sequential. I have grepped the logs for obvious patterns (e.g.
>> > apache logs for URLs with port= parameters), but have found nothing so
>> > far.
>> >
>> > I've considered trying to match up the datestamps of the iptables hits
>> > against apache logs, but haven't gotten to that yet.
>> >
>> > Any tips?
>> >
>> > Thanks!
>> >
>> > --Kurt
>
>-- 
>----------------------------------------------------------------------
>    Merlot Research Group, Inc               http://www.merlot.com
>    kls[at]merlot.com       GPG key 82505A74      Jabber: MerlotQA
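A small classifier for iptables entries like the ones quoted above, added here as an example and not taken from the thread: it parses the KEY=value fields and separates outbound SYN/ACK (the second step of a handshake, i.e. a reply to a SYN that arrived claiming to be from DST, which is Dwight's reflection reading) from outbound bare SYN (a connection the server itself opened, the kind Kurt would need to match against apache logs). The sample log is constructed from the quoted entries; the 192.0.2.7 line with ports 45012/6667 is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the first three entries mirror the quoted iptables lines
# (each entry is a single line in the real log); the fourth is a constructed
# contrast case, an outbound bare SYN from a high port to a made-up host.
SAMPLE_LOG = """\
Jun 20 07:15:38 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=64 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 20 07:18:27 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=224 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 20 07:18:58 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=203.206.95.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=152 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 20 07:20:01 host20 kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=206.180.226.20 DST=192.0.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=45012 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return the KEY=value fields of one iptables TCP log line plus its bare flag tokens."""
    if "PROTO=TCP" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    tail = line.split("PROTO=TCP", 1)[1]          # flags are bare words after PROTO=TCP
    fields["FLAGS"] = frozenset(tok for tok in tail.split() if tok in TCP_FLAGS)
    return fields

def classify(fields):
    """Locally generated packets have IN= empty. SYN+ACK leaving the box answers a SYN
    that arrived claiming to be from DST; a bare SYN means this host opened the connection."""
    if fields.get("IN") != "" or not fields.get("OUT"):
        return "other"
    if fields["FLAGS"] == {"SYN", "ACK"}:
        return "reply-to-inbound-syn"   # consistent with spoofed SYNs reflected off us
    if fields["FLAGS"] == {"SYN"}:
        return "locally-initiated"      # worth matching against apache/cron timestamps
    return "other"

def summarize(log_text):
    """Group entries by (class, SRC, SPT, DST) and list the distinct DPTs seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is not None:
            key = (classify(fields), fields["SRC"], fields["SPT"], fields["DST"])
            seen[key].add(int(fields["DPT"]))
    return {key: sorted(ports) for key, ports in seen.items()}

if __name__ == "__main__":
    for key, ports in summarize(SAMPLE_LOG).items():
        print(key, "->", len(ports), "distinct DPT(s):", ports)
```

Run it over the real log (one entry per line) and a large count of distinct DPTs under "reply-to-inbound-syn" with SPT=80 points at spoofed inbound SYNs rather than a user's script, while "locally-initiated" entries are the ones to line up with apache logs.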