[Dshield] Scans on ports 49147 and 49148

Peter Feltham peter at intelligentorgs.com
Fri Mar 1 17:50:08 GMT 2002


At 12:04 01/03/2002 -0500, Clint Byrum wrote:
>Message: 5
>Subject: Re: [Dshield] Scans on ports 49147 and 49148
>From: Clint Byrum <cbyrum at erp.com>
>To: list at dshield.org
>Date: 28 Feb 2002 16:00:05 -0800
>
>On Thu, 2002-02-28 at 13:57, Stigers, David wrote:
> > I've seen this attempt on our firewall today and do not see the neo ports
> > listing for this port. If someone knows what this is I'd appreciate the
> > info.
>
>Searched my logs for the last 2 months. Nothing to those ports.
>
> >
> > 02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112 172.26.137.8
> > 66.147.xxx.xx 9009 49148 rst (blocked site)
> > 02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112 172.26.137.10
> > 66.147.xxx.xx 9009 49147 rst (blocked site)
> >
>

[snip]

>Does that 9009 mean its from port 9009? I'm not familiar with
>that log format.

Yes it does, Clint. That's the log-file format coming off a WatchGuard Firebox.

David, as you know, the FireBox will auto-deny unknown ports, and has done so
in this case, so you're safe, it would appear, from that IP (in Canada).

Johannes, interestingly, my own Firebox reported a hit on 19th Feb *from*
port 49148 to SMTP on my spammertrap server. That could reinforce your
muse about Nimda reincarnating via the infected machines still out there
perhaps??

Here's the FireBox log-line concerned, from an IP in Pakistan:

29176   19725098 02/19/02  21:56:40 n allow  in   eth0:9  48        tcp     20        52        202.163.96.5 x.y.143.17   49148     25        syn (SMTP)

In this case the FireBox Log-Format has had two fields prepended by
AgentRansack to show lineNo and Displacement, and is:

lineno displacement date time n* allow/deny/log direction interface packetLength TTL Protocol IPheaderLength source destination SourcePort DestPort OtherDetails

* = can't remember what this is. Ahem.

Interestingly, SpamCop has the sourceIP as an "issue resolved" status,
meaning that they have been bad boys in the past re spam, I guess.
SpamCop reports thusly (after a long time thinking about it):

Parsing input:202.163.96.5
[report history]
ISP believes this issue is resolved 202.163.96.5
ISP believes this issue is resolved:202.163.96.5 - no date available
Tracking ip 202.163.96.5:
[show] "nslookup 202.163.96.5" (getting name) no name
Routing details for 202.163.96.5
[refresh/show] Cached whois for 202.163.96.5:eng at cyber.net.pk, amir at cyber.net.pk
Using last-resort contacts:amir at cyber.net.pk eng at cyber.net.pk
Whois found:amir at cyber.net.pk eng at cyber.net.pk

However... traceroute to that IP gives a munged route hopping to and fro between
routers in above.net. Hmmm.... They're still out there, methinks!



Which reminds me. I promised to send Wayne some scripts I wrote in awk to
transform FireBox format to dShield format. Will get to that today, I hope -
up to my ears in fighting off an attack at the moment. Sigh.

Take care out there

^O^ink



-- 
Peter Feltham, CEO of Intelligent Organisations.
         http://www.intelligentorgs.com

Tel: +44 208 357 7355           Fax: +44 7050 697 405
                         Private  Fax: +44 7050 694 038
-- 
A member of Rheingold Associates
    http://www.rheingold.com/associates/index.html
Join the Brainstorms Anthrax Research team by visiting:
http://members.ud.com/services/teams/team.htm?id=21FAE341-5071-4B7B-A703-5C65022032FB
-- 
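Added example, not the awk scripts the author mentions and not WatchGuard's or DShield's own code: a small Python parser for the Firebox log lines quoted in this thread (both the raw firewalld lines and the AgentRansack-prefixed one), a converter to the DShield submission layout, and a filter that answers Clint's question about which side of the connection a port belongs to. Assumptions: the two numbers around the protocol name are read as packet length, IP header length and then TTL, in the order the sample lines show them (40 tcp 20 112; the 20 matches a minimal IPv4 header), which is slightly different from the field order listed in the post; the DShield line layout used here (date, time, UTC offset, user id, count, source IP, source port, target IP, target port, protocol, TCP flags, tab-separated) is written from memory and should be checked against DShield's current submission documentation; the user id is a placeholder.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Sample input: the lines quoted in the thread, re-joined onto single lines.
# The first two are raw firewalld lines, the third carries the lineNo and
# displacement columns that AgentRansack prepends. The posters' masked
# addresses (66.147.xxx.xx, x.y.143.17) are kept as written.
SAMPLE_LINES = [
    "02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112 172.26.137.8 "
    "66.147.xxx.xx 9009 49148 rst (blocked site)",
    "02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112 172.26.137.10 "
    "66.147.xxx.xx 9009 49147 rst (blocked site)",
    "29176   19725098 02/19/02  21:56:40 n allow  in   eth0:9  48 tcp 20 52 "
    "202.163.96.5 x.y.143.17 49148 25 syn (SMTP)",
]

# Anchor on the date/time and then on the allow/deny/log keyword, so the
# prefix between them ("firewalld[105]:" or the unexplained "n") is skipped.
# Field order after the interface is an assumption taken from the sample
# lines: length, protocol, IP header length, TTL.
FIREBOX_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d\d)\s+(?P<time>\d\d:\d\d(?::\d\d)?)"
    r".*?\b(?P<action>allow|deny|log)\b\s+(?P<direction>in|out)\s+(?P<iface>\S+)"
    r"\s+(?P<length>\d+)\s+(?P<proto>[a-z]+)\s+(?P<hdrlen>\d+)\s+(?P<ttl>\d+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
    r"\s*(?P<details>.*)$"
)


@dataclass
class FireboxEvent:
    date: str            # mm/dd/yy as logged
    time: str            # HH:MM or HH:MM:SS as logged
    action: str          # allow / deny / log
    direction: str       # in / out
    interface: str
    length: int          # packet length in bytes (assumed field order)
    proto: str
    header_length: int   # IP header length; 20 is a minimal IPv4 header
    ttl: int
    source: str
    dest: str
    source_port: int     # the "9009" Clint asked about is this field
    dest_port: int
    details: str         # TCP flag words plus the Firebox annotation, e.g. "syn (SMTP)"


def parse_firebox_line(line: str) -> Optional[FireboxEvent]:
    """Return the parsed event, or None when the line is not a Firebox packet line."""
    m = FIREBOX_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return FireboxEvent(
        date=g["date"], time=g["time"], action=g["action"], direction=g["direction"],
        interface=g["iface"], length=int(g["length"]), proto=g["proto"],
        header_length=int(g["hdrlen"]), ttl=int(g["ttl"]),
        source=g["src"], dest=g["dst"],
        source_port=int(g["sport"]), dest_port=int(g["dport"]),
        details=g["details"].strip(),
    )


# Flag-word to single-letter mapping for the DShield flags column (assumption).
TCP_FLAG_LETTERS = {"syn": "S", "ack": "A", "rst": "R", "fin": "F", "psh": "P", "urg": "U"}


def to_dshield(ev: FireboxEvent, user_id: str, tz: str = "+00:00", count: int = 1) -> str:
    """Render one event as a tab-separated DShield submission line (assumed layout)."""
    date = datetime.strptime(ev.date, "%m/%d/%y").strftime("%Y-%m-%d")
    time = ev.time if len(ev.time) == 8 else ev.time + ":00"   # pad HH:MM to HH:MM:SS
    # Only the words before the parenthesised annotation are flag names.
    flag_words = re.findall(r"[a-z]+", ev.details.split("(")[0].lower())
    flags = "".join(TCP_FLAG_LETTERS[w] for w in flag_words if w in TCP_FLAG_LETTERS)
    return "\t".join([date, time, tz, user_id, str(count), ev.source, str(ev.source_port),
                      ev.dest, str(ev.dest_port), ev.proto.upper(), flags])


def events_involving_ports(events: Iterable[FireboxEvent], ports: set) -> List[FireboxEvent]:
    """Events where any of the given ports appears as source or destination port."""
    return [e for e in events if e.source_port in ports or e.dest_port in ports]


if __name__ == "__main__":
    events = [e for e in map(parse_firebox_line, SAMPLE_LINES) if e is not None]
    for ev in events_involving_ports(events, {49147, 49148}):
        side = "source" if ev.source_port in {49147, 49148} else "destination"
        print(f"{ev.action:5} {ev.source}:{ev.source_port} -> {ev.dest}:{ev.dest_port} "
              f"({side} port)  ->  {to_dshield(ev, 'PLACEHOLDER-USERID')}")
```

Running it shows the two Canadian hits with 49147/49148 as destination port (source port 9009) and the Pakistani hit with 49148 as the source port heading for SMTP, which is the distinction the thread turns on.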



