[Dshield] Weird portscan? (linux fw)

Ondrej Palkovsky xpalo03 at vse.cz
Thu May 9 08:54:04 GMT 2002


Hi all,
I have configured a Linux firewall and added a small script that scans
the fw logs and adds all abusers to a blocklist. When access to some port is
found, the attacker is added to the block list and all traffic from it is
blocked. I have found interesting log lines from one such attacker.
It seems to me that the attacker did:
 - finger
 - some port scan on high UDP ports (it is possible he did it on more,
because it takes a while before the attacker gets on the blocklist)
 - some pings
 - I do not understand the last line. I'm running masquerading on the
machine, some DNATs to the internal network, and this seems to me as if the
attacker was able to bypass the masquerade (the OUT= port is the port to the
local network). I have just added the 'unclean' rule to iptables to log
similar things, but anyway - has anyone met such behaviour?

Ondrej

May  6 08:53:59 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=62782 DF PROTO=TCP SPT=53425 DPT=79 WINDOW=32768 RES=0x00 SYN URGP=0 
May  6 08:54:01 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=63099 DF PROTO=TCP SPT=53425 DPT=79 WINDOW=32768 RES=0x00 SYN URGP=0 
May  6 08:54:05 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=63576 DF PROTO=TCP SPT=53425 DPT=79 WINDOW=32768 RES=0x00 SYN URGP=0 
May  6 08:54:13 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=65184 DF PROTO=TCP SPT=53425 DPT=79 WINDOW=32768 RES=0x00 SYN URGP=0 
May  6 08:56:48 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=84 TOS=0x00 PREC=0x00 TTL=232 ID=27590 PROTO=ICMP TYPE=8 CODE=0 ID=55569 SEQ=0 
May  6 08:56:49 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=84 TOS=0x00 PREC=0x00 TTL=232 ID=27639 PROTO=ICMP TYPE=8 CODE=0 ID=55569 SEQ=256 
May  6 08:56:50 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=84 TOS=0x00 PREC=0x00 TTL=232 ID=27822 PROTO=ICMP TYPE=8 CODE=0 ID=55569 SEQ=512 
May  6 08:56:51 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=84 TOS=0x00 PREC=0x00 TTL=232 ID=27886 PROTO=ICMP TYPE=8 CODE=0 ID=55569 SEQ=768 
May  6 08:56:52 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=84 TOS=0x00 PREC=0x00 TTL=232 ID=27963 PROTO=ICMP TYPE=8 CODE=0 ID=55569 SEQ=1024 
May  6 08:58:20 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=38232 PROTO=UDP SPT=38162 DPT=33570 LEN=20 
May  6 08:58:25 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=38233 PROTO=UDP SPT=38162 DPT=33571 LEN=20 
May  6 08:58:30 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=38234 PROTO=UDP SPT=38162 DPT=33572 LEN=20 
May  6 08:58:35 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=2 ID=38235 PROTO=UDP SPT=38162 DPT=33573 LEN=20 
May  6 08:58:40 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=2 ID=38236 PROTO=UDP SPT=38162 DPT=33574 LEN=20 
May  6 08:58:45 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=2 ID=38237 PROTO=UDP SPT=38162 DPT=33575 LEN=20 
....lines skipped 
May  6 09:04:49 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=38310 PROTO=UDP SPT=38162 DPT=33648 LEN=20 
May  6 09:04:54 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=38311 PROTO=UDP SPT=38162 DPT=33649 LEN=20 
May  6 09:04:59 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=38312 PROTO=UDP SPT=38162 DPT=33650 LEN=20 
May  7 10:58:35 linux kernel: IN=eth1 OUT=eth0 SRC=210.61.245.10 DST=192.168.0.211 LEN=84 TOS=0x00 PREC=0x00 TTL=231 ID=53476 DF PROTO=ICMP TYPE=0 CODE=0 ID=29306 SEQ=0 
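Added example, not part of Ondrej's post: a small Python parser for netfilter LOG lines in the format shown above. It groups events by source address, classifies them into the categories the post lists (finger SYN, ICMP echo request, high UDP ports), separately flags packets the box forwarded (non-empty OUT=) so a line like the last one stands out, and notes UDP probe runs whose TTL climbs stepwise. The sample lines are constructed from the post's own entries with the MAC= field dropped.

```python
import re
from collections import defaultdict
# Constructed sample in the post's netfilter LOG format (MAC= field dropped for brevity).
SAMPLE_LOG = """\
May  6 08:53:59 linux kernel: IN=eth1 OUT= SRC=210.61.245.10 DST=62.24.69.203 LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=62782 DF PROTO=TCP SPT=53425 DPT=79 WINDOW=32768 RES=0x00 SYN URGP=0
May  6 08:56:48 linux kernel: IN=eth1 OUT= SRC=210.61.245.10 DST=62.24.69.203 LEN=84 TOS=0x00 PREC=0x00 TTL=232 ID=27590 PROTO=ICMP TYPE=8 CODE=0 ID=55569 SEQ=0
May  6 08:58:20 linux kernel: IN=eth1 OUT= SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=38232 PROTO=UDP SPT=38162 DPT=33570 LEN=20
May  6 08:58:35 linux kernel: IN=eth1 OUT= SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=2 ID=38235 PROTO=UDP SPT=38162 DPT=33573 LEN=20
May  6 09:04:49 linux kernel: IN=eth1 OUT= SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=38310 PROTO=UDP SPT=38162 DPT=33648 LEN=20
May  7 10:58:35 linux kernel: IN=eth1 OUT=eth0 SRC=210.61.245.10 DST=192.168.0.211 LEN=84 TOS=0x00 PREC=0x00 TTL=231 ID=53476 DF PROTO=ICMP TYPE=0 CODE=0 ID=29306 SEQ=0
"""

def parse_line(line):
    """Split one LOG line into its key=value fields plus a set of bare flags (DF, SYN, ...)."""
    body = line.split("kernel: ", 1)[-1]  # drop the syslog prefix if present
    fields, flags = {}, set()
    for token in body.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # LEN and ID repeat; keep the IP-header one
        else:
            flags.add(token)
    fields["flags"] = flags
    return fields

def classify(f):
    """Label a parsed line with the event classes the post discusses."""
    if f.get("OUT"):  # OUT= is non-empty only for packets the box forwarded
        return "forwarded"
    if f.get("PROTO") == "TCP" and f.get("DPT") == "79":
        return "finger"
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
        return "icmp-echo-request"
    if f.get("PROTO") == "UDP" and int(f.get("DPT", 0)) >= 33434:
        return "udp-high-port"
    return "other"

def summarize(log_text):
    """Per source: event counts, plus ttl_walk=True when UDP probes stepped the TTL upward (traceroute shape)."""
    report = defaultdict(lambda: {"counts": defaultdict(int), "udp_ttls": []})
    for f in (parse_line(l) for l in log_text.splitlines() if "IN=" in l):
        kind = classify(f)
        entry = report[f["SRC"]]
        entry["counts"][kind] += 1
        if kind == "udp-high-port":
            entry["udp_ttls"].append(int(f["TTL"]))
    for entry in report.values():
        ttls = entry["udp_ttls"]
        entry["ttl_walk"] = len(set(ttls)) >= 2 and ttls == sorted(ttls)
    return dict(report)
```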