Security Incidents: Re: Scans(?) 500->500 from China

Re: Scans(?) 500->500 from China

From: Magus Ba'al <magusbaal_at_THESLOTH.NET>
Date: Fri, 1 Sep 2000 22:10:33 -0700

Port 500 is for IKE, which is used in freeswan (www.freeswan.org). It's used
in VPN connections for freeswan. They most likely have a misconfigured
config file and it's trying to create a VPN with you, or they are seeing if
you have a misconfigured VPN. My best bet is that it's a freeswan
misconfiguration on their end.

My .02

Steve

"Help me Obi Wan Root, you're my only hope!" -Me

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS_at_SECURITYFOCUS.COM]On
Behalf Of Ralf G. R. Bergs
Sent: Friday, September 01, 2000 9:55 AM
To: INCIDENTS_at_SECURITYFOCUS.COM
Subject: Scans(?) 500->500 from China

Hi there,

can anybody shed some light on what appears to be a scan to me?

Sep 1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep 1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30439 F=0x0000 T=105 (#53)
Sep 1 11:13:58 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30447 F=0x0000 T=105 (#53)
Sep 1 11:14:02 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30470 F=0x0000 T=105 (#53)
Sep 1 11:14:10 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30515 F=0x0000 T=105 (#53)
Sep 1 11:14:26 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep 1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)

I couldn't find any meaningful info about port 500 (meaningful to me, that
is, since "isakmp" doesn't ring a bell...)

A whois query gives me the following:

$ whois 61.141.79.3

% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html

inetnum: 61.140.0.0 - 61.143.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: WM12-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GD
changed: hostmaster_at_ns.chinanet.cn.net 20000601
source: APNIC

person: Chinanet Hostmaster
address: A12,Xin-Jie-Kou-Wai Street
phone: +86-10-62370437
fax-no: +86-10-62053995
country: CN
e-mail: hostmaster_at_ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster_at_ns.chinanet.cn.net 20000101
source: APNIC

person: WU MIAN
address: RO.2 ZHONGSHAN,GUANGZHOU,GUANGDONG,
address: 510080,CHINA
phone: +086-20-87619051
fax-no: +86-20-87619799
country: CN
e-mail: wumian_at_gdnmc.guangzhou.gd.cn
nic-hdl: WM12-AP
mnt-by: MAINT-CHINANET-GD
changed: wumian_at_gdnmc.guangzhou.gd.cn 19990615
source: APNIC

I guess even if it was a hostile scan, complaining to people in China
doesn't stop these things, does it?

Thanks,

Ralf

--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
Received on Sep 02 2000
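Added example, not written by either poster: a small Python parser for the ipchains "Packet log" lines Ralf quoted, plus the checks a responder would apply to decide between Steve's two readings (a misconfigured IKE peer retrying against you versus a sweep of UDP/500). The sample input is the seven lines from the post, re-joined onto single lines with the "<my host>" / "<my ip>" placeholders kept. Assumptions, marked in the code: the log year is 2000 (syslog lines carry none), the IP header is 20 bytes with no options, and the three signals (source port 500 to port 500, growing retransmission gaps, identical payload size on the repeats) are heuristics for an IKE initiator's retransmit behaviour, not proof of one.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the seven ipchains lines quoted in the post,
# each re-joined onto one line; placeholders are left as the poster wrote them.
SAMPLE_LOG = """\
Sep 1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep 1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30439 F=0x0000 T=105 (#53)
Sep 1 11:13:58 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30447 F=0x0000 T=105 (#53)
Sep 1 11:14:02 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30470 F=0x0000 T=105 (#53)
Sep 1 11:14:10 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30515 F=0x0000 T=105 (#53)
Sep 1 11:14:26 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep 1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)
"""

# Linux 2.2 ipchains log layout: chain verdict iface PROTO= src:sport dst:dport
# L= S= I= F= T= (#rule).  Host and destination are matched lazily so the
# bracketed placeholders in the post parse the same way real names would.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>.+?) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>.+?):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$"
)

LOG_YEAR = 2000  # assumption: syslog timestamps carry no year; the post is dated 2000


@dataclass
class Event:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    length: int  # ipchains L= is the IP total length, header included
    ipid: int
    ttl: int


def parse_ipchains_log(text):
    """Parse ipchains 'Packet log' lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(f"{LOG_YEAR} " + " ".join(d["ts"].split()),
                               "%Y %b %d %H:%M:%S")
        events.append(Event(ts, d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
                            int(d["proto"]), int(d["length"]), int(d["ipid"]), int(d["ttl"])))
    return events


def udp_payload_len(ip_total_len):
    """UDP payload bytes, assuming a 20-byte IPv4 header (no options) plus 8-byte UDP header."""
    return ip_total_len - 20 - 8


def intervals(events):
    """Seconds between consecutive packets (events must be time-ordered)."""
    return [(b.ts - a.ts).total_seconds() for a, b in zip(events, events[1:])]


def ipid_deltas(events):
    """IP ID advance between consecutive packets; a big jump means the source was
    busy sending elsewhere in between (e.g. sweeping other targets)."""
    return [b.ipid - a.ipid for a, b in zip(events, events[1:])]


def classify_ike_source(events):
    """Heuristic verdict for one source's UDP/500 traffic, with the signals used."""
    evs = sorted(events, key=lambda e: e.ts)
    gaps = intervals(evs)
    # Signal 1: IKE (RFC 2409 over ISAKMP, RFC 2408) runs port 500 to port 500;
    # a port sweep normally comes from an ephemeral source port.
    from_500 = all(e.proto == 17 and e.sport == 500 and e.dport == 500 for e in evs)
    # Signal 2: an initiator that hears nothing resends its first message with
    # growing backoff; a scanner usually sends once per target.
    backoff = len(gaps) >= 2 and all(b >= a for a, b in zip(gaps, gaps[1:]))
    sizes = [udp_payload_len(e.length) for e in evs]
    # Signal 3: the retransmissions carry the same message, so the same size.
    repeated = len(evs) >= 3 and len(set(sizes[:-1])) == 1
    if from_500 and backoff and repeated:
        verdict = "ike-initiator-retransmit"
    elif from_500:
        verdict = "ike-single-probe"
    else:
        verdict = "udp-500-scan"
    return {"verdict": verdict, "packets": len(evs), "intervals": gaps,
            "payload_sizes": sizes, "ipid_deltas": ipid_deltas(evs),
            "ttl": sorted({e.ttl for e in evs})}


def summarize(text):
    """Group parsed events by source address and classify each source."""
    by_src = {}
    for e in parse_ipchains_log(text):
        by_src.setdefault(e.src, []).append(e)
    return {src: classify_ike_source(evs) for src, evs in by_src.items()}


if __name__ == "__main__":
    for src, result in summarize(SAMPLE_LOG).items():
        print(src, result)
```

On the post's lines this reports gaps of 1, 2, 4, 8, 16 and 27 seconds, six 680-byte payloads followed by one 56-byte packet, a constant TTL of 105 and IP ID steps of 8 to 116, which fits a peer retrying a first IKE exchange against a host that never answers rather than a sweep. The shorter final packet and the exact exchange type can only be settled by capturing the packets (the log shows sizes, not ISAKMP headers), so treat the verdict as a triage hint.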