Security Incidents: Re: Scans(?) 500->500 from China

[azimuth <lozah () IO COM>]

Howdy Ralf,

Isakmp is a standard that outlines how two peers can establish and
conduct secure communications over an insecure transport.

http://www.ietf.org/rfc/rfc2408.txt

It's used in IPSec & VPNs, and probably elsewhere.  I have no idea why
someone would be banging away at a single IP (I assume the log entries
reflect traffic directed to one host), unless they were trying to
connect to their VPN and got confused about their server IP.

There's a recent vulnerability for Rapidstream VPN boxes:

http://www.securityfocus.com/vdb/bottom.html?vid=1574

If someones scanning an IP range, perhaps they're trying to identify a
vulnerable box.  Seems like alot of work considering the number of boxen
out there vulnerable to BIND/statd/FTP exploits.

I haven't fully developed my paranoia yet, I think someone in China may
just be confused or making typos.  You might ask Greg Woods where he was
this morning!  ;-)

az


"Ralf G. R. Bergs" wrote:
> Hi there,
>
> can anybody shed some light on what appears to be a scan to me?
>
> Sep  1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
> Sep  1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30439 F=0x0000 T=105 (#53)
> Sep  1 11:13:58 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30447 F=0x0000 T=105 (#53)
> Sep  1 11:14:02 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30470 F=0x0000 T=105 (#53)
> Sep  1 11:14:10 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30515 F=0x0000 T=105 (#53)
> Sep  1 11:14:26 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
> Sep  1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17
> 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)
>
> I couldn't find any meaningful info about port 500 (meaningful to me, that
> is, since "isakmp" doesn't ring a bell...)
>
> A whois query gives me the following:
>
> $ whois 61.141.79.3
>
> % Rights restricted by copyright. See
> http://www.apnic.net/db/dbcopyright.html
>
> inetnum:     61.140.0.0 - 61.143.255.255
> netname:     CHINANET-GD
> descr:       CHINANET Guangdong province network
> descr:       Data Communication Division
> descr:       China Telecom
> country:     CN
> admin-c:     CH93-AP
> tech-c:      WM12-AP
> mnt-by:      MAINT-CHINANET
> mnt-lower:   MAINT-CHINANET-GD
> changed:     hostmaster () ns chinanet cn net 20000601
> source:      APNIC
>
> person:      Chinanet Hostmaster
> address:     A12,Xin-Jie-Kou-Wai Street
> phone:       +86-10-62370437
> fax-no:      +86-10-62053995
> country:     CN
> e-mail:      hostmaster () ns chinanet cn net
> nic-hdl:     CH93-AP
> mnt-by:      MAINT-CHINANET
> changed:     hostmaster () ns chinanet cn net 20000101
> source:      APNIC
>
> person:      WU MIAN
> address:     RO.2 ZHONGSHAN,GUANGZHOU,GUANGDONG,
> address:     510080,CHINA
> phone:       +086-20-87619051
> fax-no:      +86-20-87619799
> country:     CN
> e-mail:      wumian () gdnmc guangzhou gd cn
> nic-hdl:     WM12-AP
> mnt-by:      MAINT-CHINANET-GD
> changed:     wumian () gdnmc guangzhou gd cn 19990615
> source:      APNIC
>
> I guess even if it was a hostile scan, complaining to people in China
> doesn't stop these things, does it?
>
> Thanks,
>
> Ralf
>
> --
> Sign the EU petition against SPAM:          L I N U X       .~.
> http://www.politik-digital.de/spam/        The  Choice      /V\
>                                             of a  GNU      /( )\
>                                            Generation      ^^-^^