Security Incidents mailing list archives
Everything and the kitchen sink.
From: Sebastian Ip <9scki () qlink queensu ca>
Date: Sat, 25 Aug 2001 23:07:03 -0400
Eh yeah I have no idea why this is happening. I don't go on IRC and all I did today was play Day of Defeat online. I didn't think I pissed anyone off cause I haven't port scanned anyone. But here's a short cut from my dshield report; it's all from the same IP.

Aug 25 22:39:09 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22132 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22285 PROTO=TCP SPT=1080 DPT=4236 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22287 PROTO=TCP SPT=1080 DPT=4237 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22316 PROTO=TCP SPT=1080 DPT=4126 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22355 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:12 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22382 PROTO=TCP SPT=1080 DPT=4240 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:14 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22501 PROTO=TCP SPT=1080 DPT=4238 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:15 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22581 PROTO=TCP SPT=1080 DPT=4240 WINDOW=0 RES=0x00 ACK RST URGP=0

Sorry about the "unvalid" typo and was lazy. Anyhow I have no put in the limit match on my firewall rules. This "scan" started at port 1080 and just moves up randomly but very aggressively as you can see. It's still going on as we speak. From looking at my snort log it appears that the port 1080 appears randomly at some point during this mad scan. Does anyone see the same thing happening? What worries me is that this could be an attempt to get iptables to mess up in a way that'll let the attacker in. Are there such bugs in iptables for 2.4.X kernels? I know about ftp and 2.4.2 but I don't use that.

Anyhow

Cheers
Sebastian Ip

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
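
One way to summarise entries like the ones quoted above before deciding what they are, as an added example that is not part of the original post: it parses netfilter LOG lines and reports, per source address, the source ports, destination port range and TCP flags seen. The sample input is four of the quoted entries placed one per line; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four of the entries quoted in the post, one per line.
SAMPLE = """\
Aug 25 22:39:09 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22132 PROTO=TCP SPT=1080 DPT=4239 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22285 PROTO=TCP SPT=1080 DPT=4236 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22287 PROTO=TCP SPT=1080 DPT=4237 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 25 22:39:11 shangrila kernel: |Firewall NEW,UNVALID| IN=eth1 OUT= SRC=212.117.195.110 DST=24.156.214.20 LEN=40 TOS=0x00 PREC=0x00 TTL=232 ID=22316 PROTO=TCP SPT=1080 DPT=4126 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; the value may be empty (OUT=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Parse one netfilter LOG entry; return None for non-TCP or incomplete lines."""
    fields = dict(KV.findall(line))
    if fields.get("PROTO") != "TCP" or not {"SRC", "SPT", "DPT"} <= fields.keys():
        return None
    # Flags are bare tokens printed after RES= and before URGP=.
    tail = line.split("RES=", 1)[-1].split()
    fields["FLAGS"] = frozenset(t for t in tail if t in TCP_FLAGS)
    return fields

def summarise(text):
    """Per source address: packet count, ports seen and flag combinations."""
    stats = defaultdict(lambda: {"count": 0, "spt": set(), "dpt": set(), "flags": set()})
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        s = stats[f["SRC"]]
        s["count"] += 1
        s["spt"].add(int(f["SPT"]))
        s["dpt"].add(int(f["DPT"]))
        s["flags"].add(f["FLAGS"])
    return dict(stats)

def profile(s):
    """Reduce one source's stats to the facts worth reading first."""
    return {
        "fixed_source_port": next(iter(s["spt"])) if len(s["spt"]) == 1 else None,
        "dst_port_range": (min(s["dpt"]), max(s["dpt"])),
        # A segment with RST set and SYN clear cannot open a connection.
        "all_rst_no_syn": all("RST" in fl and "SYN" not in fl for fl in s["flags"]),
    }

if __name__ == "__main__":
    for src, s in summarise(SAMPLE).items():
        print(src, s["count"], profile(s))
```

On the sample, the value that stays constant is the remote source port (SPT=1080), while the local destination ports vary between 4126 and 4239 and every segment carries ACK RST.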
