Here is the entry in /var/log/messages:

May 4 06:39:11 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=210.84.69.233 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43030 DF PROTO=TCP SPT=50044 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0

Here is the tcpdump:

[EMAIL PROTECTED] log]# tcpdump -npi eth1 port 37830
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
06:42:30.524321 IP 69.113.244.183.3796 > 68.225.109.162.37830: S 3794296970:3794296970(0) win 64240 <mss 1460,nop,nop,sackOK>

(I got three of these in the 10 seconds I let it run.)

...and there is no 'nc' or 'netcat' in Smoothwall. I'm sure I could drag and drop it from my Mandrake box, but it's not installed by default on Smoothwall.

Now, I'm trying to understand what is doing this and why. I'm running Snort and Guardian on it, so in theory it should be reacting to these attempts and temporarily blocking them, but I need to figure out whether this is something I can safely ignore...like Code Red attempts.

Thanks for your help.

[EMAIL PROTECTED] wrote:

Hard to say... are you seeing TCP SYN connects like this? (The big S after the IP means the SYN bit is set; the big R is RST (reset).)

andrea:~# tcpdump -npi eth0 port 37830
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:16:39.153566 IP 192.168.2.70.34351 > 192.168.2.4.37830: S 2308344735:2308344735(0) win 5840 <mss 1460,sackOK,timestamp 168616150 0,nop,wscale 2>
09:16:39.166511 IP 192.168.2.4.37830 > 192.168.2.70.34351: R 0:0(0) ack 2308344736 win 0

It could be scanning systems for backdoors.... If it is using any type of plain text protocol, you can let it connect using netcat and see what it sends:

nc -l -p 37830 > junk.txt

After a successful connect, nc will exit, then you may have some clues in junk.txt.

ray

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean http://www.r-a-y.org
Systems Engineer, Southeastern Louisiana University
IBM Certified Specialist, AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
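An added example, not part of the thread: a small Python parser for the netfilter kernel log format Smoothwall writes to /var/log/messages, with a per-source count of SYN-only packets to one port, so repeated unsolicited connection attempts like the ones in the post stand out from ordinary traffic. The sample lines are constructed for the example (the first is the line quoted in the post; the MAC values and the 192.0.2.10 source on the last line are made up).

```python
import re
from collections import defaultdict

# Constructed sample of netfilter log lines as written by the Smoothwall kernel.
# Line 1 is the entry from the post; the rest are made-up lines in the same format.
SAMPLE_LOG = """\
May 4 06:39:11 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=210.84.69.233 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43030 DF PROTO=TCP SPT=50044 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0
May 4 06:42:30 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:00:5e:00:53:01:08:00 SRC=69.113.244.183 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=3796 DPT=37830 WINDOW=64240 RES=0x00 SYN URGP=0
May 4 06:42:33 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:00:5e:00:53:01:08:00 SRC=69.113.244.183 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2 DF PROTO=TCP SPT=3797 DPT=37830 WINDOW=64240 RES=0x00 SYN URGP=0
May 4 06:43:01 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=68.225.109.162 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=4444 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens; OUT= has an empty value
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag tokens (DF is the IP bit, not a TCP flag)

def parse_netfilter_line(line):
    """Split one kernel netfilter log line into its KEY=VALUE fields plus a FLAGS set.
    Returns None for lines that are not kernel log entries."""
    if "kernel:" not in line:
        return None
    _, _, body = line.partition("kernel:")
    fields = dict(KV_RE.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields

def unsolicited_syns(log_text, dport, threshold=2):
    """Count inbound SYN-only TCP packets (new connection attempts) per source address
    aimed at dport, and return the sources that reached the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != str(dport):
            continue
        # SYN without ACK arriving on an interface is a fresh connection attempt from outside
        if f["FLAGS"] == {"SYN"} and f.get("IN"):
            counts[f["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in unsolicited_syns(SAMPLE_LOG, 37830, threshold=1).items():
        print(f"{src} sent {n} SYN(s) to port 37830")
```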
