jr_G-man wrote:
> Here is the entry in /var/log/messages:
> 
> May  4 06:39:11 smoothwall kernel: IN=eth1 OUT= 
> MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=210.84.69.233 
> DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43030 DF 
> PROTO=TCP SPT=50044 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0


The source IP is from Australia. It's almost certainly an infected host looking 
for other infected hosts.  Since your firewall is catching it there's little 
worry for you anyway.  If you run a firewall, you can expect to see tons of 
this junk.

> Now, I'm trying to understand what is doing this and why?  I'm running Snort 
> and Guardian on it, so in theory, it should be reacting to these attempts 
> and temporarily blocking them, but I need to figure out whether this is 
> something I can safely ignore...like Code Red attempts.

Smoothwall IS blocking them.  That's what the log message is telling you. 
Smoothwall should be configured to block everything inbound that's not 
otherwise explicitly allowed by default.   Are you running anything on 37830? 
('netstat -an | grep 37830| grep LISTEN')  Chances are, no.


   (06:14:#)   whois 210.84.69.233
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      210.84.64.0 - 210.84.127.255
netname:      OZEMAIL2-AU
descr:        OzEmail Pty Ltd
descr:        39 Herbert St
descr:        St Leonards, 2065
descr:        New South Wales, Australia
country:      AU
admin-c:      UI2-AP
tech-c:       UI2-AP
remarks:      service provider
notify:       [EMAIL PROTECTED]
mnt-by:       APNIC-HM
mnt-lower:    MAINT-DNS-UUNET
status:       ALLOCATED PORTABLE
changed:      [EMAIL PROTECTED] 20010626
changed:      [EMAIL PROTECTED] 20050303
source:       APNIC

role:         UUNET-AU IPAdmins
address:      UUNET House, 203 Pacific Highway
address:      St Leonards, NSW, 2065
country:      AU
phone:        +61-2-9434-5000
fax-no:       +61-2-9434-5888
e-mail:       [EMAIL PROTECTED]
admin-c:      UI2-AP
tech-c:       UI2-AP
nic-hdl:      UI2-AP
remarks:      Admin emails: [EMAIL PROTECTED]
mnt-by:       MAINT-DNS-UUNET
changed:      [EMAIL PROTECTED] 20050413
source:       APNIC

> 
> 
> Here is the tcpdump:
> 
> [EMAIL PROTECTED] log]# tcpdump -npi eth1 port 37830
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
> 06:42:30.524321 IP 69.113.244.183.3796 > 68.225.109.162.37830: S 
> 3794296970:3794296970(0) win 64240 <mss 1460,nop,nop,sackOK>
> 
> 
> (I got three of these in the 10 seconds I let it run.)
> 
> 
> ...and there is no 'nc' or 'netcat' in Smoothwall.  I'm sure I could 
> drag and drop it from my Mandrake box, but it's not installed by default 
> on Smoothwall.
> 
> 
> Now, I'm trying to understand what is doing this and why?  I'm running 
> Snort and Guardian on it, so in theory, it should be reacting to these 
> attempts and temporarily blocking them, but I need to figure out whether 
> this is something I can safely ignore...like Code Red attempts.
> 
> Thanks for your help.
> 
> 
> 
> 
> [EMAIL PROTECTED] wrote:
> 
> 
> Hard to say... are you seeing TCP SYN connects like this:
> (the big S after the ip means SYN bit is set.  the big R is RST (reset))
> 
> andrea:~# tcpdump -npi eth0 port 37830
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:16:39.153566 IP 192.168.2.70.34351 > 192.168.2.4.37830: S 
> 2308344735:2308344735(0) win 5840 <mss 1460,sackOK,timestamp 168616150 
> 0,nop,wscale 2>
> 09:16:39.166511 IP 192.168.2.4.37830 > 192.168.2.70.34351: R 0:0(0) ack 
> 2308344736 win 0
> 
> It could be scanning systems for backdoors.... if it is using any type 
> of plain text protocol, you can let it connect using netcat and see what 
> it sends:
> 
> nc -l -p  37830 > junk.txt
> 
> After a successful connect, nc will exit, then you may have some clues 
> in junk.txt.
> 
> ray
> -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
> Ray DeJean http://www.r-a-y.org Systems Engineer Southeastern Louisiana 
> University IBM Certified Specialist AIX Administration, AIX Support 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> 
> 
> _______________________________________________
> General mailing list
> [email protected]
> http://brlug.net/mailman/listinfo/general_brlug.net
> 


-- 
Scott Harney <[EMAIL PROTECTED]>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
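As an added example (not code from this thread or from Smoothwall), here is a small Python script that parses netfilter LOG lines of the kind quoted above and tallies dropped inbound SYNs per destination port and per source. That is the check behind the advice above: if one port is being hit by many unrelated sources, it is the "infected hosts looking for other infected hosts" pattern and can be ignored once you have confirmed nothing is listening there; if one source is walking many of your ports, it is a scan of your host. Only the first log line is the one from the post; the remaining lines, the addresses and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Bare flag tokens the netfilter LOG target emits without an '=' sign.
FLAG_TOKENS = {"DF", "SYN", "ACK", "RST", "FIN", "PSH", "URG", "CWR", "ECE"}

# Constructed sample log. Line 1 is the entry from the post; the rest are made
# up: two more unrelated sources probing 37830, one source (198.51.100.7) walking
# four ports, one SYN/ACK, one outbound SYN, and one non-netfilter syslog line.
SAMPLE_LOG = """\
May  4 06:39:11 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=210.84.69.233 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43030 DF PROTO=TCP SPT=50044 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0
May  4 06:42:30 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=69.113.244.183 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=19876 DF PROTO=TCP SPT=3796 DPT=37830 WINDOW=64240 RES=0x00 SYN URGP=0
May  4 06:42:36 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=203.0.113.45 DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=5 DF PROTO=TCP SPT=1337 DPT=37830 WINDOW=16384 RES=0x00 SYN URGP=0
May  4 06:43:01 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=198.51.100.7 DST=68.225.109.162 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=101 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 06:43:01 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=198.51.100.7 DST=68.225.109.162 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=102 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 06:43:02 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=198.51.100.7 DST=68.225.109.162 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=103 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 06:43:02 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=198.51.100.7 DST=68.225.109.162 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=104 PROTO=TCP SPT=40001 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 06:43:03 smoothwall kernel: IN=eth1 OUT= MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=198.51.100.7 DST=68.225.109.162 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=105 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 ACK SYN URGP=0
May  4 06:43:05 smoothwall kernel: IN= OUT=eth1 SRC=68.225.109.162 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=44444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  4 06:43:10 smoothwall sshd[1234]: Accepted password for bob from 192.168.1.5 port 50123 ssh2
"""


def parse_netfilter_line(line):
    """Parse one syslog line written by the iptables/netfilter LOG target.

    Returns a dict of KEY=VALUE fields (as strings) plus a 'flags' set of the
    bare tokens (DF, SYN, ACK, ...), or None for lines that are not LOG output.
    """
    marker = "kernel: "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = {"timestamp": line[:15].strip()}   # "May  4 06:39:11"
    flags = set()
    for tok in line[idx + len(marker):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)      # OUT= gives an empty value
            fields[key] = value
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    if "IN" not in fields or "OUT" not in fields:
        return None                             # kernel message, not a LOG line
    fields["flags"] = flags
    return fields


def is_inbound_syn(f):
    """True for a TCP connection attempt arriving on an interface (SYN, no ACK,
    no output interface), i.e. the kind of entry the firewall drops."""
    return (f is not None and f.get("PROTO") == "TCP"
            and "SYN" in f["flags"] and "ACK" not in f["flags"]
            and f.get("OUT", "") == "")


def summarize(log_text):
    """Return (port -> set of sources, source -> set of ports) for inbound SYNs."""
    per_port = defaultdict(set)
    per_src = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if is_inbound_syn(f):
            per_port[int(f["DPT"])].add(f["SRC"])
            per_src[f["SRC"]].add(int(f["DPT"]))
    return per_port, per_src


def classify(per_port, per_src, port_threshold=3, src_threshold=3):
    """Label what the tallies look like. Thresholds are arbitrary choices here.

    'scan'        -> one source hitting at least port_threshold distinct ports
    'probed_port' -> one port hit by at least src_threshold distinct sources
                     (many unrelated infected hosts trying the same port)
    """
    findings = []
    for src, ports in per_src.items():
        if len(ports) >= port_threshold:
            findings.append(("scan", src, len(ports)))
    for port, srcs in per_port.items():
        if len(srcs) >= src_threshold:
            findings.append(("probed_port", port, len(srcs)))
    return sorted(findings, key=lambda t: (t[0], str(t[1])))


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    for kind, subject, count in classify(ports, sources):
        print(f"{kind:12s} {subject!s:16s} {count}")
    # Per-port detail, to pair with 'netstat -an | grep <port> | grep LISTEN'.
    for port in sorted(ports):
        print(f"port {port}: {len(ports[port])} source(s): {sorted(ports[port])}")
```

On a real box, replace SAMPLE_LOG with the contents of /var/log/messages (or pipe `grep 'kernel: IN=' /var/log/messages` into it). A port that shows up as 'probed_port' and has no LISTEN entry in netstat is exactly the case described above: noise the firewall is already dropping.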
