Nothing running on 37830. As you said, Smoothwall IS blocking it...so, I'm fairly safe there. I guess the only problem left is that it's filling my log files up and preventing me from seeing the 'useful' information. I was looking to see if this port was known to be associated with any current virii. If so, I can go in and tell it to ignore it and not log it. Only problem is that I have not been able to find any information about that port at all.
[EMAIL PROTECTED] wrote:
>
> ------------------------------
>
> Message: 3
> Date: Wed, 04 May 2005 07:15:07 -0500
> From: Scott Harney <[EMAIL PROTECTED]>
> Subject: Re: [brlug-general] Re: General Digest, Vol 23, Issue 8
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> jr_G-man wrote:
>
>> Here is the entry in /var/log/messages:
>>
>> May 4 06:39:11 smoothwall kernel: IN=eth1 OUT=
>> MAC=00:60:97:96:27:a8:00:0e:83:ca:9d:2a:08:00 SRC=210.84.69.233
>> DST=68.225.109.162 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43030 DF
>> PROTO=TCP SPT=50044 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0
>
> The source IP is from Australia. It's almost certainly an infected host looking
> for other infected hosts. Since your firewall is catching it there's little
> worry for you anyway. If you run a firewall, you can expect to see tons of
> this junk.
>
>> Now, I'm trying to understand what is doing this and why? I'm running Snort
>> and Guardian on it, so in theory, it should be reacting to these attempts and
>> temporarily blocking them, but I need to figure out whether this is something
>> I can safely ignore...like Code Red attempts.
>
> Smoothwall IS blocking them. That's what the log message is telling you.
> Smoothwall should be configured to block everything inbound that's not
> otherwise explicitly allowed by default. Are you running anything on 37830?
> ('netstat -an | grep 37830 | grep LISTEN') Chances are, no.
>
> (06:14:#) whois 210.84.69.233
> % [whois.apnic.net node-1]
> % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
>
> inetnum:      210.84.64.0 - 210.84.127.255
> netname:      OZEMAIL2-AU
> descr:        OzEmail Pty Ltd
> descr:        39 Herbert St
> descr:        St Leonards, 2065
> descr:        New South Wales, Australia
> country:      AU
> admin-c:      UI2-AP
> tech-c:       UI2-AP
> remarks:      service provider
> notify:       [EMAIL PROTECTED]
> mnt-by:       APNIC-HM
> mnt-lower:    MAINT-DNS-UUNET
> status:       ALLOCATED PORTABLE
> changed:      [EMAIL PROTECTED] 20010626
> changed:      [EMAIL PROTECTED] 20050303
> source:       APNIC
>
> role:         UUNET-AU IPAdmins
> address:      UUNET House, 203 Pacific Highway
> address:      St Leonards, NSW, 2065
> country:      AU
> phone:        +61-2-9434-5000
> fax-no:       +61-2-9434-5888
> e-mail:       [EMAIL PROTECTED]
> admin-c:      UI2-AP
> tech-c:       UI2-AP
> nic-hdl:      UI2-AP
> remarks:      Admin emails: [EMAIL PROTECTED]
> mnt-by:       MAINT-DNS-UUNET
> changed:      [EMAIL PROTECTED] 20050413
> source:       APNIC
>
>> Here is the tcpdump:
>>
>> [EMAIL PROTECTED] log]# tcpdump -npi eth1 port 37830
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
>> 06:42:30.524321 IP 69.113.244.183.3796 > 68.225.109.162.37830: S
>> 3794296970:3794296970(0) win 64240 <mss 1460,nop,nop,sackOK>
>>
>> (I got three of these in the 10 seconds I let it run.)
>>
>> ...and there is no 'nc' or 'netcat' in Smoothwall. I'm sure I could
>> drag and drop it from my Mandrake box, but it's not installed by default
>> on Smoothwall.
>>
>> Now, I'm trying to understand what is doing this and why? I'm running
>> Snort and Guardian on it, so in theory, it should be reacting to these
>> attempts and temporarily blocking them, but I need to figure out whether
>> this is something I can safely ignore...like Code Red attempts.
>>
>> Thanks for your help.
>>
>>
>> [EMAIL PROTECTED] wrote:
>>
>> Hard to say... are you seeing TCP SYN connects like this:
>> (the big S after the IP means the SYN bit is set; the big R is RST (reset))
>>
>> andrea:~# tcpdump -npi eth0 port 37830
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 09:16:39.153566 IP 192.168.2.70.34351 > 192.168.2.4.37830: S
>> 2308344735:2308344735(0) win 5840 <mss 1460,sackOK,timestamp 168616150
>> 0,nop,wscale 2>
>> 09:16:39.166511 IP 192.168.2.4.37830 > 192.168.2.70.34351: R 0:0(0) ack
>> 2308344736 win 0
>>
>> It could be scanning systems for backdoors.... if it is using any type
>> of plain text protocol, you can let it connect using netcat and see what
>> it sends:
>>
>> nc -l -p 37830 > junk.txt
>>
>> After a successful connect, nc will exit, then you may have some clues
>> in junk.txt.
>>
>> ray
>> --
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> Ray DeJean  http://www.r-a-y.org  Systems Engineer
>> Southeastern Louisiana University
>> IBM Certified Specialist  AIX Administration, AIX Support
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>
>>
>> _______________________________________________
>> General mailing list
>> [email protected]
>> http://brlug.net/mailman/listinfo/general_brlug.net
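Added example, not part of the thread or of Smoothwall: the question above is whether the 37830 noise is one infected host or a broad scan, and whether it can be dropped without logging. The script below triages netfilter LOG lines in the exact format of the /var/log/messages entry posted (SRC=, DPT=, the SYN flag), counting SYNs and distinct sources per destination port, and emits the iptables rule that would silence the port. The sample log lines are constructed (RFC 5737 documentation addresses, an IANA example MAC), and the rule assumes a plain INPUT chain on eth1; Smoothwall's own chain layout is not shown in the thread, so on that box the rule has to land ahead of whatever rule does the LOG.

```shell
#!/bin/sh
# Added example, not from the thread: triage netfilter LOG lines of the kind
# jr_G-man posted, so you can see whether a noisy port is one source hammering
# you or a broad scan before deciding to drop it without logging.

# Constructed sample lines in the same format as the /var/log/messages entry
# above. Addresses are from the RFC 5737 documentation ranges and the MACs from
# the IANA example range; none of this is captured traffic.
SAMPLE_LOG='May  4 06:39:11 smoothwall kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43030 DF PROTO=TCP SPT=50044 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0
May  4 06:39:15 smoothwall kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=43031 DF PROTO=TCP SPT=50045 DPT=37830 WINDOW=65535 RES=0x00 SYN URGP=0
May  4 06:42:30 smoothwall kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.55 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6102 DF PROTO=TCP SPT=3796 DPT=37830 WINDOW=64240 RES=0x00 SYN URGP=0
May  4 06:43:02 smoothwall kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.99 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9917 DF PROTO=TCP SPT=1044 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
May  4 06:43:09 smoothwall kernel: IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.55 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=6103 DF PROTO=TCP SPT=3796 DPT=37830 WINDOW=0 RES=0x00 RST URGP=0'

# Count inbound TCP SYNs per destination port and how many distinct sources
# sent them. Reads log lines on stdin; prints the busiest port first. Lines
# without the SYN flag (the RST above) are ignored, since only connection
# attempts matter for the "is this a scan" question.
syn_summary() {
    awk '
        /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            syns[dpt]++
            if (!((dpt, src) in seen)) { seen[dpt, src] = 1; srcs[dpt]++ }
        }
        END { for (p in syns) printf "%d %d %s\n", syns[p], srcs[p], p }
    ' | sort -rn | awk '{ printf "DPT %s syns=%d sources=%d\n", $3, $1, $2 }'
}

# List the distinct source addresses that sent SYNs to one destination port
# (argument 1); these are what you would feed to whois, as Scott did.
syn_sources() {
    awk -v want="$1" '
        /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == want && src != "") print src
        }
    ' | sort -u
}

# Print (do not run) the rule that drops inbound SYNs to a port before the
# LOG rule sees them. Assumption for this example: a plain INPUT chain on the
# external interface; adapt the chain to the firewall's real layout, and only
# do this after confirming nothing listens on the port (netstat, as above).
quiet_drop_rule() {
    printf 'iptables -I INPUT -i %s -p tcp --syn --dport %s -j DROP\n' "$1" "$2"
}

# Run against the constructed sample: 37830 shows up as the busiest port with
# two distinct sources, port 135 once, and the RST line is not counted.
printf '%s\n' "$SAMPLE_LOG" | syn_summary
printf '%s\n' "$SAMPLE_LOG" | syn_sources 37830
quiet_drop_rule eth1 37830
```

Against a real box you would replace the sample with `grep 'DPT=' /var/log/messages | syn_summary`. A port with many sources and a steady trickle of SYNs looks like worm or scanner background noise; a single source repeating is worth a whois and possibly a targeted block instead. Dropping without logging buys quiet logs at the cost of visibility into that port, so keep the summary handy to re-check occasionally.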
