tmarinis99 wrote: Greets List; Forgive my ignorance and the length of the message, but I'm stumped, and have been for about 35 days now.
I'm getting some really weird port probes here on my home-made firewall lately. I'm stumped because I'm unaware of what exactly my attacker(s) is looking for. I've seen a sudden large bump of traffic consistently probing random unassigned port locations before, so I am wondering if there is a new vulnerability out there, or if this is a simple nmap probe, or more likely someone running a server with a misconfigured service?

The port numbers being consistently attacked are: 1101, 3059, 16692, 22954, 29169, 38891, 60380, 62353. Under http://www.iana.org/assignments/port-numbers for the list dated Jan 17th 2003 I have read that the ports are listed in this manner:

1101 is listed as PT2-DISCOVER. [ I don't have a clue as to what this service is at all ]
3509 is listed as qsoft ( I'm guessing a misconfigured server/game/product/software which I'm assuming is manufactured by qsoft; I'm not going to worry about this one. I run nothing from qsoft here ).
16692, 22954, 29169, 38891, 60380 are listed as unassigned. This is stumping me though. [ WTF ???? ]

The IPs attacking me are 64.12.137.1-56 inclusive. I've been wondering now whether they are spoofed or not. They are always from this range. Searching ARIN, the whois gave me 64.12.X.X, AOL, as the owner. The attacks start on a regular basis, from 10:00am PST until 1:00pm PST, then start again at 8:00pm to 3-4 am. They started last month; the first hit was 22nd December, just before Christmas 2002. They last for a few hours, then die off. Looking over some CERT alerts, nothing listed there that I have read so far reaches the above mentioned ports. Has anyone else seen attacks on these ports anywhere lately, or is there some new service that I should be aware of that maybe I haven't locked down properly inside my network?

===

The firewall I'm running is a simple border type, an Intel Pentium 586, 48 megs RAM, 2 NICs, and a wee 3 GB hard drive, install date August 27th 2001.
I run a DHCP client to obtain an IP from the ISP on one NIC, and a DHCP server for the clients for internet connectivity on the second NIC, with no other services provided or daemons running. The firewall has no sendmail, no ssh, no serial comm software like tip [ removed ], there is no X [period, all libs removed], no ppp [removed], no http services [ removed ], no portmap, no r<services> whatsoever; access is by keyboard and monitor, 2 terminals are permitted to run, but that's it. I have also removed the gcc compiler, ftp, lynx, and most of the bin utils, except the {ipf} packet filter and nmap. No holes in the firewall to the internet for connections made to the internal services of the network. I provide no services whatsoever. The clients inside the network use the firewall for simple web browsing/e-mail and ftp services, period. There are no http services running inside the network. E-Mail is provided to me via smtp OUTSIDE my network from my ISP. Or I use Netscape mail sometimes, like I'm doing now. Everything else is blocked, logged, and then dropped.

Sample log with a definition below:

Jan 29 09:19:25.221984 REDDWARF rl1 @0:82b 64.12.137.8,5006 -> 207.6.233.24,29169 PR udp len 20 78 IN
Jan 29 09:19:25.888960 REDDWARF rl1 @0:14b 64.12.137.5,64904 -> 207.6.233.24,22954 PR tcp 20 60 -S IN

============
TIMESTAMP:
rl1 ===> Ethernet interface ( external ).
64.12.X.X,Y ===> attacker.IP.ADDRESS,PORT connection
207.6.233.23,29169 ===> My.IP.ADDRESS.
PR tcp/udp ===> Protocol, packet/frame/payload length
-S ===> SYN packet received by firewall
IN ===> Direction of traffic travel

[ Goes on for several thousand lines for over a few hours. ]

Is there something I should be looking for in particular, or is this due to the M$ MYSQL Worm that's going around lately? I typically see 1433, 1434, but not the above mentioned ports. Thanks muchly...
---tm---
Linux Registration Number; 184093, http://counter.li.org
_______________________________________________
Linux-users mailing list [EMAIL PROTECTED]
Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users
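As an added example (not from the post or from the ipfilter project), here is a small Python triage script for log lines in the ipf format the post defines: it parses both shapes shown (udp with "len", tcp with a -S flag and no "len"), counts inbound probes per destination port, source and hour of day, and flags any source outside the 64.12.137.x range the poster reports. The sample lines are constructed, and the 64.12.137.0/26 range is an assumption chosen to cover 64.12.137.1-56.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the ipf(8) log format quoted in the post
# (not real captures; host, addresses and ports mirror the ones the post shows).
SAMPLE_LOG = """\
Jan 29 09:19:25.221984 REDDWARF rl1 @0:82b 64.12.137.8,5006 -> 207.6.233.24,29169 PR udp len 20 78 IN
Jan 29 09:19:25.888960 REDDWARF rl1 @0:14b 64.12.137.5,64904 -> 207.6.233.24,22954 PR tcp 20 60 -S IN
Jan 29 09:19:26.101010 REDDWARF rl1 @0:14b 64.12.137.40,64905 -> 207.6.233.24,22954 PR tcp len 20 60 -S IN
Jan 29 21:02:11.000001 REDDWARF rl1 @0:14b 198.51.100.7,4444 -> 207.6.233.24,29169 PR tcp len 20 60 -S IN
this line is not an ipf record at all
"""

# One regex for the two shapes seen in the post: "PR udp len 20 78 IN" and "PR tcp 20 60 -S IN".
IPF_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):\d{2}:\d{2}(?:\.\d+)? "
    r"(?P<host>\S+) (?P<iface>\S+) @(?P<rule>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>[a-z]+)(?: len)? (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Return a dict of fields for one ipf log line, or None if it does not match."""
    m = IPF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec.pop("hh"))  # hour of day, enough to see the 10am/8pm pattern
    for k in ("sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k])
    return rec

def summarize(log_text, expected_range="64.12.137.0/26"):
    """Aggregate inbound probes by (proto, dport), source and hour; collect sources
    outside expected_range (assumed /26 that contains the 64.12.137.1-56 the post names)."""
    net = ip_network(expected_range)
    by_port, by_src, by_hour, outside = Counter(), Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "IN":
            continue  # skip non-ipf noise and outbound traffic
        by_port[(rec["proto"], rec["dport"])] += 1
        by_src[rec["src"]] += 1
        by_hour[rec["hour"]] += 1
        if ip_address(rec["src"]) not in net:
            outside.add(rec["src"])
    return {"by_port": by_port, "by_src": by_src, "by_hour": by_hour, "outside_range": outside}
```

Feed the real log through summarize() (e.g. summarize(open("/var/log/ipf.log").read())) to see which ports dominate and whether any source falls outside the reported AOL range.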
