On Sunday 16 February 2003 02:18 pm, Kaj Haulrich wrote:
> When doing a dmesg I get all the usual stuff, but lately a
> new thing - at least to me - is showing up. The last
> stanzas grow bigger and bigger and read a lot like this:
>
> <snip>
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> SRC=80.192.8.112
> DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=114
> ID=56266 DF PROTO=TCP SPT=3147 DPT=1214
> WINDOW=64240 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00
> PREC=0x00 TTL=117 ID=53207 DF PROTO=TCP
> SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00
> PREC=0x00 TTL=117 ID=53220 DF PROTO=TCP
> SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00
> PREC=0x00 TTL=117 ID=53257 DF PROTO=TCP
> SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
> </snip>
>
> To me it seems like shorewall is stopping someone -
> actually a lot - trying to do a portscan on me. Now,
> when I do a *whois* on all those URLs it seems that I get
> both decent ISPs as well as more clandestine ones.
>
> What's going on? - Can someone decipher this?
>
> TIA
>
> Kaj Haulrich.
> ===========================================
> Powered by Linux - Mandrake 9.0
> Registered Linux user # 214073 at http://counter.li.org
> Source : my 100 % Microsoft-free personal computer.
> ===========================================

Most likely that is a portscan with decoys. Shorewall is good enough to catch a SYN scan apparently, with a little help from kernel 2.4/iptables... I don't much like the scanner with the WINDOW numbers it is putting out...

Way too big for most communications except an upload/download and too small to block a man-in-the-middle. TCP is a 3-way handshake which can be desynched by a clever attacker... but that is another story.

You might try listening at other IP addresses in your subnet to see if this joker is scanning your whole subnet -- but the DPT is always 1214?

I am showing some similar SYN/RST stuff but hitting ports 443, 1080, 1433, 2852.
2852 is a port used by some popular Windows trojans.
1433 is MSSQL, so that's probably Slammer.
1080 is SOCKS proxy (yep, another WIN exploit port).
443 might be respectable or it might be Slapper.
1214 is KaZaa file sharing, but the Lirva virus is trying to spread via KaZaa as well as by many other methods (and Lirva is NASTY in its payload, deactivating antivirus scanners and emailing all the passwords Windows stores to one of two hardwired addresses in Kazakhstan).

I think you probably encountered a Lirva scan, as it has been internet active lately, choking many mailservers with crap, courtesy of Windows, Outlook, MSIE, mIRC, ICQ (Windows client), IIS, and KaZaa.

Civileme
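As an added example (not part of the thread or of Shorewall itself), the Python below parses Shorewall/netfilter log lines like those quoted above and groups the dropped TCP SYNs two ways: one source knocking on many ports (a port sweep) versus many unrelated sources all knocking on one port (the pattern in Kaj's log, every hit on 1214). The sample input is constructed: three lines are the quoted ones unwrapped onto single lines as dmesg prints them, and the source 192.0.2.77 with its three lines is made up.

```python
import re
from collections import defaultdict

# Constructed sample: three lines quoted in the thread (unwrapped to one line
# each, as the kernel prints them) plus one made-up source, 192.0.2.77, that
# probes three different ports in turn.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=80.192.8.112 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=56266 DF PROTO=TCP SPT=3147 DPT=1214 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53207 DF PROTO=TCP SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53220 DF PROTO=TCP SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=192.0.2.77 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=192.0.2.77 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40000 DPT=1080 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=192.0.2.77 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40000 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")

def parse_line(line):
    """Split one Shorewall/netfilter log line into a dict; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val         # key=value pairs, including the empty OUT=
        else:
            fields["flags"].add(tok)  # bare tokens such as DF, SYN, ACK, RST
    return fields

def summarize_drops(log_text, sweep_threshold=3, crowd_threshold=2):
    """Return (sweepers, crowded): sources hitting >= sweep_threshold distinct
    ports, and ports hit by >= crowd_threshold distinct sources."""
    ports_by_src, srcs_by_port = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["action"] != "DROP" or f.get("PROTO") != "TCP":
            continue
        if "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue                  # keep only unsolicited connection attempts
        ports_by_src[f["SRC"]].add(int(f["DPT"]))
        srcs_by_port[int(f["DPT"])].add(f["SRC"])
    sweepers = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= sweep_threshold}
    crowded = {p: sorted(s) for p, s in srcs_by_port.items() if len(s) >= crowd_threshold}
    return sweepers, crowded

if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LOG))
```

Feed it `dmesg` or the syslog file Shorewall logs to instead of SAMPLE_LOG; the thresholds are deliberately low for the six-line sample and should be raised for real traffic.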
