On Monday 17 February 2003 04:16 am, civileme wrote:
> On Sunday 16 February 2003 02:18 pm, Kaj Haulrich wrote:
> > When doing a dmesg I get all the usual stuff, but
> > lately a new thing - at least to me - is showing up.
> > The last stanzas grow bigger and bigger and read a
> > lot like this :
> >
> > <snip>
> > Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> > SRC=80.192.8.112
> > DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=114
> > ID=56266 DF PROTO=TCP SPT=3147 DPT=1214
> > WINDOW=64240 RES=0x00 SYN URGP=0
> > Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> > SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00
> > PREC=0x00 TTL=117 ID=53207 DF PROTO=TCP
> > SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
> > Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> > SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00
> > PREC=0x00 TTL=117 ID=53220 DF PROTO=TCP
> > SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
> > Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00
> > SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00
> > PREC=0x00 TTL=117 ID=53257 DF PROTO=TCP
> > SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
> > </snip>
> >
> > To me it seems like shorewall is stopping someone -
> > actually a lot - trying to do a portscan on me. Now,
> > when I do a *whois* on all those URL's it seems that I
> > get both decent ISP's as well as more clandestine
> > ones.
> >
> > What's going on ? - Can someone decipher this ?
> >
> > TIA
> >
> > Kaj Haulrich.
> > ===========================================
> > Powered by Linux - Mandrake 9.0
> > Registered Linux user # 214073 at http://counter.li.org
> > Source : my 100 % Microsoft-free personal computer.
> > ===========================================
>
> Most likely that is a portscan with decoys. Shorewall
> is good enough to catch a SYN scan apparently, with a
> little help from kernel 2.4/iptables... I don't much
> like the scanner with the WINDOW numbers it is putting
> out ... Way too big for most communications except an
> upload/download and too small to block a man-in-middle..
> TCP is a 3-way handshake which can be desynched by a
> clever attacker,,, but that is another story.
>
> You might try listening at other IP addresses in your
> subnet to see if this joker is scanning your whole
> subnet--but the DPT is always 1214?

Yes, invariably.

> I am showing some similar SYN/RST stuff but hitting
> ports 443, 1080, 1433, 2852
> 2852 is a port used by some popular windows trojans
> 1433 is MSSQL so that's probably slammer
> 1080 is socks proxy (yep another WINexploit port)
> 443 might be respectable or it might be slapper

I don't see those ports listed in dmesg.

> 1214 is KaZaa file sharing but the Lirva Virus is trying
> to spread via KaZaa as well as by many other methods
> (and Lirva is NASTY in its payload, deactivating
> antivirus scanners and emailing all the passwords
> windows stores to one of two hardwired addresses in
> Kazakhstan,) I think you probably encountered a Lirva
> scan as it has been internet active lately, choking many
> mailservers with crap, courtesy of Windows, Outlook,
> MSIE, mIRC, ICQ (windows client) IIS, and KaZaa.
>
> Civileme

So I think it's Lirva bouncing its head against my shorewall. Nothing to worry about on a linux-box.

Is it worth the effort to alert those ISPs like they seem to imply in their *abuse* messages ?

As always : thanks, Civileme.

Kaj Haulrich.
===========================================
Powered by Linux - Mandrake 9.0
Registered Linux user # 214073 at http://counter.li.org
Source : my 100 % Microsoft-free personal computer.
===========================================
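The thread turns on reading the Shorewall lines in dmesg by hand: the fields are the kernel's netfilter LOG format (SRC, DST, PROTO, SPT, DPT, the bare SYN and DF flags), and the question is whether one source is walking many ports (a port scan) or many sources are all knocking on one port (what a worm sweeping for KaZaa on 1214 looks like). The following script is an added example, not code from the thread or from the Shorewall project; it parses that record format and groups the dropped SYNs both ways. Its sample input is the four records quoted above, re-joined onto one line each as the kernel prints them, plus three constructed records from the documentation address 198.51.100.7 so that a per-source scan also appears. The thresholds (three distinct ports per source, two distinct sources per port) are assumptions for the illustration.

```python
"""Parse Shorewall (netfilter LOG) drop records from dmesg and summarise them.

Added illustration for the thread above; not Shorewall's own code.
"""
from collections import Counter, defaultdict
import re

# The four records quoted in the thread, re-joined onto one line each (the
# kernel prints each record on one line; the mail client wrapped them), plus
# three CONSTRUCTED records from 198.51.100.7 (a documentation address) hitting
# several of the ports civileme lists, so a per-source port scan shows up too.
SAMPLE_DMESG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=80.192.8.112 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=56266 DF PROTO=TCP SPT=3147 DPT=1214 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53207 DF PROTO=TCP SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53220 DF PROTO=TCP SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=217.235.136.240 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53257 DF PROTO=TCP SPT=24207 DPT=1214 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=198.51.100.7 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=4001 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=198.51.100.7 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2 DF PROTO=TCP SPT=4002 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:ba:c6:65:6a:00:08:a4:cb:f0:38:08:00 SRC=198.51.100.7 DST=80.198.60.128 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3 DF PROTO=TCP SPT=4003 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes the kernel record with "Shorewall:<chain>:<disposition>:".
HEADER_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")


def parse_record(line):
    """Turn one Shorewall/netfilter LOG record into a dict, or None if not one.

    key=value tokens become entries (OUT= yields an empty string); bare tokens
    such as DF and SYN are collected under rec["flags"].
    """
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec


def summarise(text, scan_ports=3, sweep_sources=2):
    """Group dropped TCP SYN records by source address and destination port.

    Returns a dict with:
      hits      Counter of dropped SYNs per SRC
      by_src    SRC -> set of DPTs that source tried
      by_dpt    DPT -> set of SRCs that tried that port
      scanners  SRCs that tried at least scan_ports distinct ports (port scan)
      sweeps    DPTs tried by at least sweep_sources distinct SRCs (one-port sweep)
    The thresholds are assumptions chosen for this illustration.
    """
    hits = Counter()
    by_src = defaultdict(set)
    by_dpt = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "DROP":
            continue
        if rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue  # only unanswered connection attempts are of interest here
        src, dpt = rec["SRC"], rec["DPT"]
        hits[src] += 1
        by_src[src].add(dpt)
        by_dpt[dpt].add(src)
    return {
        "hits": hits,
        "by_src": dict(by_src),
        "by_dpt": dict(by_dpt),
        "scanners": sorted(s for s, ports in by_src.items() if len(ports) >= scan_ports),
        "sweeps": sorted(d for d, srcs in by_dpt.items() if len(srcs) >= sweep_sources),
    }


def report(summary):
    """Render the summary as one line per source plus one per swept port."""
    out = []
    for src, n in summary["hits"].most_common():
        ports = ",".join(sorted(summary["by_src"][src], key=int))
        kind = "port scan" if src in summary["scanners"] else "single-port probes"
        out.append(f"{src:<16} {n:>3} SYN drops  DPT={ports}  ({kind})")
    for dpt in summary["sweeps"]:
        n_src = len(summary["by_dpt"][dpt])
        out.append(f"DPT {dpt}: tried by {n_src} distinct sources (one-port sweep)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_DMESG)))
```

Run against a real box with `dmesg | python3 thisfile.py`-style piping by replacing SAMPLE_DMESG with `sys.stdin.read()`; the output separates the 1214-only traffic from the two quoted sources (many hosts, one port) from the constructed host that walks 443, 1080 and 1433 (one host, many ports), which is the distinction the replies above are drawing.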
