hi! I'm attaching a file containing excerpts from my syslog. Wanted to generate some discussion regarding interpretation of the entries.... fyi, I'm behind a proxy server. I've got iptables running. You can look at the file first, and then read on..
my two cents.. this is a malicious attempt - not innocent at all!! hint: same destination and source ports...
most certainly, the source IPs are spoofed; the attacker is within the LAN that I'm part of. hint: packet with a destination of all 255s...
I've also got snort running on the same machine.... it didn't generate any alerts...
does anyone recognise any particular scanner's signature here? anyone know what particular exploit(s) this guy was looking for? inviting more inputs from u guys.
regards, kishor
__________________________________________________ Do You Yahoo!? Send your FREE holiday greetings online! http://greetings.yahoo.com
Sometime on Dec 29, kishor bhagwat assembled some asciibets to say:
this is a malicious attempt-not innocent at all!! hint:same destination and source ports...
Only in the case of SPT, DPT 22, 111. Others have seemingly random SPT.
You've got connect attempts (SYN packets) on ports 21, 22, 25, 111 (ftp, ssh, smtp, portmapper/sunrpc).
My guess is that someone is looking to see if you (or anyone on the network (broadcast address)) have these services running. Can't tell if they're just probing for running services, or if they're actually looking for exploits. All I know is that all of the above have known vulnerabilities and exploits.
21 - wu-ftpd - buffer overflow gives root shell - fixed?
22 - openssh - buffer overflow gives root shell - fixed
25 - sendmail - loads of bugs - fixed
111 - portmapper - rpc, nfs - say no more
Philip
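To make the indicators discussed in this thread concrete (bare SYNs to 21/22/25/111, source port equal to destination port, and a destination of all 255s), here is an added example that is not part of the mailing-list exchange. It parses iptables LOG lines in the kernel's standard KEY=VALUE format; the log lines themselves are constructed, since the thread does not reproduce the attached syslog.

```python
import re

# Constructed sample iptables log lines (not from the original syslog attachment).
SAMPLE_LOG = """\
Dec 29 20:21:10 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=22 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:21:10 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=111 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:21:11 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=255.255.255.255 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40213 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:21:12 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 LEN=52 TTL=64 ID=4 DF PROTO=TCP SPT=51022 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# The services Philip lists as the likely targets of the connect attempts.
PROBED_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 111: "sunrpc"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line plus its bare flag words."""
    rec = dict(FIELD_RE.findall(line))
    rec["flags"] = {w for w in line.split() if w in FLAG_WORDS}
    return rec


def classify(rec):
    """Return the indicators from the thread that this record shows (empty if none)."""
    hits = []
    # Only a bare SYN is a connect attempt; SYN/ACK and ACK belong to established flows.
    if rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
        return hits
    dpt = int(rec.get("DPT", 0))
    if dpt in PROBED_PORTS:
        hits.append(f"syn-to-{PROBED_PORTS[dpt]}")
    if rec.get("SPT") == rec.get("DPT"):
        hits.append("spt-equals-dpt")  # a normal client stack picks an ephemeral source port
    if rec.get("DST") == "255.255.255.255":
        hits.append("broadcast-dst")   # one packet reaches every host on the segment
    return hits


def scan_log(text):
    """Map each source IP to the set of indicators seen; unremarkable lines are dropped."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            report.setdefault(rec["SRC"], set()).update(hits)
    return report
```

Because the source addresses in the thread are believed to be spoofed, the per-source report is a grouping aid, not an attribution; the MAC address in the snort output is the better handle on a LAN-local sender.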
----- Original Message -----
From: Philip S Tellis philip.tellis@iname.com
To: linuxers@mm.ilug-bom.org.in
Sent: Sunday, December 30, 2001 12:34 AM
Subject: Re: [ILUG-BOM] [sec] scanning signs
Sometime on Dec 29, kishor bhagwat assembled some asciibets to say:
this is a malicious attempt-not innocent at all!! hint:same destination and source ports...
Only in the case of SPT, DPT 22, 111. Others have seemingly random SPT.
You've got connect attempts (SYN packets) on ports 21, 22, 25, 111 (ftp, ssh, smtp, portmapper/sunrpc).
My guess is that someone is looking to see if you (or anyone on the network (broadcast address)) have these services running. Can't tell if they're just probing for running services, or if they're actually looking for exploits. All I know is that all of the above have known vulnerabilities and exploits.
ok.. look what snort picked up from the network!! a nice little custom-made IP fragment.. somebody on my network is really active, eh?!!! have we got him/her?!!

12/29-20:21:16.941716 0:80:AD:7F:16:46 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x6E
0.1.0.1 -> 0.1.0.1 CHAOS TTL:172 TOS:0x0 ID:28851 IpLen:20 DgmLen:96 DF
Frag Offset: 0x13C2 Frag Size: 0x4C
00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 00  ................
00 01 00 03 00 01 00 32 00 01 00 AF 00 01 00 FF  .......2........
00 01 00 65 00 01 01 CB 01 01 01 4A 01 01 00 FC  ...e.......J....
00 01 00 A8 00 01 00 AC 00 01 00 AA 00 01 00 80  ................
00 01 00 46 00 01 00 02 00 01 01 00              ...F........

I'm also wondering about the role of snort and iptables. Where exactly does snort hook into the netfilter mechanism? (does it hook into it at all?) Does snort receive packets after iptables is through with them? Is it simultaneous?
regards, kishor