Strange packets..

Strange packets..

Post by Antti Laukkone » Tue, 08 May 2001 17:24:05



When I woke up this morning and started to read my logs as usual, I found
5 strange packets, all from different times and source addresses.

I'm running kernel 2.2.7 with a firewall (ipchains).

abacus_sentry[591]: attackalert: Unknown packet type from host: some_ip/some_ip to TCP port: 111
abacus_sentry[591]: attackalert: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 1
abacus_sentry[591]: attackalert: some_ip has been blocked via wrappers.
abacus_sentry[591]: attackalert: Host some_ip has been blocked via dropped route.

I have (at least I think) a properly configured firewall, denying all
incoming data, so how come this packet got through my firewall?

Is there any way to prevent this with ipchains?

I don't have any servers running, and I checked with tripwire that nothing
was changed / ran chkrootkit (paranoid? ;) ).


Strange packets..

Post by Luke Voge » Tue, 08 May 2001 17:36:44



> When I woke up this morning and started to read my logs as usual, I found
> 5 strange packets, all from different times and source addresses.

> I'm running kernel 2.2.7 with a firewall (ipchains).

> abacus_sentry[591]: attackalert: Unknown packet type from host: some_ip/some_ip to TCP port: 111
> abacus_sentry[591]: attackalert: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 1
> abacus_sentry[591]: attackalert: some_ip has been blocked via wrappers.
> abacus_sentry[591]: attackalert: Host some_ip has been blocked via dropped route.

> I have (at least I think) a properly configured firewall, denying all
> incoming data, so how come this packet got through my firewall?

> Is there any way to prevent this with ipchains?

> I don't have any servers running, and I checked with tripwire that nothing
> was changed / ran chkrootkit (paranoid? ;) ).

Looks like you have received a packet looking for a sunrpc port.
Portsentry seems to have stopped further attempts from that IP by using
tcpwrappers, and presumably adding a new rule to your ipchains rule set.

What is not clear is how the packet got past your firewall script in
the first place.

I'd be willing to bet that you are running a default policy of accept,
and that even though you have no services running, the packet still got
through and was caught by portsentry.

I'd be checking your ipchains rules to ensure that you are trapping
everything that you don't explicitly want to allow in.

Go to http://www.linux-firewall-tools.com for a design tool that will
make your life easy.

--
Regards
Luke
------
ego.sh  comes with a self  installer. It is a  single threaded  multi
process daemon  application thats facilitates access to the  infamous
game "rat race". Warning uninstalling may enhance system performance.
------
PLEASE NOTE: Spamgard (tm) installed.

------


Strange packets..

Post by Antti Laukkone » Tue, 08 May 2001 18:27:07





> > When I woke up this morning and started to read my logs as usual, I found
> > 5 strange packets, all from different times and source addresses.

> > I'm running kernel 2.2.7 with a firewall (ipchains).

> > abacus_sentry[591]: attackalert: Unknown packet type from host: some_ip/some_ip to TCP port: 111
> > abacus_sentry[591]: attackalert: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 1
> > abacus_sentry[591]: attackalert: some_ip has been blocked via wrappers.
> > abacus_sentry[591]: attackalert: Host some_ip has been blocked via dropped route.

> > I have (at least I think) a properly configured firewall, denying all
> > incoming data, so how come this packet got through my firewall?

> > Is there any way to prevent this with ipchains?

> > I don't have any servers running, and I checked with tripwire that nothing
> > was changed / ran chkrootkit (paranoid? ;) ).

> Looks like you have received a packet looking for a sunrpc port.
> Portsentry seems to have stopped further attempts from that IP by using
> tcpwrappers, and presumably adding a new rule to your ipchains rule set.
> What is not clear is how the packet got past your firewall script in
> the first place.

That's what bugs me too :P

> I'd be willing to bet that you are running a default policy of accept,
> and that even though you have no services running, the packet still got
> through and was caught by portsentry.

Nope, I have a default policy of deny, and there are no rules to accept any
packets from 'bad hosts', only from some trusted DNS servers.

> I'd be checking your ipchains rules to ensure that you are trapping
> everything that you don't explicitly want to allow in.

Checked the rules once again, and I didn't find anything that would match
this.

> Go to http://www.linux-firewall-tools.com for a design tool that will
> make your life easy.

OK, I'll check that out. Thanks.

Strange packets..

Post by . » Tue, 08 May 2001 19:07:39



> Checked the rules once again, and I didn't find anything that would match
> this.

Just to add to the soup, I blocked an IP range from
a host of mine this weekend due to extensive port probes.

    route add -net x.x.x.0 netmask 255.255.255.0 reject

Yet portsentry continued to report the probing after I
dropped the route.

??


Strange packets..

Post by Tim Hayne » Tue, 08 May 2001 19:58:28



> Just to add to the soup, I blocked an IP range from a host of mine this
> weekend due to extensive port probes.

>     route add -net x.x.x.0 netmask 255.255.255.0 reject

> Yet portsentry continued to report the probing after I dropped the route.

Of course it will. They came in through your default route, effectively,
didn't they?

(Never tried setting up a server with the wrong default gateway? People can
send it one SYN packet by all means, but the responses will go down the
spout. All you've done is the same - responses to that block go down the
drain; that doesn't stop them sending you them!)

The solution is: stop logging the blighters.

~Tim
--

Take death on wheels / Re-create the land   | http://piglet.is.dreaming.org


Strange packets..

Post by craw.. » Wed, 09 May 2001 10:53:24



> When I woke up this morning and started to read my logs as usual, I found
> 5 strange packets, all from different times and source addresses.

> I'm running kernel 2.2.7 with a firewall (ipchains).

> abacus_sentry[591]: attackalert: Unknown packet type from host: some_ip/some_ip to TCP port: 111
> abacus_sentry[591]: attackalert: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 1
> abacus_sentry[591]: attackalert: some_ip has been blocked via wrappers.
> abacus_sentry[591]: attackalert: Host some_ip has been blocked via dropped route.

> I have (at least I think) a properly configured firewall, denying all
> incoming data, so how come this packet got through my firewall?

If I read this correctly, then this is an RST packet. some_ip could have
received a spoofed TCP:111 packet with the source IP being your IP. If
this is the case, then you are getting the RST reply from some_ip.

Could RST packets be getting past your firewall? Are you accepting incoming
non-SYN packets to privileged ports?

Note that one could perform a "DoS" against your computer by spoofing
your IP; e.g., substitute some_ip with yahoo, cnn, slashdot, etc...

Clyde
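Clyde's reading of the flag line, written out as an added example (not code from any poster): it pairs each portsentry "from host" line with the "Packet Flags" line that follows it, separates SYN connection attempts from RST-only replies and other non-SYN segments, and flags non-SYN traffic that reached a privileged port, which is exactly what a rule set that filters only on the SYN flag lets through. The sample log lines and their addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format portsentry writes (documentation addresses,
# not the poster's); the first event mirrors the thread's RST-only packet to port 111.
SAMPLE_LOG = """\
abacus_sentry[591]: attackalert: Unknown packet type from host: 192.0.2.7/192.0.2.7 to TCP port: 111
abacus_sentry[591]: attackalert: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 1
abacus_sentry[591]: attackalert: Host 192.0.2.7 has been blocked via dropped route.
abacus_sentry[591]: attackalert: Unknown packet type from host: 198.51.100.9/198.51.100.9 to TCP port: 111
abacus_sentry[591]: attackalert: Packet Flags: SYN: 1 FIN: 0 ACK: 0 PSH: 0 URG: 0 RST: 0
"""

HOST_RE = re.compile(r"from host: (\S+)/\S+ to TCP port: (\d+)")
FLAGS_RE = re.compile(r"Packet Flags: (.*)$")


@dataclass
class Packet:
    src: str
    dport: int
    flags: dict = field(default_factory=dict)


def parse_portsentry(text):
    """Pair each 'from host' line with the 'Packet Flags' line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            pending = Packet(m.group(1), int(m.group(2)))
            continue
        m = FLAGS_RE.search(line)
        if m and pending is not None:
            pending.flags = {k: int(v) for k, v in re.findall(r"([A-Z]{3}): (\d)", m.group(1))}
            packets.append(pending)
            pending = None
    return packets


def classify(pkt):
    """Read the flag line the way Clyde does."""
    f = pkt.flags
    if f.get("SYN") and not f.get("ACK"):
        return "connection attempt"  # a real probe; an ipchains '-y' (SYN-only) rule catches this
    if f.get("RST"):
        return "rst reply"  # RST without SYN: the remote host answering a segment it attributes to us
    return "non-syn segment"  # ACK/FIN only: also passes any rule that filters on SYN alone


def leaks_to_privileged_port(pkt):
    """True when a non-SYN segment reached a port below 1024: such traffic has to be
    denied by port and interface, not only by the SYN flag."""
    return pkt.dport < 1024 and classify(pkt) != "connection attempt"
```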


Strange packet log: hacked?

Hi all,

I have a RH7.2 computer as a firewall to the outside cable connection. Inside is a private
LAN with a web server that I access by port forwarding on the firewall.
I have the following two lines in my firewall script:

$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG \
        --log-prefix "FW NEW no syn: "
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

and I am getting A LOT of logged drops with the internal Linux web server as
source address and a variety of destination addresses. Some of them are
addresses which I have recently visited, others I don't recognize
(usually I get a terse "Not Found" when I try to visit the site). Is
there reason for alarm, or is there another explanation?

64.37.205.20 is an example source address. This IP is also showing up in the
logs as being blocked from outside the firewall. Here are some
lines from the log.

Jan  4 21:21:14  kernel: New - no syn: IN=eth1 OUT=eth0
        SRC=10.1.1.3 DST=64.37.205.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63
        ID=61082 DF PROTO=TCP SPT=38110 DPT=80 WINDOW=6432 RES=0x00
        ACK FIN URGP=0
Jan  4 21:22:50  kernel: IPTABLES TCP-IN: IN=eth0
        OUT= MAC=00:50:04:c2:ac:9a:00:04:28:24:9c:70:08:00
        SRC=64.37.205.20 DST=24.17.113.56 LEN=41 TOS=0x00 PREC=0x00
        TTL=118 ID=12848 DF PROTO=TCP SPT=80 DPT=38110 WINDOW=5865
        RES=0x00 ACK URGP=0

I'm fairly new at reading packet logs, so would appreciate some help.
Also, how do I do a tcpdump? I can't find that program on my computer.
TIA,
Jackson
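A way to read Jackson's two log records side by side, as an added example (not code from the post): it parses the iptables LOG lines into fields and TCP flags, then groups records by peer address and port pair, so the outgoing ACK FIN from 10.1.1.3:38110 and the incoming ACK from 64.37.205.20:80 land on one connection even though NAT rewrites the inside address. It assumes eth0 is the external interface, as the IN=/OUT= fields in the post suggest; the sample records are the post's own, re-joined onto one line each.

```python
from collections import defaultdict

# Constructed sample: the two records quoted in the post, each re-joined onto one line
# (syslog wraps kernel LOG output, but the fields stay whitespace-separated either way).
SAMPLE = """\
Jan  4 21:21:14  kernel: New - no syn: IN=eth1 OUT=eth0 SRC=10.1.1.3 DST=64.37.205.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=61082 DF PROTO=TCP SPT=38110 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Jan  4 21:22:50  kernel: IPTABLES TCP-IN: IN=eth0 OUT= MAC=00:50:04:c2:ac:9a:00:04:28:24:9c:70:08:00 SRC=64.37.205.20 DST=24.17.113.56 LEN=41 TOS=0x00 PREC=0x00 TTL=118 ID=12848 DF PROTO=TCP SPT=80 DPT=38110 WINDOW=5865 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EXTERNAL_IF = "eth0"  # assumption: eth0 faces the cable modem, eth1 the private LAN


def parse_log_line(line):
    """Split one iptables LOG record into key=value fields plus the set of TCP flags."""
    tokens = line.split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    fields, flags = {}, set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)  # 'OUT=' yields an empty value
            fields[key] = value
        elif tok in TCP_FLAGS:  # bare tokens are DF (an IP flag) or TCP flag names
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def correlate(text):
    """Group records by (peer address, peer port, our port). The inside host's address
    differs between the FORWARD and INPUT records because of NAT, so the peer side
    plus the port pair is what identifies one TCP connection."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if "PROTO=TCP" not in line:
            continue
        rec = parse_log_line(line)
        if rec["IN"] == EXTERNAL_IF:
            key, direction = (rec["SRC"], int(rec["SPT"]), int(rec["DPT"])), "in"
        else:
            key, direction = (rec["DST"], int(rec["DPT"]), int(rec["SPT"])), "out"
        conns[key].append((direction, frozenset(rec["FLAGS"])))
    return dict(conns)


def non_syn_only(conns):
    """Connections where no logged segment carries SYN, i.e. nothing in the log is a
    connection attempt, only later segments of an exchange on that port pair."""
    return {k: v for k, v in conns.items() if all("SYN" not in f for _, f in v)}
```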
