Ports advice...

tom tmarinis99
Mon May 17 11:43:39 PDT 2004


tmarinis99 wrote:

Greets List;  Forgive my ignorance and the length of
the message, but I'm stumped, and have been for 
about 35 days now.

I'm getting some really weird port probes here on my
home-made firewall lately.  I'm stumped because I'm 
unaware of what exactly my attacker(s) is looking for.

I've seen a sudden large bump of traffic consistently probing
random unassigned port locations before, so I am wondering 
if there is a new vulnerability out there, or if this is a 
simple nmap probe, or more likely someone running a server
with a misconfigured service? 


The port numbers being consistently attacked are:

1101, 3059, 16692, 22954, 29169, 38891, 60380, 62353.


Under http://www.iana.org/assignments/port-numbers
for the list date of Jan 17th 2003 I have read that the
ports are listed in this manner;

1101 is listed as a PT2-DISCOVER.
[ I don't have a clue as to what this service is at all ]

3509 is listed as qsoft ( I'm guessing a misconfigured 
server/game/product/software which I'm assuming is manufactured
by qsoft, I'm not going to worry about this one.  I run nothing
from qsoft here ).

16692, 22954, 29169, 38891, 60380 are listed as unassigned.
This is stumping me though. [ WTF ???? ]

The IPs attacking me are 64.12.137.1-56 inclusive.  I've
been wondering now whether they are spoofed or not.  They are 
always from this range.

Searching ARIN, the whois gave me 64.12.X.X  AOL as the owner.

The attacks start on a regular basis, from 10:00am PST 
until 1:00pm PST, then starts again at 8:00pm to 3-4 am.

They've started last month, first hit 22nd December
just before Christmas 2002.  They last for a few hours, then
die off.

Looking over some CERT alerts, nothing listed there that
I have read so far reaches the above mentioned ports.

Has anyone else seen attacks on these ports anywhere
lately, or is there some new service that I should be 
aware of that maybe I haven't locked down properly
inside my network?

===

The firewall I'm running is a simple border type, an
Intel Pentium 586, 48 megs RAM, 2 NICs, and a wee 
3 GB hard drive, install date August 27th 2001.

I run a DHCP client to obtain an IP from the ISP on one NIC, 
and a DHCP server for the clients for internet 
connectivity on the second NIC, with no other services
provided or daemons running.

The firewall has no sendmail, no ssh, 
no serial comm software like tip [ removed ], 
there is no X [period, all libs removed], no ppp [removed],
no http services [ removed ], no portmap, no r<services>
whatsoever, access is by Keyboard and monitor, 2 terminals
are permitted to run, but that's it.

I have also removed:
the gcc compiler, ftp, lynx, most of the bin utils,
except the {ipf} packet filter, nmap.

No holes in firewall to the internet for connections made 
to the internal services of the network.  I provide
no services whatsoever.

The clients inside the network use the firewall for simple 
web browsing/e-mail and  ftp services, period.  There are 
no http services running inside the network.

E-Mail is provided to me via smtp OUTSIDE my network from my 
ISP. Or I use netscape mail sometimes, like I'm doing now.

Everything else is either blocked, logged, and then dropped.


Sample log with a definition below:

Jan 29 09:19:25.221984 REDDWARF              rl1 @0:82b 64.12.137.8,5006 -> 207.6.233.24,29169 PR udp len 20 78 IN  
Jan 29 09:19:25.888960 REDDWARF              rl1 @0:14b 64.12.137.5,64904 -> 207.6.233.24,22954 PR tcp 20 60 -S IN
============

TIMESTAMP:
rl1                 ===> Ethernet interface ( external ).
64.12.X.X,Y         ===> attacker.IP.ADDRESS,PORT connection
207.6.233.23,29169  ===> My.IP.ADDRESS.
PR tcp/udp          ===> Protocol, packet/frame/payload length
-S                  ===> SYN packet received by firewall
IN                  ===> Direction of traffic travel

[ Goes on for several thousand lines for over a few hours. ]


Is there something I should be looking for in particular, or
is this due to the M$ MySQL worm that's going around lately?
I typically see 1433, 1434, but not the above mentioned ports.

Thanks muchly...

 
---tm---
Linux Registration Number; 184093, 
http://counter.li.org
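An added example, not part of the original post: a small Python parser for the ipmon (ipf) log format quoted above that aggregates the dropped packets by source, destination port and hour of day, so a scan (many ports per source) can be told apart from a fixed client behaviour (the same few ports from many sources), which is what the poster is asking. The sample records are constructed in that format, one per line; the field names and the 64.12.137.0/24 filter are assumptions for the example.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records in the ipmon format quoted in the post, one
# record per line (the mail client wrapped the originals). Not real captures.
SAMPLE_LOG = """\
Jan 29 09:19:25.221984 REDDWARF rl1 @0:82b 64.12.137.8,5006 -> 207.6.233.24,29169 PR udp len 20 78 IN
Jan 29 09:19:25.888960 REDDWARF rl1 @0:14b 64.12.137.5,64904 -> 207.6.233.24,22954 PR tcp 20 60 -S IN
Jan 29 09:19:26.101111 REDDWARF rl1 @0:14b 64.12.137.5,64905 -> 207.6.233.24,22954 PR tcp 20 60 -S IN
Jan 29 09:19:27.400000 REDDWARF rl1 @0:82b 64.12.137.12,5006 -> 207.6.233.24,38891 PR udp len 20 78 IN
Jan 29 20:05:01.000000 REDDWARF rl1 @0:14b 64.12.137.5,64906 -> 207.6.233.24,1101 PR tcp 20 60 -S IN
Jan 29 09:20:01.000000 REDDWARF rl1 @0:14b 198.51.100.7,40000 -> 207.6.233.24,80 PR tcp 20 60 -S IN
"""

# Fields: timestamp, host, interface, rule tag, src,sport -> dst,dport, PR proto, rest
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)\.\d+ "
    r"(?P<host>\S+) +(?P<iface>\S+) +(?P<rule>@\S+) "
    r"(?P<src>\d+(?:\.\d+){3}),(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}),(?P<dport>\d+) PR (?P<proto>\w+) (?P<rest>.*)$"
)

def parse_line(line):
    """Parse one ipmon record; return a dict of fields or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["syn"] = "-S" in rec["rest"].split()   # TCP SYN flag as ipmon prints it
    return rec

def aggregate(log_text, watch_net="64.12.137.0/24"):
    """Summarise blocked inbound packets from one source network (assumed filter).

    Returns (dest ports per source, hits per (proto, dport), hits per hour of day).
    """
    net = ipaddress.ip_network(watch_net)
    ports_by_src, hits_by_port, hits_by_hour = defaultdict(set), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in net:
            continue   # unparsable line, or a source outside the watched range
        ports_by_src[rec["src"]].add(rec["dport"])
        hits_by_port[(rec["proto"], rec["dport"])] += 1
        hits_by_hour[int(rec["time"][:2])] += 1   # checks the poster's time-of-day pattern
    return {s: sorted(p) for s, p in ports_by_src.items()}, hits_by_port, hits_by_hour
```

Running `aggregate(SAMPLE_LOG)` on the constructed sample shows each source touching one or two fixed ports, with hits clustered in the 09:00 and 20:00 hours.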






