Date:      Wed, 13 Feb 2002 01:22:25 -0500
From:      Jim Conner <jconner@enterit.com>
To:        "James Green" <james@stealthnet.co.uk>
Cc:        <freebsd-questions@freebsd.org>
Subject:   RE: Am I being hacked?! Strange connection attempts
Message-ID:  <5.1.0.14.0.20020213011306.0340ce68@mail.enterit.com>
In-Reply-To: <IGEPIJPNHPMGCANGLCBHGEHJCBAA.james@stealthnet.co.uk>
References:  <20020212170133.3bf6d5c9.johann@broadpark.no>

At 16:27 02.12.2002 +0000, James Green wrote:
> > During the last few weeks (months?) I've been getting a few
> > thousand of these into /var/log/messages:
> >
> > Feb 12 14:37:36 ninja ftpd[4697]: FTP LOGIN FAILED FROM
> > mp-217-217-113.daxnet.no, johann
>
>Someone is trying to connect to your ftp service and is being denied
>access.
>
> > And today, I've been getting about a few hundred of these
> > (although all on different ports):
> >
> > Feb 12 14:56:16 ninja /kernel: Connection attempt to TCP
> > 10.0.0.2:1433 from 61.153.3.67:2230
>
>10.0.0.* is I think a private IP space for local LANs. Dunno about that.
>
> > Exactly what is going on?
>
>Well someone is probably portscanning your machine, finding interesting open
>ports like ftp and attempting to connect to them. You can log this sort of
>activity, check freshmeat.net for software and lots of sites for security
>advice.

Ok.  Yup, James, you are right.  10.* is a private IP address 
block.  Therefore, the fact that there is a connect attempt on port 1433 
from a real IP address to an internal address could be hokey if...*if* 
J.S. is NOT forwarding the ports or has this machine in his DMZ or 
something.  If he has it blocked, however (or not in the DMZ) then this, to 
me, looks like someone is port-scanning and they are taking advantage of 
J.S.'s stateless firewall.  They are probably using a syn+ack scan or 
something.  This kind of scan, IIRC, is capable of fooling the firewall 
into thinking that the inside host made a request to the outside world and 
therefore the fw happily passes the packets along.  The victim machine 
should just send a tcp 'rst'  (reset) when encountering these kinds of 
packets, since it didn't actually request anything from the attacker 
machine.  This tcp 'rst' is what gives the attacker the knowledge that the 
victim is there and is listening on that port.  If the port isn't open on 
the victim host the host simply doesn't answer.  This is a very effective 
type of scan and is quite easy to manipulate using a tool like nmap.

I believe I got that right (going from memory from my GIAC training).  Oth, 
I could be totally off but at first glance and without doing a whole lot 
more of investigating, this would be my first guess.

Anyone else?

- Jim

>James Green
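As an added example (not code from this thread or from FreeBSD), a small triage script that parses the two /var/log/messages formats quoted above, aggregates them per source host, and flags repeated FTP login failures, probing of several distinct ports, and connections that reach a private (RFC 1918) destination address, which, as the thread notes, only makes sense if the box is port-forwarded or in a DMZ. The sample log lines are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample syslog lines in the two formats quoted in the thread
SAMPLE_LOG = """\
Feb 12 14:37:36 ninja ftpd[4697]: FTP LOGIN FAILED FROM mp-217-217-113.daxnet.no, johann
Feb 12 14:37:41 ninja ftpd[4702]: FTP LOGIN FAILED FROM mp-217-217-113.daxnet.no, root
Feb 12 14:37:45 ninja ftpd[4710]: FTP LOGIN FAILED FROM mp-217-217-113.daxnet.no, admin
Feb 12 14:56:16 ninja /kernel: Connection attempt to TCP 10.0.0.2:1433 from 61.153.3.67:2230
Feb 12 14:56:17 ninja /kernel: Connection attempt to TCP 10.0.0.2:139 from 61.153.3.67:2231
Feb 12 14:56:17 ninja /kernel: Connection attempt to TCP 10.0.0.2:445 from 61.153.3.67:2232
Feb 12 14:56:18 ninja /kernel: Connection attempt to UDP 10.0.0.2:161 from 61.153.3.67:2233
Feb 12 15:01:02 ninja /kernel: Connection attempt to TCP 10.0.0.2:22 from 192.0.2.10:40000
"""

FTP_FAIL = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\S+), (\S+)$")
CONN_ATTEMPT = re.compile(r"/kernel: Connection attempt to (TCP|UDP) (\S+):(\d+) from (\S+):(\d+)$")

def parse_messages(text):
    """Aggregate per-source activity from the two log formats above."""
    per_src = defaultdict(lambda: {"ftp_failures": 0, "ftp_users": set(),
                                   "targets": set(), "private_dst": False})
    for line in text.splitlines():
        m = FTP_FAIL.search(line)
        if m:
            host, user = m.groups()
            per_src[host]["ftp_failures"] += 1
            per_src[host]["ftp_users"].add(user)
            continue
        m = CONN_ATTEMPT.search(line)
        if m:
            proto, dst, dport, src, _sport = m.groups()
            per_src[src]["targets"].add((proto, int(dport)))
            # Kernel logs numeric addresses; a private destination reached from
            # outside implies port forwarding or a DMZ host (see the thread).
            per_src[src]["private_dst"] |= ip_address(dst).is_private
    return per_src

def classify(per_src, scan_ports=3, max_failures=3):
    """Tag each source host; thresholds are assumptions, tune for your site."""
    tags = {}
    for src, rec in per_src.items():
        t = []
        if len(rec["targets"]) >= scan_ports:    # many distinct ports: probable scan
            t.append("port_scan")
        if rec["ftp_failures"] >= max_failures:  # repeated failures: password guessing
            t.append("login_bruteforce")
        if rec["private_dst"]:
            t.append("private_dst_reached")
        tags[src] = t
    return tags
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; hostnames logged by ftpd and addresses logged by the kernel are kept as separate keys, so resolve them yourself if you want them merged.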

Philosophy is for those who have nothing better to do than wonder
why philosophy is for those who have nothing better to do than...


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message