Date: Tue, 13 Oct 1998 00:44:40 -0400 (EDT)
From: grimace <grimace@ns.nternet.net>
To: security@FreeBSD.ORG
Subject: Spoofed connections on port 13223??
Message-ID: <Pine.BSF.3.96.981013004343.26044A-100000@ns.nternet.net>
Hello all,

I have investigated to the best of my ability yet have not been able to
determine the nature of this attack. Any assistance in helping to diagnose
the following will be greatly appreciated.

On several occasions, I have experienced spoofed TCP connections to port
13223 on a laptop running FreeBSD-2.2.6-RELEASE. These connections were
logged with the clog package from the ports collection. What really baffles
me is that these attacks are clearly intentional, but I've been unable to
determine the significance of port 13223. On one occasion, this attack went
on for almost 2 hours, with a pattern of 4 every 2 minutes.

I've completely reinstalled FreeBSD, but the same attacks occurred both
before and after the reinstall, so I'm reasonably sure I have not been
compromised.

I've attached the applicable log entries for the latest attacks and the
response from one ISP who confirms the attack was spoofed.

TIMEZONE: ADT

TCP Activity: (with clog)

Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223

ICMP Activity: (with icmpinfo)

Jul 30 05:01:44 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33477 seq=0x00140000 sz=36(+20)
Jul 30 05:01:46 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33478 seq=0x00140000 sz=36(+20)
Jul 30 05:01:48 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33479 seq=0x00140000 sz=36(+20)

>Date sent:    Fri, 31 Jul 1998 06:58:50 -0300 (ADT)
>From:         someone <someone@localhost>
>To:           abuse@spoofedhost.org
>Subject:      Security Concern...

>> Hello,
>>
>> I wish to report a possible security concern from what appears
>> to be one of your users. I have seen the following on several
>> occasions, each time from a different IP. This fact, and as the
>> following alludes to, makes me suspect that the attack was
>> spoofed. I would GREATLY appreciate it if you could confirm/deny
>> the following in a timely manner.

> Sorry for the delay as I was on vacation and the abuse box did not
> forward correctly. I have examined this and it is definitely a spoof. I
> will make some further inquiries on Monday to find this person(s).

>> TCP Activity:
>>
>> Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223

>This is definitely spoofed.

The most recent attack occurred on October 10.

Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
.
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-security" in the body of the message
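The post reads the clog and icmpinfo lines by eye to spot the "same source, same source port, four hits in a minute" pattern. The script below is an added example (not part of the thread and not code from the clog or icmpinfo packages) that parses both log formats as they appear in the post, groups repeated clog entries into bursts, and summarises hits per source and target port, so the pattern can be counted mechanically across a longer log. The field layout of both formats is inferred from the lines quoted in the post; the sample input is those same lines, and the traceroute port window is a labelled heuristic of my own.

```python
"""Summarise clog (TCP) and icmpinfo (ICMP) log lines of the kind quoted in the post."""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Sample input: the clog lines quoted in the post, including its "." separator line.
TCP_LOG = """\
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
.
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
""".splitlines()

# Sample input: the icmpinfo lines quoted in the post.
ICMP_LOG = """\
Jul 30 05:01:44 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33477 seq=0x00140000 sz=36(+20)
Jul 30 05:01:46 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33478 seq=0x00140000 sz=36(+20)
Jul 30 05:01:48 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33479 seq=0x00140000 sz=36(+20)
""".splitlines()


@dataclass(frozen=True)
class ClogEntry:
    """One clog record: 'Mon DD HH:MM|src|sport|dst|dport' (minute resolution, no year)."""
    stamp: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_clog_line(line: str) -> Optional[ClogEntry]:
    """Return a ClogEntry, or None for separator or malformed lines (e.g. the lone '.')."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    stamp, src, sport, dst, dport = parts
    try:
        return ClogEntry(stamp, src, int(sport), dst, int(dport))
    except ValueError:
        return None


# A burst is a run of identical (minute, src, sport, dst, dport) records; the post's
# four-lines-per-attempt pattern shows up as one key with a count of 4.
BurstKey = Tuple[str, str, int, str, int]


def group_bursts(lines: Iterable[str]) -> "OrderedDict[BurstKey, int]":
    """Count identical records, preserving first-seen order."""
    bursts: "OrderedDict[BurstKey, int]" = OrderedDict()
    for line in lines:
        e = parse_clog_line(line)
        if e is None:
            continue
        key = (e.stamp, e.src, e.sport, e.dst, e.dport)
        bursts[key] = bursts.get(key, 0) + 1
    return bursts


def summarise_sources(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: burst count, total hits, target ports, first and last minute seen."""
    summary: Dict[str, dict] = {}
    for (stamp, src, sport, dst, dport), n in group_bursts(lines).items():
        s = summary.setdefault(
            src, {"bursts": 0, "hits": 0, "dports": set(), "first": stamp, "last": stamp})
        s["bursts"] += 1
        s["hits"] += n
        s["dports"].add(dport)
        s["last"] = stamp
    return summary


# icmpinfo line: 'Mon DD HH:MM:SS <type> < <host> > <host> sp=<n> dp=<n> ...'
ICMP_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kind>\S+) "
    r"< (?P<left>\S+) > (?P<right>\S+) sp=(?P<sp>\d+) dp=(?P<dp>\d+)")

# Heuristic (my assumption, not from the post): classic UDP traceroute sends its
# probes to ports starting at 33434, so port-unreachables with dp in this window
# usually answer a traceroute run from the logging host rather than an inbound probe.
TRACEROUTE_PORTS = range(33434, 33434 + 100)


def parse_icmpinfo_line(line: str) -> Optional[dict]:
    m = ICMP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"stamp": d["stamp"], "kind": d["kind"], "left": d["left"], "right": d["right"],
            "sp": int(d["sp"]), "dp": int(d["dp"]), "traceroute_range": int(d["dp"]) in TRACEROUTE_PORTS}


def icmp_dest_ports(lines: Iterable[str]) -> List[int]:
    """Destination ports quoted inside the ICMP errors, in log order."""
    return [e["dp"] for e in map(parse_icmpinfo_line, lines) if e]


if __name__ == "__main__":
    for src, s in summarise_sources(TCP_LOG).items():
        print(f"{src}: {s['bursts']} burst(s), {s['hits']} hits, "
              f"dports {sorted(s['dports'])}, {s['first']} .. {s['last']}")
    for line in ICMP_LOG:
        e = parse_icmpinfo_line(line)
        print(f"{e['stamp']} {e['kind']} dp={e['dp']} traceroute_range={e['traceroute_range']}")
```

Run as-is it prints one summary line per source and one per ICMP record; feeding it a full clog file instead of `TCP_LOG` gives the per-source burst counts for the whole period the post describes. Note that the two fields between `<` and `>` are kept as `left` and `right` rather than labelled source and destination, because the post's lines have the same address in both and the script makes no assumption about icmpinfo's ordering.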
