From: grimace
To: security@FreeBSD.ORG
Date: Tue, 13 Oct 1998 00:44:40 -0400 (EDT)
Subject: Spoofed connections on port 13223??

Hello all,

I have investigated to the best of my ability yet have not been able to determine the nature of this attack. Any assistance in helping to diagnose the following will be greatly appreciated.

On several occasions, I have experienced spoofed TCP connections to port 13223 on a laptop running FreeBSD-2.2.6-RELEASE. These connections were logged with the clog package from the ports collection. What really baffles me is that these attacks are clearly intentional, but I've been unable to determine the significance of port 13223. On one occasion, this attack went on for almost 2 hours, with a pattern of 4 every 2 minutes.

I've completely reinstalled FreeBSD, but the same attacks occurred both before and after the reinstall, so I'm reasonably sure I have not been compromised.

I've attached the applicable log entries for the latest attacks and the response from one ISP who confirms the attack was spoofed.
TIMEZONE: ADT

TCP Activity: (with clog)

Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223

ICMP Activity: (with icmpinfo)

Jul 30 05:01:44 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33477 seq=0x00140000 sz=36(+20)
Jul 30 05:01:46 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33478 seq=0x00140000 sz=36(+20)
Jul 30 05:01:48 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33479 seq=0x00140000 sz=36(+20)

>Date sent: Fri, 31 Jul 1998 06:58:50 -0300 (ADT)
>From: someone
>To: abuse@spoofedhost.org
>Subject: Security Concern...
>
>> Hello,
>>
>> I wish to report a possible security concern from what appears
>> to be one of your users. I have seen the following on several
>> occasions, each time from a different IP. This fact, and as the
>> following alludes to, makes me suspect that the attack was
>> spoofed. I would GREATLY appreciate it, if you could confirm/deny
>> the following in a timely manner.
>
> Sorry for the delay as I was on vacation and the abuse box did not
> forward correctly. I have examined this and it is definitely a spoof. I
> will make some further inquiries on Monday to find this person(s).
>
>> TCP Activity:
>>
>> Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223
>
>This is definitely spoofed.

The most recent attack occurred on October 10.

Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223
.
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223
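As an added example (not part of the original post or of the clog package), a small Python script that parses clog-style "date|src ip|src port|dst host|dst port" entries like those above and flags the bursts of identical entries the poster describes. The log lines inside it are constructed from documentation address ranges, not the addresses quoted in the report.

```python
from collections import defaultdict

# Constructed sample in the clog layout shown in the post; the addresses are
# documentation ranges (RFC 5737), not real hosts or indicators.
SAMPLE_LOG = """\
Sep 04 21:30|192.0.2.10|3959|198.51.100.5|13223
Sep 04 21:30|192.0.2.10|3959|198.51.100.5|13223
Sep 04 21:30|192.0.2.10|3959|198.51.100.5|13223
Sep 04 21:30|192.0.2.10|3959|198.51.100.5|13223
Sep 04 21:31|192.0.2.77|1045|198.51.100.5|22
Sep 04 22:03|192.0.2.10|4353|198.51.100.5|13223
Sep 04 22:03|192.0.2.10|4353|198.51.100.5|13223
Sep 04 22:03|192.0.2.10|4353|198.51.100.5|13223
Sep 04 22:03|192.0.2.10|4353|198.51.100.5|13223
"""


def parse_clog(text):
    """Parse clog lines into dicts; malformed or non-numeric lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        stamp, src, sport, dst, dport = parts
        try:
            records.append({"when": stamp, "src": src, "sport": int(sport),
                            "dst": dst, "dport": int(dport)})
        except ValueError:
            continue
    return records


def find_bursts(records, min_repeats=3):
    """Return {(minute, src, sport, dport): count} for groups repeated at least
    min_repeats times.  A normal client picks a fresh ephemeral port per
    connection; several entries with the same source port in the same minute
    look like retransmissions of one SYN that never completed a handshake,
    which is the shape a spoofed-source or unanswered connection leaves."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["when"], r["src"], r["sport"], r["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= min_repeats}


def sources_by_port(records):
    """Map destination port -> sorted set of distinct source addresses."""
    per_port = defaultdict(set)
    for r in records:
        per_port[r["dport"]].add(r["src"])
    return {port: sorted(srcs) for port, srcs in per_port.items()}
```

A single source hitting one unusual port with retransmit-shaped bursts, while never completing a connection, is worth raising with the upstream provider exactly as the poster did.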