Date: Mon, 8 Sep 2003 22:20:36 -0700
From: Randy Bush <randy@psg.com>
To: freebsd-security@freebsd.org
Subject: is one of my hosts a scanner?
Message-ID: <E19wavc-000LTN-VI@ran.psg.com>
so i just found that one of my hosts is GENERATING these probe pairs,
maybe every minute or two (note the sequence numbers):

    seq my host            victim(s)
    --- ---------------- ---------------
    24) 192.168.0.2:1121 <--> 216.52.3.2:2703
    25) 192.168.0.2:1122 <--> 216.52.3.4:2703
    39) 192.168.0.2:1124 <--> 216.52.3.2:2703
    40) 192.168.0.2:1125 <--> 216.52.3.4:2703
    49) 192.168.0.2:1129 <--> 216.52.3.2:2703
    50) 192.168.0.2:1130 <--> 216.52.3.4:2703
    71) 192.168.0.2:1136 <--> 216.52.3.2:2703
    72) 192.168.0.2:1137 <--> 216.52.3.4:2703
    83) 192.168.0.2:1141 <--> 216.52.3.2:2703
    84) 192.168.0.2:1142 <--> 216.52.3.4:2703

the host in the 1918 space is mine. the gap in the sequential scan is
because those ports were otherwise occupied.

a single probe looks like

    21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 54731668 0> (DF)
    21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 <mss 1460,nop,nop,timestamp 1121328035 54731668,nop,wscale 0> (DF)
    21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 <nop,nop,timestamp 54731685 1121328035> (DF)
    21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 <nop,nop,timestamp 1121328056 54731685> (DF)
    21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 <nop,nop,timestamp 54731706 1121328056> (DF)
    21:30:33.027105 216.52.3.2.2703 > 192.168.0.2.1141: . ack 13 win 5792 <nop,nop,timestamp 1121328074 54731706> (DF)
    21:30:33.028032 216.52.3.2.2703 > 192.168.0.2.1141: P 36:90(54) ack 13 win 5792 <nop,nop,timestamp 1121328074 54731706> (DF)
    21:30:33.028724 192.168.0.2.1141 > 216.52.3.2.2703: P 13:25(12) ack 90 win 57920 <nop,nop,timestamp 54731740 1121328074> (DF)
    21:30:33.187272 216.52.3.2.2703 > 192.168.0.2.1141: P 90:141(51) ack 25 win 5792 <nop,nop,timestamp 1121328108 54731740> (DF)
    21:30:33.196247 192.168.0.2.1141 > 216.52.3.2.2703: P 25:30(5) ack 141 win 57920 <nop,nop,timestamp 54731757 1121328108> (DF)
    21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 <nop,nop,timestamp 1121328130 54731757> (DF)

iana says port 2703 is sms-chat. google for "sms-chat protocol" produces
two hacker texts in deutsch, which i tried to wade through but it was a
lot of cryptic twisty passages. sms seems to be some sort of microsloth
protocol. and, from samba-land docs

    "The version of netmon that ships with SMS allows for dumping
    packets between any two computers (i.e. placing the network
    interface in promiscuous mode)"

now the host doing the probes
  o is the only one of my hosts doing it
  o is the only one of my hosts running samba, 2.2.8a

no ports are in promiscuous mode, that i can see (i.e. ifconfig could
have been hacked).

clues?

randy
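The pattern Randy describes (bare SYNs from one source, ascending source ports, a fixed destination port, alternating targets, repeating every minute or two) can be picked out of plain tcpdump text without any extra tooling. The script below is an added example for this archive page, not code from the original post or from the FreeBSD or Samba projects: it parses tcpdump's classic one-line TCP format as shown above, keeps only connection-initiating SYNs, and reports per (source host, destination port) runs that look like periodic probing. The sample lines are constructed to mirror the pairs in the post (sequence numbers and timestamps are made up), and the threshold of three connections is an assumption to tune for your own network.

```python
import re
from collections import defaultdict

# Matches tcpdump's classic TCP one-liner, as in the post:
#   <hh:mm:ss.usec> <src_ip>.<sport> > <dst_ip>.<dport>: <flags> <rest>
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+'
    r'(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$'
)

# Constructed sample capture: three probe pairs modelled on the post, plus
# the replies/ACKs that must be ignored and one unrelated benign connection.
SAMPLE_LINES = [
    "21:27:10.000000 192.168.0.2.1121 > 216.52.3.2.2703: S 1:1(0) win 57344 <mss 1460> (DF)",
    "21:27:10.150000 216.52.3.2.2703 > 192.168.0.2.1121: S 9:9(0) ack 2 win 5792 <mss 1460> (DF)",
    "21:27:10.160000 192.168.0.2.1121 > 216.52.3.2.2703: . ack 1 win 57920 <nop> (DF)",
    "21:27:10.200000 192.168.0.2.1122 > 216.52.3.4.2703: S 1:1(0) win 57344 <mss 1460> (DF)",
    "21:27:55.000000 192.168.0.2.1123 > 10.0.0.9.80: S 1:1(0) win 57344 <mss 1460> (DF)",
    "21:28:40.000000 192.168.0.2.1124 > 216.52.3.2.2703: S 1:1(0) win 57344 <mss 1460> (DF)",
    "21:28:40.200000 192.168.0.2.1125 > 216.52.3.4.2703: S 1:1(0) win 57344 <mss 1460> (DF)",
    "21:30:32.000000 192.168.0.2.1141 > 216.52.3.2.2703: S 1:1(0) win 57344 <mss 1460> (DF)",
    "21:30:32.200000 192.168.0.2.1142 > 216.52.3.4.2703: S 1:1(0) win 57344 <mss 1460> (DF)",
]


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    # A SYN whose remainder carries no "ack" is the opening packet of a
    # connection the source initiated; SYN-ACK replies are excluded here.
    d["syn_only"] = d["flags"] == "S" and " ack " not in f" {d['rest']} "
    return d


def to_seconds(ts):
    """hh:mm:ss.frac -> seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_outbound_probes(lines, min_connections=3):
    """Group connection-initiating SYNs by (source host, destination port) and
    summarise any run of at least min_connections: target set, source-port
    range, whether source ports climb monotonically (a single process
    opening sockets in sequence), and the mean spacing between probes."""
    syns = defaultdict(list)  # (src, dport) -> [(t, sport, dst), ...]
    for line in lines:
        p = parse_line(line)
        if p and p["syn_only"]:
            syns[(p["src"], p["dport"])].append((to_seconds(p["ts"]), p["sport"], p["dst"]))

    findings = []
    for (src, dport), conns in syns.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        times = [c[0] for c in conns]
        sports = [c[1] for c in conns]
        gaps = [b - a for a, b in zip(times, times[1:])]
        findings.append({
            "src": src,
            "dport": dport,
            "count": len(conns),
            "targets": sorted({c[2] for c in conns}),
            "sport_range": (sports[0], sports[-1]),
            "ascending_sports": all(b > a for a, b in zip(sports, sports[1:])),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else 0.0,
        })
    return findings


if __name__ == "__main__":
    for f in find_outbound_probes(SAMPLE_LINES):
        print(f"{f['src']} -> port {f['dport']}: {f['count']} SYNs to {f['targets']}, "
              f"sports {f['sport_range']}, ascending={f['ascending_sports']}, "
              f"mean gap {f['mean_gap_s']}s")
```

Feed it `tcpdump -n` output for the suspect host (for example `tcpdump -n -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` to pre-filter bare SYNs) and it will report the 192.168.0.2 -> 2703 run while ignoring the one-off port 80 connection; a run with ascending source ports and a steady mean gap points at a single periodic process on the source host, which is where to look next (e.g. `sockstat` or `lsof` on FreeBSD while a probe is in flight).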
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E19wavc-000LTN-VI>