From: Randy Bush <randy@psg.com>
Date: Mon, 8 Sep 2003 22:20:36 -0700
To: freebsd-security@freebsd.org
Subject: is one of my hosts a scanner?
List-Id: Security issues [members-only posting]

so i just found that one of my hosts is GENERATING these probe pairs, maybe every minute or two (note the sequence numbers):

    seq my host            victim(s)
    --- ----------------   ---------------
    24) 192.168.0.2:1121 <--> 216.52.3.2:2703
    25) 192.168.0.2:1122 <--> 216.52.3.4:2703
    39) 192.168.0.2:1124 <--> 216.52.3.2:2703
    40) 192.168.0.2:1125 <--> 216.52.3.4:2703
    49) 192.168.0.2:1129 <--> 216.52.3.2:2703
    50) 192.168.0.2:1130 <--> 216.52.3.4:2703
    71) 192.168.0.2:1136 <--> 216.52.3.2:2703
    72) 192.168.0.2:1137 <--> 216.52.3.4:2703
    83) 192.168.0.2:1141 <--> 216.52.3.2:2703
    84) 192.168.0.2:1142 <--> 216.52.3.4:2703

the host in the 1918 space is mine. the gap in the sequential scan is because those ports were otherwise occupied.
a single probe looks like

    21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 (DF)
    21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 (DF)
    21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 (DF)
    21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 (DF)
    21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 (DF)
    21:30:33.027105 216.52.3.2.2703 > 192.168.0.2.1141: . ack 13 win 5792 (DF)
    21:30:33.028032 216.52.3.2.2703 > 192.168.0.2.1141: P 36:90(54) ack 13 win 5792 (DF)
    21:30:33.028724 192.168.0.2.1141 > 216.52.3.2.2703: P 13:25(12) ack 90 win 57920 (DF)
    21:30:33.187272 216.52.3.2.2703 > 192.168.0.2.1141: P 90:141(51) ack 25 win 5792 (DF)
    21:30:33.196247 192.168.0.2.1141 > 216.52.3.2.2703: P 25:30(5) ack 141 win 57920 (DF)
    21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 (DF)

iana says port 2703 is sms-chat. google for "sms-chat protocol" produces two hacker texts in deutsch, which i tried to wade through, but it was a lot of cryptic twisty passages. sms seems to be some sort of microsloth protocol. and, from samba-land docs:

    "The version of netmon that ships with SMS allows for dumping packets
    between any two computers (i.e. placing the network interface in
    promiscuous mode)"

now the host doing the probes

    o is the only one of my hosts doing it
    o is the only one of my hosts running samba, 2.2.8a

no ports are in promiscuous mode, that i can see (i.e. ifconfig could have been hacked).

clues?

randy
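An added example, not part of the post or any reply to it: a small parser for the old-style tcpdump lines quoted above that answers the question the post is really asking, namely which side sent the bare SYN (the one "generating" the connection), how many payload bytes each side pushed, and which side tore the session down with a RST. The input is the single probe exchange from the post, embedded verbatim.

```python
import re

# The one complete probe exchange quoted in the post (classic tcpdump output).
PROBE = """\
21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 (DF)
21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 (DF)
21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 (DF)
21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 (DF)
21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 (DF)
21:30:33.027105 216.52.3.2.2703 > 192.168.0.2.1141: . ack 13 win 5792 (DF)
21:30:33.028032 216.52.3.2.2703 > 192.168.0.2.1141: P 36:90(54) ack 13 win 5792 (DF)
21:30:33.028724 192.168.0.2.1141 > 216.52.3.2.2703: P 13:25(12) ack 90 win 57920 (DF)
21:30:33.187272 216.52.3.2.2703 > 192.168.0.2.1141: P 90:141(51) ack 25 win 5792 (DF)
21:30:33.196247 192.168.0.2.1141 > 216.52.3.2.2703: P 25:30(5) ack 141 win 57920 (DF)
21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 (DF)
"""

# Pre-4.x tcpdump TCP line: time src.port > dst.port: flags [seq:seq(len)] [ack n] win ...
LINE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"([SPRF.]+)(?: \d+:\d+\((\d+)\))?( ack \d+)?")


def summarize(capture):
    """Who opened the connection, payload bytes per direction, and who sent the RST."""
    init, sent, closer = None, {}, None
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _, src, sport, dst, dport, flags, plen, ack = m.groups()
        if "S" in flags and not ack:      # bare SYN (no ack): this side initiated
            init = (src, sport, dst, dport)
        sent[src] = sent.get(src, 0) + int(plen or 0)
        if "R" in flags:                  # RST: this side ended the exchange
            closer = src
    if init is None:
        raise ValueError("no bare SYN seen; capture does not start at the handshake")
    return {"initiator": init[0], "target": f"{init[2]}:{init[3]}",
            "bytes_from_initiator": sent.get(init[0], 0),
            "bytes_from_target": sent.get(init[2], 0), "reset_by": closer}


if __name__ == "__main__":
    print(summarize(PROBE))
```

Run over a longer capture, the same function applied per source port tells you quickly whether the local host is the one opening every session, which is the distinction between a host being scanned and a host doing the scanning.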