What are these?

Kevin Creason

11 Feb 2001 11 Feb '01

04:45

I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently using or listening on those ports. Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51) Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51) Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51) What does it mean that the firewall accepted a syn packet HSE-Kitchener-ppp233156.sympatico.ca? And is the L or the T signify the protocol line? Anyway-- does this correspond to this: (/etc/protocols) ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6 And since I'm not running IPv6, what is the scanner attempting to do me? I've seen this network on my box before. Are they a known bunch of id10t's?

Attachments:

attachment.htm (text/html — 1.7 KB)

Show replies by date

Boris Lorenz

12 Feb 12 Feb

11:37

New subject: [suse-security] What are these?

On 11-Feb-01 Kevin Creason wrote:

...

I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently using or listening on those ports.

Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51) Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51) Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)

What does it mean that the firewall accepted a syn packet HSE-Kitchener-ppp233156.sympatico.ca? And is the L or the T signify the protocol line? Anyway-- does this correspond to this: (/etc/protocols) ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6

And since I'm not running IPv6, what is the scanner attempting to do me? I've seen this network on my box before. Are they a known bunch of id10t's?

Port 1243 is known to be used by trojan horses like BackDoor-G, SubSeven Apocalypse and Tiles. Refer to www.simovits.com for a list of well known trojans and their preferred ports. As these are windows trojans your nodes may not be affected if they all run Linux/Unix, but you would be better off closing these and other ports by implementing decent firewalling, say via the SuSE firewall or some other useable scripts. --- Boris Lorenz System Security Admin *nix - *nux ---

Kevin Creason

23:22

New subject: [suse-security] What are these?

I AM using SuSEFirewal 4.2 on SuSE 6.4 I ran the install... and configured it using YaST. Is there a better way? While we're on the subject, YaST appears to have some problems displaying text and descriptions. I even ran ipchains with these arguments: /sbin/ipchains -A input -p TCP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p UDP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p ICMP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY but apparently these scans are accepted before the new lines. I figured that those lines would break something for sure. What is the syntax to redirect a port-- like 80 to squid's incoming port? ----- Original Message ----- From: "Boris Lorenz" To: "Kevin Creason" Cc: "SuSE Security Mailingliste" Sent: Monday, February 12, 2001 5:37 AM Subject: RE: [suse-security] What are these?

...

On 11-Feb-01 Kevin Creason wrote:

...
I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently

using or

...

...
listening on those ports.

Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51) Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51) Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)

What does it mean that the firewall accepted a syn packet HSE-Kitchener-ppp233156.sympatico.ca? And is the L or the T signify the protocol line? Anyway-- does this correspond to this: (/etc/protocols) ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6

And since I'm not running IPv6, what is the scanner attempting to do me? I've seen this network on my box before. Are they a known bunch of id10t's?

Port 1243 is known to be used by trojan horses like BackDoor-G, SubSeven Apocalypse and Tiles. Refer to www.simovits.com for a list of well known trojans and their preferred ports.

As these are windows trojans your nodes may not be affected if they all run Linux/Unix, but you would be better off closing these and other ports by implementing decent firewalling, say via the SuSE firewall or some other useable scripts.

--- Boris Lorenz System Security Admin *nix - *nux ---

Boris Lorenz

13 Feb 13 Feb

10:20

New subject: [suse-security] What are these?

Hi Kevin, On 12-Feb-01 Kevin Creason wrote:

...

I AM using SuSEFirewal 4.2 on SuSE 6.4 I ran the install... and configured it using YaST. Is there a better way? While we're on the subject, YaST appears to have some problems displaying text and descriptions.

I even ran ipchains with these arguments: /sbin/ipchains -A input -p TCP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p UDP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p ICMP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY but apparently these scans are accepted before the new lines. I figured that those lines would break something for sure.

After booting, do a ipchains -n -L and list all your rules. You may see some input/forward/output chains. If you want to experiment with an empty ipchains ruleset, do ipchains -F, which flushes (deletes) all rules. Then, to achieve a total block, you could do ipchains -P input DENY ipchains -P forward DENY ipchains -P output DENY Likewise, if you want to open up everything, replace DENY with ACCEPT. Also make sure your firewall scripts (SuSE or other) are properly set up. It's best to deny everything and then only let through what is needed (www, ftp, telnet, ssh, etc.).

...

What is the syntax to redirect a port-- like 80 to squid's incoming port?

try this for transparent proxying: ipchains -A input -p tcp -d 127.0.0.1/32 www -j ACCEPT ipchains -A input -p tcp -d your.ip.sub.net/24 www -j ACCEPT ipchains -A input -p tcp -d 0/0 www -j REDIRECT 3128 These lines redirect local and network traffic destined to www (80) to squid's port. Don't forget to include transparent proxying in your kernel. [...] --- Boris Lorenz System Security Admin *nix - *nux ---

Steffen Dettmer

10:50

New subject: [suse-security] What are these?

* Kevin Creason wrote on Mon, Feb 12, 2001 at 17:22 -0600:

...

I even ran ipchains with these arguments: /sbin/ipchains -A input -p TCP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p UDP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p ICMP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY

That allows still a lot (all other IP protocols). Ports make no sense for ICMP. To drop anything you could use: /sbin/ipchains -A input -i ppp0 -l -j DENY But at least for ident/auth I would suggest to use REJECT to avoid long timeouts. You shouldn't block all IMCP types (at least some type 3 - dest unreach - should be allowed, at least if not fragmented).

...

but apparently these scans are accepted before the new lines. I figured that those lines would break something for sure.

If you're really paranoid you could use: /sbin/ipchains -A input $ALLOWED_OPTIONS -i ppp0 -l -j ACCEPT to log allowed packets too, but you will get a lot of logs.

...

What is the syntax to redirect a port-- like 80 to squid's incoming port?

use rindetd or: from man ipasqadm: ipchains -I input -p tcp -y -d yours.com/32 80 -m 1 ipmasqadm mfw -I -m 1 -r hostA 80 (untested) oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.

Peter Wiersig

11:09

New subject: [suse-security] What are these?

Hi, not directly to what Steffen has written, but Steffen Dettmer:

...

* Kevin Creason wrote on Mon, Feb 12, 2001 at 17:22 -0600:

...
I even ran ipchains with these arguments: /sbin/ipchains -A input -p TCP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p UDP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY /sbin/ipchains -A input -p ICMP -d 0.0.0.0./0 0:65535 -i ppp0 -l -j DENY

If you 'A'ppend your rules to your ipchains, the short-circuiting will allow packet which matches any other rule with a lower ipchains number (ipchains -L -v --line-numbers) Try to 'I'nsert (rule number 1) them: (ipchains -I input 1 ...)

...

That allows still a lot (all other IP protocols). Ports make no sense for ICMP. To drop anything you could use:

/sbin/ipchains -A input -i ppp0 -l -j DENY

...

If you're really paranoid you could use: /sbin/ipchains -A input $ALLOWED_OPTIONS -i ppp0 -l -j ACCEPT to log allowed packets too, but you will get a lot of logs.

Same as above. You will not see any logentries for accepted packets. Peter Wiersig

Steffen Dettmer

14 Feb 14 Feb

11:06

New subject: [suse-security] What are these?

* Peter Wiersig wrote on Tue, Feb 13, 2001 at 12:09 +0100:

...

If you 'A'ppend your rules to your ipchains, the short-circuiting will allow packet which matches any other rule with a lower ipchains number (ipchains -L -v --line-numbers)

Try to 'I'nsert (rule number 1) them: (ipchains -I input 1 ...)

Of course it's taken of context here. A setup script needs to remove unwanted entries of course. Insering rules from a script is not always the best, since the order is reversed by that.

...

...
/sbin/ipchains -A input $ALLOWED_OPTIONS -i ppp0 -l -j ACCEPT

Same as above. You will not see any logentries for accepted packets.

You mean: you will not see any logentries for packets accepted by a rule before that, ain't? Of course a rule does nothing if it get not hit :) oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.

8482

Age (days ago)

8485

Last active (days ago)

List overview

Download

6 comments

4 participants

participants (4)

Boris Lorenz
Kevin Creason
Peter Wiersig
Steffen Dettmer

What are these?

Kevin Creason

Boris Lorenz

Kevin Creason

Boris Lorenz

Steffen Dettmer

Peter Wiersig

Steffen Dettmer

tags

participants (4)