
List:       ipcop-user
Subject:    Re: [IPCop-user] Strange Traffic
From:       Andy Green <ipcop () warmcat ! com>
Date:       2003-09-30 8:43:27

On Tuesday 30 September 2003 04:12, Paul Rimmer wrote:
> Hi All,
> 
> I've lately begun to see some strange traffic in my kernel and IDS
> logs.
> 
> (I've edited my IPs and MACs)
> 
> From the Kernel log:
> 
> 17:58:29 kernel martian source MY_WEB_SERVER_IP from 127.0.0.1, on dev eth1
> 17:58:29 kernel ll header: IPCOP_RED_MAC_ADDR:ISP_GATEWAY_MAC_ADDR:08:00
> 
> From the Snort Logs:
> 
> Date: 09/29 17:58:29 Name: BAD TRAFFIC loopback traffic
> Priority: 2 Type: Potentially Bad Traffic
> IP info: 127.0.0.1:80 -> MY_WEB_SERVER_IP:1460
> References: none found SID: 528
> 
> I see lots of these trying to hit my 2 web servers that I have
> running. Hundreds of them every day.  The packets seem to pick
> random ports above 1024 and below 2000.  Any ideas?

I'm getting this too, not in Snort but in my firewall logs.  The port 
pattern is as you describe (here are some from a single IP):

1316,1600,1760,1861,1357,1172,1820,1600,1760,1101,1861,1357,1172,1673,1643,1984,1295,1380,1253,1555,1819,1238,1998,1135,1182,1678,1438,1707
1250,1931,1978,1474,1289,1545,1688,1448,1712,1789,1100,1356,1369,1625,1571,1983,1484,1244,1366,1018,1778,1635,1279,1249,1893,1262,1518,1906
1162,1876,1431,1376,1632

Here is the firewall log for the first few:

Sep 26 17:37:49 ipcop kernel: INPUT IN=eth1 OUT=
MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196
DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=2998 PROTO=TCP
SPT=1025 DPT=1316 WINDOW=0 RES=0x00 ACK RST URGP=113
Sep 26 18:50:24 ipcop kernel: INPUT IN=eth1 OUT=
MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196
DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=10791
PROTO=TCP SPT=1025 DPT=1600 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 26 19:36:32 ipcop kernel: INPUT IN=eth1 OUT=
MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196
DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=884 PROTO=TCP
SPT=1025 DPT=1760 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 26 19:47:22 ipcop kernel: INPUT IN=eth1 OUT=
MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196
DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=48570
PROTO=TCP SPT=1025 DPT=1861 WINDOW=0 RES=0x00 ACK RST URGP=0

Since the source is also on NTL I sent an email to abuse@ntlworld.com 
asking them to inform the guy he is infected with something.  The 
source port is always 1025 even though the guy turns his machine off 
overnight (as seen from the attacks resuming in the morning); on 
reboot it's still 1025 next time, so it must be starting itself up on 
boot.

If NTL are dropping the "martian" packets, maybe if you look in your 
logs you'll see similar noise.

-Andy
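Added example (not from the thread, not IPCop's own code): a small Python script that parses iptables LOG lines in the format Andy quoted, reports loopback sources arriving on the external interface (the condition the kernel's "martian source" message is about) and groups payload-less ACK/RST packets by source and source port, so a fixed SPT=1025 hammering ephemeral destination ports stands out. The sample log is constructed: the four entries quoted above re-joined onto one line each, plus a normal SYN from the documentation address 192.0.2.10 and a loopback-sourced packet modelled on Paul's Snort alert.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the four quoted entries on one line each, plus one normal
# SYN (192.0.2.10, documentation range) and one loopback-sourced ACK/RST line.
SAMPLE_LOG = """\
Sep 26 17:37:49 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196 DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=2998 PROTO=TCP SPT=1025 DPT=1316 WINDOW=0 RES=0x00 ACK RST URGP=113
Sep 26 18:50:24 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196 DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=10791 PROTO=TCP SPT=1025 DPT=1600 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 26 19:36:32 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196 DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=884 PROTO=TCP SPT=1025 DPT=1760 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 26 19:47:22 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=81.107.157.196 DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=48570 PROTO=TCP SPT=1025 DPT=1861 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 26 19:50:01 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=192.0.2.10 DST=81.107.101.77 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 26 19:51:13 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:40:f4:66:fd:56:00:0a:42:69:f8:a8:08:00 SRC=127.0.0.1 DST=81.107.101.77 LEN=40 TOS=0x00 PREC=0x00 TTL=121 ID=9 PROTO=TCP SPT=80 DPT=1460 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_line(line):
    """One iptables LOG line -> dict of KEY=value fields plus a FLAGS set."""
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def martian_sources(log_text):
    """(SRC, IN) pairs whose source is loopback: impossible on a real interface."""
    bad = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" in f and ipaddress.ip_address(f["SRC"]).is_loopback:
            bad.add((f["SRC"], f.get("IN", "")))
    return bad

def find_reset_noise(log_text, min_hits=3):
    """Group payload-less ACK/RST packets (LEN=40, WINDOW=0) by (SRC, SPT);
    returns {(src, spt): sorted ephemeral dports} for sources seen >= min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f["FLAGS"] != {"ACK", "RST"}:
            continue
        if f.get("WINDOW") != "0" or f.get("LEN") != "40":
            continue
        dpt = int(f["DPT"])
        if 1024 <= dpt < 2000:
            hits[(f["SRC"], int(f["SPT"]))].append(dpt)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_hits}
```

Run `find_reset_noise` over `/var/log/messages` lines containing `kernel: INPUT` and the single-source, single-port cluster in the thread is reported as one entry with its list of destination ports.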
_______________________________________________
IPCop-user mailing list
IPCop-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipcop-user