
List:       openbsd-misc
Subject:    Re: Ports advice...
From:       "Jett Tayer" <jett () sycorax ! ath ! cx>
Date:       2003-01-31 5:49:22

Are you running an AOL client or something?


----- Original Message -----
From: "tom" <tmarinis99@netscape.net>
To: <misc@openbsd.org>
Sent: Thursday, January 30, 2003 9:44 AM
Subject: Ports advice...


> Greets List;  Forgive my ignorance.
>
>
> I'm getting some really weird port probes here on my
> home-made firewall lately.  I'm stumped because I'm
> unaware of what exactly my attacker is looking for.
>
>
> I've seen a sudden bump of traffic consistently probing
> random unassigned port locations before, so I am wondering
> if there is a new vulnerability out there, or if this is a
> simple nmap probe, or more likely someone with a misconfigured
> service?
>
>
> The port numbers being consistently attacked are:
>
> 1101, 3059, 16692, 22954, 29169, 38891, 60380, 62353.
>
>
> Under http://www.iana.org/assignments/port-numbers
> for the list date of Jan 17th 2003 I have read that the
> ports are listed in this manner;
>
> 1101 is listed as a PT2-DISCOVER.
> [ I don't have a clue as to what this service is at all ]
>
> 3509 is listed as qsoft ( I'm guessing a misconfigured
> server/game/product/software which I'm assuming is manufactured
> by qsoft, I'm not going to worry about this one ).
>
> but 16692, 22954, 29169, 38891, 60380 are listed as unassigned.
> [ WTF ???? ]
>
> The IPs attacking me are 64.12.137.1-56 inclusive.  I'm wondering
> now if they are spoofed or not.
>
> Searching ARIN, the whois gave me 64.12.X.X  AOL as the owner.
>
> The attacks start on a regular basis, from 10:00am PST
> until 1:00pm PST, then starts again at 8:00pm to 3-4 am.
>
> They started last month, the 22nd of December,
> just before Christmas 2002.  They last for a few hours.
>
> Looking over some CERT alerts, nothing listed that
> I have read so far reaches the above-mentioned ports.
>
> Has anyone else seen attacks on these ports anywhere
> lately, or is there some new service that I should be
> aware of that I haven't locked down?
>
> ===
>
> The firewall I'm running is a simple border type, an
> Intel Pentium 586, 48 megs RAM, 2 NICs, and a wee
> 3 GB hard drive, install date August 27th 2001.
>
> I run a DHCP client to obtain an IP from the ISP on one NIC,
> and a DHCP server for the clients for internet
> connectivity on the second NIC, and no other services
> provided.
>
> The firewall has the local sendmail, but no ssh,
> no serial comm software like tip [ removed ],
> there is no X [period, libs removed], no ppp [removed],
> no http services [ removed ].
>
> I have also removed the gcc compiler among other things, as
> well as ftp, lynx, most of the bin utils, almost
> everything, except the packet filter, nmap, and tripwire.
>
> No holes in firewall to the internet for connections made
> to the internal services of the network.
>
> The clients use the firewall for simple web browsing and
> ftp services, period.  There are no http services running
> inside the network.
>
> E-Mail is provided to me via smtp OUTSIDE my network, which
> the firewall sends a reset upon sending an identd inquiry.
> Or I use Netscape mail sometimes, like I'm doing now.
>
> Everything else is either blocked, logged, and then dropped.
>
>
> Sample log:
>
> Jan 29 09:19:25.221984 REDDWARF              rl1 @0:82b
> 64.12.137.8,5006 -> 207.6.233.24,29169 PR udp len 20 78 IN
> Jan 29 09:19:25.888960 REDDWARF              rl1 @0:14b
> 64.12.137.5,64904 -> 207.6.233.24,22954 PR tcp 20 60 -S IN
>
> [ Goes on for several thousand lines for over a few minutes. ]
>
>
> Is there something I should be looking for in particular?
>
>
>
> ---tm---
> Linux Registration Number; 184093,
> http://counter.li.org
>
>
>
>
> __________________________________________________________________
> The NEW Netscape 7.0 browser is now available. Upgrade now!
> http://channels.netscape.com/ns/browsers/download.jsp
>
> Get your own FREE, personal Netscape Mail account today at
> http://webmail.netscape.com/
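As an added example (not from either poster): a small Python script that parses the wrapped ipmon-style log lines quoted above, aggregates hits per source host and per /24, and flags the sources that touch several of the listed ports. The two quoted records are kept verbatim; the remaining records in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped ipmon-style format from the post:
# each record spans two lines (timestamp/host/interface/rule, then the flow).
# The first two records are the ones quoted in the post; the rest are made up.
SAMPLE_LOG = """\
Jan 29 09:19:25.221984 REDDWARF              rl1 @0:82b
64.12.137.8,5006 -> 207.6.233.24,29169 PR udp len 20 78 IN
Jan 29 09:19:25.888960 REDDWARF              rl1 @0:14b
64.12.137.5,64904 -> 207.6.233.24,22954 PR tcp 20 60 -S IN
Jan 29 09:19:26.104211 REDDWARF              rl1 @0:14b
64.12.137.5,64905 -> 207.6.233.24,16692 PR tcp 20 60 -S IN
Jan 29 09:19:26.455009 REDDWARF              rl1 @0:82b
64.12.137.8,5006 -> 207.6.233.24,38891 PR udp len 20 78 IN
Jan 29 09:20:01.000000 REDDWARF              rl1 @0:14b
198.51.100.7,40000 -> 207.6.233.24,80 PR tcp 20 60 -S IN
"""

# The \s+ after the rule id absorbs the line wrap between the two halves.
RECORD = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ (?P<host>\S+) +(?P<ifname>\S+) @(?P<rule>\S+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

# The port set from the post (the poster writes 3509 once; 3059 is used here).
WATCHED = {1101, 3059, 16692, 22954, 29169, 38891, 60380, 62353}

def parse_ipmon(text):
    """Yield one dict per record, tolerating the two-line wrapping."""
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        yield rec

def summarize(text):
    """Per source host: hit count, distinct destination ports, protocols and rule ids."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set(), "protos": set(), "rules": set()})
    for rec in parse_ipmon(text):
        s = by_src[rec["src"]]
        s["hits"] += 1
        s["dports"].add(rec["dport"])
        s["protos"].add(rec["proto"])
        s["rules"].add(rec["rule"])
    return dict(by_src)

def suspicious_sources(summary, watched_ports, min_distinct=2):
    """Sources that hit at least min_distinct of the watched ports."""
    return sorted(src for src, s in summary.items()
                  if len(s["dports"] & watched_ports) >= min_distinct)

def by_prefix(summary):
    """Collapse sources to /24 so a whole block (e.g. 64.12.137.0/24) stands out."""
    out = defaultdict(int)
    for src, s in summary.items():
        out[src.rsplit(".", 1)[0] + ".0/24"] += s["hits"]
    return dict(out)
```

Feed it the real ipmon output instead of SAMPLE_LOG to see whether the hits really cluster in one block and on the same odd port set, which is what separates a coordinated scan from a single misconfigured host.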
