Moe Trin wrote:
> On Sun, 08 Jan 2006, in the Usenet newsgroup comp.os.linux.security, in
> article <43c0af3d$0$9291$(E-Mail Removed)>, Jesus M. Salvo
> Jr. wrote:
>
> [Followups set - please don't multipost]
>
>>I have been seeing in my logs dropped packets for destination port 13851
>>for quite awhile now. I could not find anything about tcp port 13581
>>though.
>
> There is no requirement for any service to be restricted to one specific
> port number. Ports above 1024 are in 'user-land' meaning that any user
> can create a server there (as opposed to below 1025, which requires root
> permission). Further, I've yet to see any mal-ware author register their
> use of a port with IANA. Bottom line - port 13581 can be used by anyone
> for any reason.
>
>>The only thing that I can find about 13581 is this:
>>
>>ÂÂ* ÂÂ* ÂÂ* ÂÂ* http://fun-hack.de/jatter/dist/jatter_0012/main.cfg
>
> That seems to be an old 'chat' client.
>
>>What also worries me is that logwatch shows me the following dropped
>>packets ... all form China:
>
> The log is pretty much useless. There is no times - no source/destination
> port numbers - no indication what those packets may be (flags would be
> particularly interesting).
>
> That said, I notice that this is every host in the 211.93.109.128/27.
> Are you sure there is nothing on your system that is initiating the
> contact to this block? The Chinese whois server is also useless, and
> APNIC only identifies the /15 as China United Telecommunications Corp.
> Likewise, the Chinese haven't figured out how to configure a DNS server,
> and none of these addresses resolve to a name.
>
> Run a packet sniffer like tcpdump or ethereal, and capture several of
> these packets. Look to see what is inside.
>
> Old guy
Note that this log is from a gateway connected via ADSL with a static IP.
x.x.x.x here is our IP. Here are some of the dropped SYN packets that were logged:
Jan 6 16:50:28 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.147 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=52819 DF PROTO=TCP SPT=64034 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 16:50:31 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.147 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=52871 DF PROTO=TCP SPT=64034 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 17:17:11 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.155 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=46838 DF PROTO=TCP SPT=62657 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 17:43:46 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.130 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=40285 DF PROTO=TCP SPT=63510 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 17:43:49 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.130 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=40326 DF PROTO=TCP SPT=63510 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 18:10:42 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.133 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=34191 DF PROTO=TCP SPT=62456 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 18:10:51 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.133 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=34456 DF PROTO=TCP SPT=62456 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 18:37:35 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.152 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=28697 DF PROTO=TCP SPT=63476 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 18:37:38 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.152 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=28750 DF PROTO=TCP SPT=63476 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 18:37:44 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.152 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=28958 DF PROTO=TCP SPT=63476 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 19:04:27 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.133 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=22791 DF PROTO=TCP SPT=62684 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 19:31:28 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.133 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=16644 DF PROTO=TCP SPT=63468 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 19:31:31 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.133 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=16689 DF PROTO=TCP SPT=63468 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 19:31:37 gateway kernel: IN=ppp0 OUT= MAC= SRC=211.93.109.133 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=16894 DF PROTO=TCP SPT=63468 DPT=13581 WINDOW=65535 RES=0x00 SYN URGP=0
What I further noticed that iptables were dropping RST packets from the same set of source IPs ...
but to a different destination IP y.y.y.y. ( one that is not ours ) that is owned by another network:
Jan 6 14:27:34 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.159 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=63208 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 14:37:11 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.151 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=64145 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 16:56:21 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.136 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=63951 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 17:50:02 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.134 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=62876 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 18:00:38 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.150 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=63181 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 18:28:03 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.150 DST=y.y.y.y LEN=62 TOS=0x00 PREC=0x00 TTL=21 ID=0 DF PROTO=TCP SPT=63659 DPT=13581 WINDOW=15760 RES=0x00 ACK PSH RST URGP=0
Jan 6 18:29:32 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.150 DST=y.y.y.y LEN=62 TOS=0x00 PREC=0x00 TTL=21 ID=0 DF PROTO=TCP SPT=63659 DPT=13581 WINDOW=15760 RES=0x00 ACK PSH RST URGP=0
Jan 6 18:31:09 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.150 DST=y.y.y.y LEN=62 TOS=0x00 PREC=0x00 TTL=21 ID=0 DF PROTO=TCP SPT=63659 DPT=13581 WINDOW=15760 RES=0x00 ACK PSH RST URGP=0
Jan 6 18:51:58 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.140 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=63452 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 19:00:16 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.142 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=63924 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 19:22:47 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.157 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=62713 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Jan 6 19:48:36 gateway kernel: IN=ppp0 OUT=ppp0 SRC=211.93.109.147 DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=62869 DPT=13581 WINDOW=0 RES=0x00 RST URGP=0
Similar Threads
Linear Mode
