From owner-freebsd-questions Wed Feb 13 4: 3:18 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail7.carolina.rr.com (fe7.southeast.rr.com [24.93.67.54]) by hub.freebsd.org (Postfix) with ESMTP id 11E9737B41A for ; Wed, 13 Feb 2002 04:03:00 -0800 (PST)
Received: from snafu.enterit.com ([66.57.159.198]) by mail7.carolina.rr.com with Microsoft SMTPSVC(5.5.1877.687.68); Wed, 13 Feb 2002 00:58:23 -0500
Message-Id: <5.1.0.14.0.20020213011306.0340ce68@mail.enterit.com>
X-Sender: jconner@enterit.com@mail.enterit.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 13 Feb 2002 01:22:25 -0500
To: "James Green"
From: Jim Conner
Subject: RE: Am I being hacked?! Strange connection attempts
Cc:
In-Reply-To:
References: <20020212170133.3bf6d5c9.johann@broadpark.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

At 16:27 02.12.2002 +0000, James Green wrote:
> > During the last few weeks (months?) I've been getting a few
> > thousand of these into /var/log/messages:
> >
> > Feb 12 14:37:36 ninja ftpd[4697]: FTP LOGIN FAILED FROM
> > mp-217-217-113.daxnet.no, johann
>
> Someone is trying to connect to your ftp service and is being denied
> access.
>
> > And today, I've been getting about a few hundred of these
> > (although all on different ports):
> >
> > Feb 12 14:56:16 ninja /kernel: Connection attempt to TCP
> > 10.0.0.2:1433 from 61.153.3.67:2230
>
> 10.0.0.* is I think a private IP space for local LANs. Dunno about that.
>
> > Exactly what is going on?
>
> Well someone is probably portscanning your machine, finding interesting open
> ports like ftp and attempting to connect to them. You can log this sort of
> activity, check freshmeat.net for software and lots of sites for security
> advice.

Ok. Yup, James, you are right.
10.* is a private IP address block. Therefore, the fact that there is a connect attempt on port 1433 from a real IP address to an internal address could be hokey if... *if* J.S. is NOT forwarding the ports or has this machine in his DMZ or something. If he has it blocked, however (or not in the DMZ), then this, to me, looks like someone is port-scanning and they are taking advantage of J.S.'s stateless firewall. They are probably using a syn+ack scan or something. This kind of scan, IIRC, is capable of fooling the firewall into thinking that the inside host made a request to the outside world and therefore the fw happily passes the packets along. The victim machine should just send a tcp 'rst' (reset) when encountering these kinds of packets, since it didn't actually request anything from the attacker machine. This tcp 'rst' is what gives the attacker the knowledge that the victim is there and is listening on that port. If the port isn't open on the victim host the host simply doesn't answer. This is a very effective type of scan and is quite easy to manipulate using a tool like nmap. I believe I got that right (going from memory from my GIAC training). OTOH, I could be totally off, but at first glance and without doing a whole lot more investigating, this would be my first guess.

Anyone else?

- Jim

> James Green
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

- Jim
Philosophy is for those who have nothing better to do than wonder why philosophy is for those who have nothing better to do than...
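A defender-side check, added here as an example and not part of the thread: it parses the two kinds of /var/log/messages lines quoted above (ftpd login failures and the kernel's "Connection attempt to TCP" log) and flags a source that probes several distinct ports or repeatedly fails FTP logins. The sample lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# The two /var/log/messages formats quoted in the thread: ftpd login
# failures and the FreeBSD kernel's "Connection attempt to TCP" log.
FTP_FAIL = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<src>\S+), (?P<user>\S+)$")
CONN_ATTEMPT = re.compile(r"/kernel: Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+)"
                          r" from (?P<src>[\d.]+):(?P<sport>\d+)$")

def parse_events(lines):
    """Yield ('ftp_fail', src, user) or ('conn', src, dport) for each recognised line."""
    for line in lines:
        m = FTP_FAIL.search(line)
        if m:
            yield "ftp_fail", m.group("src"), m.group("user")
            continue
        m = CONN_ATTEMPT.search(line)
        if m:
            yield "conn", m.group("src"), int(m.group("dport"))

def summarize(lines, sweep_ports=3, fail_threshold=3):
    """Per-source findings: a 'sweep' when one source hits >= sweep_ports distinct
    ports, 'brute force' when one source fails >= fail_threshold FTP logins (assumed thresholds)."""
    ports, fails = defaultdict(set), defaultdict(int)
    for kind, src, detail in parse_events(lines):
        if kind == "conn":
            ports[src].add(detail)
        else:
            fails[src] += 1
    findings = {}
    for src, p in ports.items():
        if len(p) >= sweep_ports:
            findings[src] = "port sweep: %d distinct ports %s" % (len(p), sorted(p))
    for src, n in fails.items():
        if n >= fail_threshold:
            findings[src] = "ftp brute force: %d failed logins" % n
    return findings

# Constructed sample lines in the same shape as those quoted in the thread.
SAMPLE = """\
Feb 12 14:37:36 ninja ftpd[4697]: FTP LOGIN FAILED FROM mp-217-217-113.daxnet.no, johann
Feb 12 14:37:40 ninja ftpd[4698]: FTP LOGIN FAILED FROM mp-217-217-113.daxnet.no, johann
Feb 12 14:37:44 ninja ftpd[4699]: FTP LOGIN FAILED FROM mp-217-217-113.daxnet.no, root
Feb 12 14:56:16 ninja /kernel: Connection attempt to TCP 10.0.0.2:1433 from 61.153.3.67:2230
Feb 12 14:56:17 ninja /kernel: Connection attempt to TCP 10.0.0.2:21 from 61.153.3.67:2231
Feb 12 14:56:18 ninja /kernel: Connection attempt to TCP 10.0.0.2:80 from 61.153.3.67:2232
Feb 12 15:01:02 ninja /kernel: Connection attempt to TCP 10.0.0.2:113 from 192.0.2.10:4000
""".splitlines()
```

Calling `summarize(SAMPLE)` flags the FTP source and the three-port sweep from 61.153.3.67 while the single-port source 192.0.2.10 stays below threshold; point `parse_events` at a real file's lines to run it over a live log.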