This is a discussion on "new scan pattern?" within the Linux Security forums, part of the System Security and Security Related category.
For the past couple of days I've been seeing a surge in scans like the one
below. Does anybody have any info on this?

24.11.3.148 3127
24.11.3.148 2745
24.11.3.148 80
24.11.3.148 6129
24.11.3.148 1025
24.11.3.148 3127
24.11.3.148 2745
24.11.3.148 80
24.11.3.148 6129
24.11.3.148 1025
24.11.3.148 80
24.11.3.148 6129
24.11.3.148 3127
24.11.3.148 1025
On Thu, 16 Sep 2004 10:44:57 -0400, Amadeus W.M. wrote:
> For the past couple of days I've been seeing a surge in scans like the one
> below. Does anybody have any info on this?

You want trends and port info: http://www.dshield.org/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Amadeus W.M. regaled us with the following:
> For the past couple of days I've been seeing a surge in scans like the one
> below. Does anybody have any info on this?
>
> 24.11.3.148 3127
> 24.11.3.148 2745
> 24.11.3.148 80
> 24.11.3.148 6129
> 24.11.3.148 1025
> 24.11.3.148 3127
> 24.11.3.148 2745
> 24.11.3.148 80
> 24.11.3.148 6129
> 24.11.3.148 1025
> 24.11.3.148 80
> 24.11.3.148 6129
> 24.11.3.148 3127
> 24.11.3.148 1025

I have no good info on this but thought I might mention that the repetition
of port numbers suggests "port knocking"...

- --
Skorpion [skorpion at suespammers dot org]
"Don't attribute to malice that which can be adequately explained by stupidity."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBShiVcTBCVvf50kkRAtqGAKCRktJf+AmHybAXvO5SNm BwU5ks2wCgwmiP Sz0asiwih6ILPm4lLdKDAJo=
=NEr4
-----END PGP SIGNATURE-----
Skorpion wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Amadeus W.M. regaled us with the following:
>
>> For the past couple of days I've been seeing a surge in scans like the one
>> below. Does anybody have any info on this?
>>
>> 24.11.3.148 3127
>> 24.11.3.148 2745
>> 24.11.3.148 80
>> 24.11.3.148 6129
>> 24.11.3.148 1025
>> 24.11.3.148 3127
>> 24.11.3.148 2745
>> 24.11.3.148 80
>> 24.11.3.148 6129
>> 24.11.3.148 1025
>> 24.11.3.148 80
>> 24.11.3.148 6129
>> 24.11.3.148 3127
>> 24.11.3.148 1025
>
> I have no good info on this but thought I might mention that the repetition
> of port numbers suggests "port knocking"...

Yes, looks like it. More info about portknocking can be found here:
http://www.portknocking.org/
On Fri, 17 Sep 2004 09:27:31 +0200, ard wrote:
> Skorpion wrote:
>> [quoted text muted]
>
> Yes, looks like it. More info about portknocking can be found here.
> http://www.portknocking.org/

That's interesting, so that means I don't have to keep open my ssh port all
the time, for the rare occasions when I have to access my home computer
remotely. I could knock on my firewall. Cool!
On 2004-09-16, Amadeus W.M. <amadeus84@sbcglobal.net> wrote:
> For the past couple of days I've been seeing a surge in scans like the one
> below. Does anybody have any info on this?
>
> 24.11.3.148 3127
> 24.11.3.148 2745
> 24.11.3.148 80
> 24.11.3.148 6129
> 24.11.3.148 1025
> 24.11.3.148 3127
> 24.11.3.148 2745
> 24.11.3.148 80
> 24.11.3.148 6129
> 24.11.3.148 1025
> 24.11.3.148 80
> 24.11.3.148 6129
> 24.11.3.148 3127
> 24.11.3.148 1025

Windows stuff. Phatbot/Agobot or one of its relatives.

3127 : mydoom backdoor - allows executable uploads to system, source code available
2745 : beagle backdoor - ftp backdoor (w/auth), allows uploads of exe to systems. Source code available
6129 : dameware exploit - probably the same thing, I believe shell is possible, source code published
1025 : I saw an exploit for this too, maybe uPnP? I forget this one though...
80 : niisdll.log, unicode, CodeRed 1/2. M$ IIS, most vuln. httpd on the planet, shell, allows exe on system. Source code for this is all over.

Also you'll see 445, 139, 9898, 5554 in pairs.

These are all ways to get code to execute on a Windows system, all widely known (except the beagle/Bagle one, I just found the auth string for that recently).

The port 3127 client (client.exe) source code comes in the source code dropped by one of the mydoom viruses, and cross-compiles fine with mingw32 on a linux system and will run under Wine as well.....so I've heard ;)

Code for these comes as "scanners", as they are called, and compiles to be included in the Bot that is doing this. When a new "scanner" comes out, a new version is made, and it can spread in that way as well. You can see this in the Agobot and Phatbot source code, C files for each port/exploit above.

Many systems that you see probing like this, you can hit their port 113, auth. 9 out of 10 times it'll come back with a UNIX id and a random string of letters for the userid - Identd for IRC, since these are IRC controlled bots.

There are a lot of infected machines on my ISP's subnet that I'm on, and I see so much of this I don't even log it anymore, just drop the packets:

# nc -v -n 218.190.73.211 113
(UNKNOWN) [218.190.73.211] 113 (auth) open
: USERID : UNIX : qqfqddny

If this was portknocking, you wouldn't see only ports with Windows exploits, you'd see others too. The machine is more than likely an infected Windows machine now probing you, trying to infect you as well (if you were running Windows). These things spread very quickly, and whole subnets become infected zombies of Windows machines.

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
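As an added example that is not part of the thread or any poster's code, here is a small Python classifier that reads firewall log lines in the "src_ip dst_port" shape of the original post and flags sources whose probed ports match the Windows backdoor/exploit port list given in the reply above. The port-to-name mapping is taken from that reply; the log text is constructed (the 24.11.3.148 lines are the original post's, the 192.0.2.7 lines and the malformed line are made up), and the MIN_KNOWN threshold and the "revisits a listed port" rule are my own assumptions about what separates a cycling bot scanner from a one-off knock.

```python
# Added example, not from the thread. Flags log sources whose probe pattern
# matches the Windows-backdoor port list given in the reply above.
from collections import Counter, defaultdict

# Port -> label, as listed in the reply (names kept as the poster gave them).
BOT_SCANNER_PORTS = {
    3127: "mydoom backdoor",
    2745: "beagle/Bagle backdoor",
    6129: "dameware exploit",
    1025: "unknown exploit (poster guessed uPnP)",
    80: "IIS (CodeRed/unicode)",
}
# Ports the reply says also show up, in pairs.
PAIRED_PORTS = {445, 139, 9898, 5554}

# Assumption (mine, not the poster's): a source is a bot-style scanner if it
# hits at least MIN_KNOWN distinct listed ports and revisits at least one of
# them, since cycling through the same exploit list is what the reply describes.
MIN_KNOWN = 3

# Constructed log. The first 14 lines are the original post's list; the
# 192.0.2.7 lines and the malformed line are made up for the example.
CONSTRUCTED_LOG = """\
24.11.3.148 3127
24.11.3.148 2745
24.11.3.148 80
24.11.3.148 6129
24.11.3.148 1025
24.11.3.148 3127
24.11.3.148 2745
24.11.3.148 80
24.11.3.148 6129
24.11.3.148 1025
24.11.3.148 80
24.11.3.148 6129
24.11.3.148 3127
24.11.3.148 1025
192.0.2.7 7000
192.0.2.7 8000
192.0.2.7 9000
this line is garbage
"""


def parse_probes(text):
    """Return [(src_ip, dst_port), ...], skipping lines that are not 'ip port'."""
    probes = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        port = int(parts[1])
        if 0 < port < 65536:
            probes.append((parts[0], port))
    return probes


def summarize(text):
    """Per-source summary: port hit counts, matched exploit labels, and a verdict."""
    by_src = defaultdict(Counter)
    for src, port in parse_probes(text):
        by_src[src][port] += 1

    summary = {}
    for src, hits in by_src.items():
        known = sorted(p for p in hits if p in BOT_SCANNER_PORTS)
        paired = sorted(p for p in hits if p in PAIRED_PORTS)
        revisited = any(c > 1 for p, c in hits.items() if p in BOT_SCANNER_PORTS)
        verdict = "bot-scanner" if len(known) >= MIN_KNOWN and revisited else "unclassified"
        summary[src] = {
            "hits": hits,
            "matched": [f"{p} ({BOT_SCANNER_PORTS[p]})" for p in known],
            "paired_ports_seen": paired,
            "verdict": verdict,
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize(CONSTRUCTED_LOG).items():
        print(src, info["verdict"], ", ".join(info["matched"]) or "-")
```

Run as a script it prints one line per source; `summarize()` is the piece to wire into a log pipeline, and the port table is the part to keep current, since the value of the heuristic is entirely in that list.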
In article <pan.2004.09.18.00.28.36.962443@sbcglobal.net>, Amadeus W.M. wrote:
> On Fri, 17 Sep 2004 09:27:31 +0200, ard wrote:
>
>> Skorpion wrote:
>> Yes, looks like it. More info about portknocking can be found here.
>> http://www.portknocking.org/
>
> That's interesting, so that means I don't have to keep open my ssh port
> all the time, for the rare occasions when I have to access my home
> computer remotely. I could knock on my firewall. Cool!

There are lots of different systems for doing that sort of thing:

http://www.tldp.org/LDP/LGNET/issue99/ingles.html

Note that most implementations of port knocking I've seen have been vulnerable to replay attacks; if someone's watching the network traffic, they can potentially capture the knock sequence and use it later. Some systems try to prevent this by permuting the sequence or including a variable payload.

But there's a reliability issue. One thing not often noted about port knocking systems is that, to avoid waiting for TCP timeouts and such, they tend to use UDP... but the order of packets, and indeed their delivery at all, is *not* guaranteed for UDP. Congested routers frequently just drop UDP packets on the floor.

So, the more complicated the knock sequence, the less reliable the system will be. But if that's the way you want to go...

http://www.l0t3k.org/security/tools/portknocking/

--
Sincerely,
Ray Ingles (313) 227-2317
"...those who scare peace-loving people with phantoms of lost liberty; my message is this: Your tactics only aid terrorists..." - John Ashcroft
"John Ashcroft scares *me* with notions of lost liberties." - Me
Ray Ingles wrote:
> In article <pan.2004.09.18.00.28.36.962443@sbcglobal.net>, Amadeus W.M. wrote:
>
>> On Fri, 17 Sep 2004 09:27:31 +0200, ard wrote:
>>
>>> Skorpion wrote:
>>> Yes, looks like it. More info about portknocking can be found here.
>>> http://www.portknocking.org/
>>
>> That's interesting, so that means I don't have to keep open my ssh port
>> all the time, for the rare occasions when I have to access my home
>> computer remotely. I could knock on my firewall. Cool!
> ....
>
> Note that most implementations of port knocking I've seen have been
> vulnerable to replay attacks; if someone's watching the network traffic,
> they can potentially capture the knock sequence and use it later. Some
> systems try to prevent this by permuting the sequence or including a
> variable payload.
>
> But there's a reliability issue. One thing not often noted about port
> knocking systems is that, to avoid waiting for TCP timeouts and such,
> they tend to use UDP... but the order of packets, and indeed their
> delivery at all, is *not* guaranteed for UDP. Congested routers
> frequently just drop UDP packets on the floor.
>
> So, the more complicated the knock sequence, the less reliable the
> system will be.
...

Port knocking has been pretty thoroughly discredited. Two arguments convinced me to avoid it:

- A sequence of ports is really just a sequence of integers, making it really just a key - but a key sent in the clear with no cryptographic motivation for its value. Better just to call a key a key, without the rococo fooferol involved in port knocking.

- "Security through obscurity" is ineffective against real, intentional attacks. It violates the basic precepts of security - namely that everything but the key should be public and transparent. At best, techniques of obfuscation like port knocking reduce one's security by conferring an unfounded confidence.
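As an added example serving both Ray Ingles's post (replay and UDP reordering) and the final post (a knock sequence is just a key sent in the clear), and not code from the thread or from any real knock daemon, the following Python models a classic in-order knock verifier next to a single-datagram variant that carries a counter and an HMAC over it under a shared secret. The static verifier opens for anyone who replays the observed ports and fails when two packets swap order; the HMAC variant rejects a replayed datagram because its counter is no longer fresh. The class names, the port sequence, the addresses and the shared secret are all constructed for this example.

```python
# Added example, not from the thread. Models a static port-knock sequence as
# a key sent in the clear (replayable, order-sensitive) next to a one-time,
# HMAC-authenticated knock that rejects replays. All names and secrets here
# are constructed for illustration; no real knock daemon is modelled.
import hashlib
import hmac
import struct

PORT_BITS = 16  # a TCP/UDP port number is a 16-bit integer


def knock_key_bits(sequence):
    """Upper bound on the key material a knock sequence carries: 16 bits per
    port, all transmitted in the clear (the 'just a key' point above)."""
    return len(sequence) * PORT_BITS


class StaticKnockVerifier:
    """Classic knock daemon model: per source, track how much of the secret
    port order has been seen; once the whole sequence is seen, 'open' (True)."""

    def __init__(self, sequence):
        self.sequence = list(sequence)
        self.progress = {}  # src -> index of the next expected port

    def observe(self, src, port):
        idx = self.progress.get(src, 0)
        if port == self.sequence[idx]:
            idx += 1
        else:  # wrong port: restart, crediting a fresh first knock if it is one
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress[src] = 0
            return True
        self.progress[src] = idx
        return False


def make_one_time_knock(key, counter):
    """Client side: 8-byte big-endian counter followed by HMAC-SHA256(key, counter)."""
    body = struct.pack(">Q", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class OneTimeKnockVerifier:
    """Single-datagram knock: valid only if the MAC checks and the counter is
    strictly greater than the last accepted one, so a captured datagram cannot
    be reused and a stale or reordered one is simply ignored."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def observe(self, datagram):
        if len(datagram) != 8 + 32:
            return False
        body, tag = datagram[:8], datagram[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        counter = struct.unpack(">Q", body)[0]
        if counter <= self.last_counter:
            return False  # replay, or an old knock arriving late
        self.last_counter = counter
        return True


SEQUENCE = [7000, 8000, 9000]  # constructed secret knock
SHARED_KEY = b"constructed-shared-secret"  # constructed; never hard-code a real one


def demo_static_replay():
    """Legitimate knock opens; an observer replaying the same ports from another
    address opens too. Returns (legit_opened, replay_opened)."""
    v = StaticKnockVerifier(SEQUENCE)
    legit = [v.observe("203.0.113.10", p) for p in SEQUENCE][-1]
    replay = [v.observe("198.51.100.99", p) for p in SEQUENCE][-1]
    return legit, replay


def demo_static_reorder():
    """Same ports, two of them swapped in transit (UDP reordering): no open."""
    v = StaticKnockVerifier(SEQUENCE)
    reordered = [SEQUENCE[0], SEQUENCE[2], SEQUENCE[1]]
    return any(v.observe("203.0.113.10", p) for p in reordered)


def demo_one_time_knock():
    """First knock accepted, its exact replay rejected, the next counter accepted."""
    v = OneTimeKnockVerifier(SHARED_KEY)
    k1 = make_one_time_knock(SHARED_KEY, 1)
    k2 = make_one_time_knock(SHARED_KEY, 2)
    return v.observe(k1), v.observe(k1), v.observe(k2)


if __name__ == "__main__":
    print("knock key bits:", knock_key_bits(SEQUENCE))
    print("static: legit, replay =", demo_static_replay())
    print("static: reordered opens?", demo_static_reorder())
    print("one-time: first, replay, next =", demo_one_time_knock())
```

Two design points worth noting: the one-time variant needs only a single datagram, so a dropped or reordered packet costs one retry with the next counter rather than restarting a multi-packet sequence, and the server must persist `last_counter` across restarts or a previously captured knock becomes valid again.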