Re: Port 10008

From: Bryan Andersen (bryanat_private)
Date: Tue May 15 2001 - 09:53:31 PDT

    Joerg Weber wrote:
    > 
    > Hello everyone,
    > 
    > my FW-Logs went insane last night with gazillions of connection attempts to
    > port 10008.
    > FW-1 does unfortunately not log dropped packets, so I've no idea about flags
    > et al, but the scan looks like this:
    > SourcePort = Increases with each scan
    > DestPort   = 10008
    > 
    > This looks like an automated tool to me, as the whole scan took about a
    > second or two.
    > Any ideas?
    
    No ideas other than likely looking for already exploited machines.  I've
    seen 10008 scans before.
    
    These three scan sets came in yesterday.  Times are -500/US Central.
    Note: different scanning hosts but otherwise the same.  Tcpdump info
    follows.
    
    May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6
    216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50210 F=0x4000 T=48
    May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6
    216.36.78.235:3895 208.42.22.17:10008 L=60 S=0x00 I=50211 F=0x4000 T=48
    May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6
    216.36.78.235:3897 208.42.22.19:10008 L=60 S=0x00 I=50213 F=0x4000 T=48
    May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6
    216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50605 F=0x4000 T=48
    May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6
    216.36.78.235:3895 208.42.22.17:10008 L=60 S=0x00 I=50606 F=0x4000 T=48
    May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6
    216.36.78.235:3897 208.42.22.19:10008 L=60 S=0x00 I=50608 F=0x4000 T=48
    
    May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6
    217.0.224.200:2937 208.42.22.16:10008 L=60 S=0x00 I=60931 F=0x4000 T=50
    May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6
    217.0.224.200:2938 208.42.22.17:10008 L=60 S=0x00 I=60932 F=0x4000 T=50
    May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6
    217.0.224.200:2940 208.42.22.19:10008 L=60 S=0x00 I=60934 F=0x4000 T=50
    May 14 16:06:20 gateway kernel: Packet log: input DENY eth0 PROTO=6
    217.0.224.200:2937 208.42.22.16:10008 L=60 S=0x00 I=61118 F=0x4000 T=50
    May 14 16:06:20 gateway kernel: Packet log: input DENY eth0 PROTO=6
    217.0.224.200:2938 208.42.22.17:10008 L=60 S=0x00 I=61119 F=0x4000 T=50
    May 14 16:06:20 gateway kernel: Packet log: input DENY eth0 PROTO=6
    217.0.224.200:2940 208.42.22.19:10008 L=60 S=0x00 I=61121 F=0x4000 T=50
    
    May 14 16:54:25 gateway kernel: Packet log: input DENY eth0 PROTO=6
    210.208.240.2:3011 208.42.22.16:10008 L=60 S=0x00 I=60689 F=0x4000 T=48
    May 14 16:54:25 gateway kernel: Packet log: input DENY eth0 PROTO=6
    210.208.240.2:3012 208.42.22.17:10008 L=60 S=0x00 I=60690 F=0x4000 T=48
    May 14 16:54:25 gateway kernel: Packet log: input DENY eth0 PROTO=6
    210.208.240.2:3014 208.42.22.19:10008 L=60 S=0x00 I=60692 F=0x4000 T=48
    May 14 16:54:28 gateway kernel: Packet log: input DENY eth0 PROTO=6
    210.208.240.2:3011 208.42.22.16:10008 L=60 S=0x00 I=60871 F=0x4000 T=48
    May 14 16:54:28 gateway kernel: Packet log: input DENY eth0 PROTO=6
    210.208.240.2:3012 208.42.22.17:10008 L=60 S=0x00 I=60872 F=0x4000 T=48
    May 14 16:54:28 gateway kernel: Packet log: input DENY eth0 PROTO=6
    210.208.240.2:3014 208.42.22.19:10008 L=60 S=0x00 I=60874 F=0x4000 T=48
    
    File tcp.2001-05-14_11
    11:03:57.720310 216.36.78.235.3894 > 208.42.22.16.10008: S
    2646016419:2646016419(0) win 32120 <mss 1460,sackOK,timestamp 762060710
    0,nop,wscale 0> (DF)
                             4500 003c c422 4000 3006 794f d824 4eeb
                             d02a 1610 0f36 2718 9db7 01a3 0000 0000
                             a002 7d78 9a89 0000 0204 05b4 0402 080a
                             2d6c 1fa6 0000 0000 0103 0300
    11:03:57.721665 216.36.78.235.3895 > 208.42.22.17.10008: S
    2646139096:2646139096(0) win 32120 <mss 1460,sackOK,timestamp 762060710
    0,nop,wscale 0> (DF)
                             4500 003c c423 4000 3006 794d d824 4eeb
                             d02a 1611 0f37 2718 9db8 e0d8 0000 0000
                             a002 7d78 bb50 0000 0204 05b4 0402 080a
                             2d6c 1fa6 0000 0000 0103 0300
    11:03:57.725081 216.36.78.235.3897 > 208.42.22.19.10008: S
    2655769124:2655769124(0) win 32120 <mss 1460,sackOK,timestamp 762060710
    0,nop,wscale 0> (DF)
                             4500 003c c425 4000 3006 7949 d824 4eeb
                             d02a 1613 0f39 2718 9e4b d224 0000 0000
                             a002 7d78 c96d 0000 0204 05b4 0402 080a
                             2d6c 1fa6 0000 0000 0103 0300
    11:04:00.712215 216.36.78.235.3894 > 208.42.22.16.10008: S
    2646016419:2646016419(0) win 32120 <mss 1460,sackOK,timestamp 762061010
    0,nop,wscale 0> (DF)
                             4500 003c c5ad 4000 3006 77c4 d824 4eeb
                             d02a 1610 0f36 2718 9db7 01a3 0000 0000
                             a002 7d78 995d 0000 0204 05b4 0402 080a
                             2d6c 20d2 0000 0000 0103 0300
    11:04:00.713570 216.36.78.235.3895 > 208.42.22.17.10008: S
    2646139096:2646139096(0) win 32120 <mss 1460,sackOK,timestamp 762061010
    0,nop,wscale 0> (DF)
                             4500 003c c5ae 4000 3006 77c2 d824 4eeb
                             d02a 1611 0f37 2718 9db8 e0d8 0000 0000
                             a002 7d78 ba24 0000 0204 05b4 0402 080a
                             2d6c 20d2 0000 0000 0103 0300
    11:04:00.716358 216.36.78.235.3897 > 208.42.22.19.10008: S
    2655769124:2655769124(0) win 32120 <mss 1460,sackOK,timestamp 762061010
    0,nop,wscale 0> (DF)
                             4500 003c c5b0 4000 3006 77be d824 4eeb
                             d02a 1613 0f39 2718 9e4b d224 0000 0000
                             a002 7d78 c841 0000 0204 05b4 0402 080a
                             2d6c 20d2 0000 0000 0103 0300
    
    File tcp.2001-05-14_16
    16:06:16.938028 217.0.224.200.2937 > 208.42.22.16.10008: S
    300290299:300290299(0) win 31900 <mss 1450,sackOK,timestamp 47186197
    0,nop,wscale 0> (DF)
                             4500 003c ee03 4000 3206 bab4 d900 e0c8
                             d02a 1610 0b79 2718 11e6 10fb 0000 0000
                             a002 7c9c d219 0000 0204 05aa 0402 080a
                             02d0 0115 0000 0000 0103 0300
    16:06:16.939376 217.0.224.200.2938 > 208.42.22.17.10008: S
    298340939:298340939(0) win 31900 <mss 1450,sackOK,timestamp 47186197
    0,nop,wscale 0> (DF)
                             4500 003c ee04 4000 3206 bab2 d900 e0c8
                             d02a 1611 0b7a 2718 11c8 524b 0000 0000
                             a002 7c9c 90e5 0000 0204 05aa 0402 080a
                             02d0 0115 0000 0000 0103 0300
    16:06:16.956082 217.0.224.200.2940 > 208.42.22.19.10008: S
    296964866:296964866(0) win 31900 <mss 1450,sackOK,timestamp 47186197
    0,nop,wscale 0> (DF)
                             4500 003c ee06 4000 3206 baae d900 e0c8
                             d02a 1613 0b7c 2718 11b3 5302 0000 0000
                             a002 7c9c 903f 0000 0204 05aa 0402 080a
                             02d0 0115 0000 0000 0103 0300
    16:06:20.263842 217.0.224.200.2937 > 208.42.22.16.10008: S
    300290299:300290299(0) win 31900 <mss 1450,sackOK,timestamp 47186497
    0,nop,wscale 0> (DF)
                             4500 003c eebe 4000 3206 b9f9 d900 e0c8
                             d02a 1610 0b79 2718 11e6 10fb 0000 0000
                             a002 7c9c d0ed 0000 0204 05aa 0402 080a
                             02d0 0241 0000 0000 0103 0300
    16:06:20.265192 217.0.224.200.2938 > 208.42.22.17.10008: S
    298340939:298340939(0) win 31900 <mss 1450,sackOK,timestamp 47186497
    0,nop,wscale 0> (DF)
                             4500 003c eebf 4000 3206 b9f7 d900 e0c8
                             d02a 1611 0b7a 2718 11c8 524b 0000 0000
                             a002 7c9c 8fb9 0000 0204 05aa 0402 080a
                             02d0 0241 0000 0000 0103 0300
    16:06:20.281198 217.0.224.200.2940 > 208.42.22.19.10008: S
    296964866:296964866(0) win 31900 <mss 1450,sackOK,timestamp 47186497
    0,nop,wscale 0> (DF)
                             4500 003c eec1 4000 3206 b9f3 d900 e0c8
                             d02a 1613 0b7c 2718 11b3 5302 0000 0000
                             a002 7c9c 8f13 0000 0204 05aa 0402 080a
                             02d0 0241 0000 0000 0103 0300
    
    16:54:25.170824 210.208.240.2.3011 > 208.42.22.16.10008: S
    3606915073:3606915073(0) win 32120 <mss 1460,sackOK,timestamp 456887999
    0,nop,wscale 0> (DF)
                             4500 003c ed11 4000 3006 b49c d2d0 f002
                             d02a 1610 0bc3 2718 d6fd 2801 0000 0000
                             a002 7d78 45ac 0000 0204 05b4 0402 080a
                             1b3b 8ebf 0000 0000 0103 0300
    16:54:25.174139 210.208.240.2.3012 > 208.42.22.17.10008: S
    3609501232:3609501232(0) win 32120 <mss 1460,sackOK,timestamp 456887999
    0,nop,wscale 0> (DF)
                             4500 003c ed12 4000 3006 b49a d2d0 f002
                             d02a 1611 0bc4 2718 d724 9e30 0000 0000
                             a002 7d78 cf53 0000 0204 05b4 0402 080a
                             1b3b 8ebf 0000 0000 0103 0300
    16:54:25.178268 210.208.240.2.3014 > 208.42.22.19.10008: S
    3610836087:3610836087(0) win 32120 <mss 1460,sackOK,timestamp 456887999
    0,nop,wscale 0> (DF)
                             4500 003c ed14 4000 3006 b496 d2d0 f002
                             d02a 1613 0bc6 2718 d738 fc77 0000 0000
                             a002 7d78 70f4 0000 0204 05b4 0402 080a
                             1b3b 8ebf 0000 0000 0103 0300
    16:54:28.164009 210.208.240.2.3011 > 208.42.22.16.10008: S
    3606915073:3606915073(0) win 32120 <mss 1460,sackOK,timestamp 456888299
    0,nop,wscale 0> (DF)
                             4500 003c edc7 4000 3006 b3e6 d2d0 f002
                             d02a 1610 0bc3 2718 d6fd 2801 0000 0000
                             a002 7d78 4480 0000 0204 05b4 0402 080a
                             1b3b 8feb 0000 0000 0103 0300
    16:54:28.167363 210.208.240.2.3012 > 208.42.22.17.10008: S
    3609501232:3609501232(0) win 32120 <mss 1460,sackOK,timestamp 456888299
    0,nop,wscale 0> (DF)
                             4500 003c edc8 4000 3006 b3e4 d2d0 f002
                             d02a 1611 0bc4 2718 d724 9e30 0000 0000
                             a002 7d78 ce27 0000 0204 05b4 0402 080a
                             1b3b 8feb 0000 0000 0103 0300
    16:54:28.172085 210.208.240.2.3014 > 208.42.22.19.10008: S
    3610836087:3610836087(0) win 32120 <mss 1460,sackOK,timestamp 456888299
    0,nop,wscale 0> (DF)
                             4500 003c edca 4000 3006 b3e0 d2d0 f002
                             d02a 1613 0bc6 2718 d738 fc77 0000 0000
                             a002 7d78 6fc8 0000 0204 05b4 0402 080a
                             1b3b 8feb 0000 0000 0103 0300
    
    -- 
    |  Bryan Andersen   |   bryanat_private   |   http://www.nerdvest.com   |
    | Buzzwords are like annoying little flies that deserve to be swatted. |
    |   -Bryan Andersen                                                    |
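Added example, not part of the post and not written by its author: a Python script that parses ipchains-style "Packet log:" lines like the ones quoted above, flags any source that hits three or more destinations on the same port within a few seconds (the horizontal sweep pattern in the logs), and decodes the first tcpdump hex dump to confirm that the I=, F= and T= fields in the kernel log are the IP ID, the DF flag and the TTL of the packet. The sample input is a subset of the post's own log lines plus one constructed non-scan line from 192.0.2.7; the year 2001 is assumed from the message header because syslog lines carry no year.

```python
"""Parse ipchains 'Packet log:' lines, detect a port sweep, and cross-check
one tcpdump hex dump against the corresponding log line."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the log lines in the post, plus one
# unrelated single hit (192.0.2.7 -> port 22) that must NOT be flagged.
SAMPLE_LOG = """\
May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50210 F=0x4000 T=48
May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3895 208.42.22.17:10008 L=60 S=0x00 I=50211 F=0x4000 T=48
May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3897 208.42.22.19:10008 L=60 S=0x00 I=50213 F=0x4000 T=48
May 14 11:04:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 216.36.78.235:3894 208.42.22.16:10008 L=60 S=0x00 I=50605 F=0x4000 T=48
May 14 12:30:00 gateway kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40000 208.42.22.16:22 L=60 S=0x00 I=1 F=0x4000 T=64
May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2937 208.42.22.16:10008 L=60 S=0x00 I=60931 F=0x4000 T=50
May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2938 208.42.22.17:10008 L=60 S=0x00 I=60932 F=0x4000 T=50
May 14 16:06:16 gateway kernel: Packet log: input DENY eth0 PROTO=6 217.0.224.200:2940 208.42.22.19:10008 L=60 S=0x00 I=60934 F=0x4000 T=50
"""

# The first packet's hex dump from the post (tcpdump -x output, IP + TCP headers).
SAMPLE_HEX = """
4500 003c c422 4000 3006 794f d824 4eeb
d02a 1610 0f36 2718 9db7 01a3 0000 0000
a002 7d78 9a89 0000 0204 05b4 0402 080a
2d6c 1fa6 0000 0000 0103 0300
"""

LOG_YEAR = 2001  # assumption: taken from the mail header, syslog has no year

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ (?P<verdict>\w+) \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)")


def parse_log(text):
    """Return one dict per parsable 'Packet log:' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(f"{LOG_YEAR} {r['ts']}", "%Y %b %d %H:%M:%S")
        for k in ("proto", "sport", "dport", "len", "ipid", "ttl"):
            r[k] = int(r[k])
        r["frag"] = int(r["frag"], 16)
        records.append(r)
    return records


def detect_sweeps(records, min_targets=3, window_s=5):
    """Flag (src, dport) pairs that reach >= min_targets distinct hosts within window_s."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["dport"])].append((r["ts"], r["dst"]))
    hits = []
    for (src, dport), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits.append({"src": src, "dport": dport, "first": t0, "targets": sorted(targets)})
                break  # one alert per source/port pair is enough
    return sorted(hits, key=lambda h: h["first"])


def parse_tcp_options(opts):
    """Decode the TCP options seen in the dumps: mss, sackOK, timestamp, nop, wscale."""
    names = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # nop, single byte
            i += 1
            continue
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 8:
            value = (int.from_bytes(data[:4], "big"), int.from_bytes(data[4:], "big"))
        elif kind == 4:
            value = True
        else:
            value = int.from_bytes(data, "big")
        out[names.get(kind, f"kind{kind}")] = value
        i += length
    return out


def decode_hexdump(hex_text):
    """Decode IPv4 + TCP headers from a tcpdump-style hex dump."""
    raw = bytes.fromhex("".join(hex_text.split()))
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:]
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return {
        "ip_len": int.from_bytes(raw[2:4], "big"),
        "ip_id": int.from_bytes(raw[4:6], "big"),
        "df": bool(int.from_bytes(raw[6:8], "big") & 0x4000),
        "ttl": raw[8],
        "proto": raw[9],
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),
        "flags": {"SYN": bool(flags & 0x02), "ACK": bool(flags & 0x10),
                  "RST": bool(flags & 0x04), "FIN": bool(flags & 0x01)},
        "window": int.from_bytes(tcp[14:16], "big"),
        "options": parse_tcp_options(tcp[20:doff]),
    }


def matches_log(record, decoded):
    """True when the decoded packet is the one the kernel log line describes."""
    return (record["src"] == decoded["src"] and record["dst"] == decoded["dst"]
            and record["sport"] == decoded["sport"] and record["dport"] == decoded["dport"]
            and record["len"] == decoded["ip_len"] and record["ipid"] == decoded["ip_id"]
            and record["ttl"] == decoded["ttl"] and bool(record["frag"] & 0x4000) == decoded["df"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for h in detect_sweeps(recs):
        print(f"sweep from {h['src']} to port {h['dport']} at {h['first']}: {h['targets']}")
    pkt = decode_hexdump(SAMPLE_HEX)
    print("first dump is a bare SYN:", pkt["flags"]["SYN"] and not pkt["flags"]["ACK"])
    print("dump matches first log line:", matches_log(recs[0], pkt))
```

The sweep detector keys on (source, destination port) and a short time window, which is exactly what separates these three-host probes from ordinary noise; the 192.0.2.7 line is parsed but never flagged. Decoding the hex confirms what the log cannot show on its own: the packets are plain SYNs with DF set, window 32120, and the usual Linux option set, and the I=50210, F=0x4000, T=48 fields line up with the IP ID, DF flag and TTL bytes of the dump.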
    



    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 10:55:14 PDT