-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yesterday afternoon I saw apparently-coordinated scans which absolutely
confuse me. I'd appreciate hearing from anyone who has seen anything
similar or who has a likely explanation.

First, I have my main machine which has Linux with an ipchains firewall.
On the same subnet I have a Linux box with a non-recent Snort IDS
configuration monitoring the subnet. The logs below show:

1) My ipchains logs showing several of *our* machines from diverse
   subnets making from 1 to 6 connection attempts to *my* personal
   machine, the first at 15:18, then a bunch from 16:29 to 16:31:50.
   All but the first have source port tcp/6667 to various destination
   ports.

2) Snort logs revealing a scan by an external IP of many machines on my
   subnet, source and destination ports tcp/6667, lasting from 16:31:46
   to 16:31:47.

Obfuscated logs follow.

En paz,
Steve, security analyst

MY MAIN MACHINE, /var/log/messages:

Feb 25 15:18:05 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetC.num.5:1029 UP.subnetE.my.machine:2665 L=40 S=0x00 I=23024 F=0x4000 T=58 (#69)
Feb 25 16:29:23 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetB.num.4:6667 UP.subnetE.my.machine:4364 L=40 S=0x00 I=21327 F=0x4000 T=126 (#69)
Feb 25 16:29:37 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1661 F=0x4000 T=126 (#69)
Feb 25 16:29:40 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1663 F=0x4000 T=126 (#69)
Feb 25 16:29:46 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1665 F=0x4000 T=126 (#69)
Feb 25 16:29:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1670 F=0x4000 T=126 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=20537 F=0x4000 T=125 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=841 F=0x4000 T=125 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34406 F=0x4000 T=125 (#69)
Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=1353 F=0x4000 T=125 (#69)
Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=21049 F=0x4000 T=125 (#69)
Feb 25 16:30:12 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34453 F=0x4000 T=125 (#69)
Feb 25 16:30:17 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=2121 F=0x4000 T=125 (#69)
Feb 25 16:30:18 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=21305 F=0x4000 T=125 (#69)
Feb 25 16:30:18 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34548 F=0x4000 T=125 (#69)
Feb 25 16:30:22 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2078 F=0x4000 T=126 (#69)
Feb 25 16:30:29 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=6985 F=0x4000 T=125 (#69)
Feb 25 16:30:31 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=22329 F=0x4000 T=125 (#69)
Feb 25 16:30:31 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34737 F=0x4000 T=125 (#69)
Feb 25 16:30:53 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=16201 F=0x4000 T=125 (#69)
Feb 25 16:30:57 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=23097 F=0x4000 T=125 (#69)
Feb 25 16:30:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=35364 F=0x4000 T=125 (#69)
Feb 25 16:31:10 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2088 F=0x4000 T=126 (#69)
Feb 25 16:31:42 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=27721 F=0x4000 T=125 (#69)
Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=25913 F=0x4000 T=125 (#69)
Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=37867 F=0x4000 T=125 (#69)

SNORT IDS, /var/log/snort/portscan.log:

Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.2:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.3:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.4:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.5:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.6:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.7:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.8:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.9:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.my.IDS:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.10:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.11:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.12:6667 SYN ******S*
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.13:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.14:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.15:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.16:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.17:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.18:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.19:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.20:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.21:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.22:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.23:6667 SYN ******S*

SNORT IDS, entry from /var/log/secure:

Feb 25 16:31:46 ids-box kernel: Packet log: input DENY eth0 PROTO=6 intruderIP:6667 UP.subnetE.my.IDS:6667 L=40 S=0x00 I=44823 F=0x0000 T=107

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPHuqlc3oSRS59y8HEQIXpQCfaVML7kQhcdcOvqHOuWxWsSP91X0An0rm
x4d752nlavPkbvA/cfciLrg6
=lgnB
-----END PGP SIGNATURE-----

-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompsonat_private  URL=http://pobox.upenn.edu/~thompson/index.html
For security matters, use securityat_private, read by InfoSec staff
The only safe choice: Write e-mail as if it's public. Cuz it could be.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
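The ipchains entries in the post are easier to reason about once they are grouped per source host and the gaps between repeats are laid out. The following is an added example, written for this archive page and not the poster's own tooling: a small parser for the Linux 2.2 ipchains "Packet log:" line format that clusters the denied packets by (source host, source port, destination port), computes inter-arrival gaps, and flags clusters whose gaps roughly double each time, the shape of TCP retransmission backoff. The sample log is a constructed subset of the obfuscated entries above (the UP.* names are the post's own placeholders, not real addresses); the function names, the 25% tolerance and the "ephemeral port >= 1024" cut-off are this example's assumptions.

```python
"""Cluster ipchains DENY entries and flag retransmission-shaped repeats.

Added example; not from the original post. Sample lines are constructed
from the obfuscated entries the post shows.
"""
import re
from collections import defaultdict
from datetime import datetime

# ipchains (Linux 2.2) kernel log layout:
# <ts> <host> kernel: Packet log: <chain> <target> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$"
)

# Constructed subset of the post's /var/log/messages entries (B.4, C.5, D.6, A.1).
SAMPLE_LOG = """\
Feb 25 15:18:05 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetC.num.5:1029 UP.subnetE.my.machine:2665 L=40 S=0x00 I=23024 F=0x4000 T=58 (#69)
Feb 25 16:29:23 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetB.num.4:6667 UP.subnetE.my.machine:4364 L=40 S=0x00 I=21327 F=0x4000 T=126 (#69)
Feb 25 16:29:37 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1661 F=0x4000 T=126 (#69)
Feb 25 16:29:40 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1663 F=0x4000 T=126 (#69)
Feb 25 16:29:46 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1665 F=0x4000 T=126 (#69)
Feb 25 16:29:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1670 F=0x4000 T=126 (#69)
Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=841 F=0x4000 T=125 (#69)
Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=1353 F=0x4000 T=125 (#69)
Feb 25 16:30:17 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=2121 F=0x4000 T=125 (#69)
Feb 25 16:30:22 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2078 F=0x4000 T=126 (#69)
Feb 25 16:30:29 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=6985 F=0x4000 T=125 (#69)
Feb 25 16:30:53 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=16201 F=0x4000 T=125 (#69)
Feb 25 16:31:10 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2088 F=0x4000 T=126 (#69)
Feb 25 16:31:42 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=27721 F=0x4000 T=125 (#69)
""".splitlines()


def parse_ipchains(lines):
    """Return one dict per parseable line; lines in another format are skipped."""
    records = []
    for line in lines:
        m = IPCHAINS_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # Syslog timestamps carry no year; only gaps within the day matter here.
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def gaps_seconds(records):
    """Inter-arrival gaps (whole seconds) of a time-ordered record list."""
    return [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(records, records[1:])]


def looks_like_backoff(gaps, tolerance=0.25):
    """True when every gap is within `tolerance` of double the previous gap."""
    if len(gaps) < 2:
        return False
    return all(abs(b - 2 * a) <= tolerance * 2 * a for a, b in zip(gaps, gaps[1:]))


def cluster_flows(records):
    """Summarise records per (src host, src port, dst port) flow."""
    flows = defaultdict(list)
    for rec in records:
        flows[(rec["src"], rec["sport"], rec["dport"])].append(rec)
    summary = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = gaps_seconds(recs)
        summary[key] = {
            "count": len(recs),
            "first": recs[0]["ts"].strftime("%H:%M:%S"),
            "last": recs[-1]["ts"].strftime("%H:%M:%S"),
            "gaps": gaps,
            "ttl": sorted({r["ttl"] for r in recs}),
            "backoff": looks_like_backoff(gaps),
        }
    return summary


def count_service_port_sources(records, service_port=6667):
    """Count, per source host, packets arriving *from* a service port at an
    ephemeral destination port: the shape of every entry in the post but the first."""
    counts = defaultdict(int)
    for rec in records:
        if rec["sport"] == service_port and rec["dport"] >= 1024:
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_ipchains(SAMPLE_LOG)
    for (src, sport, dport), info in sorted(cluster_flows(recs).items()):
        flag = "BACKOFF" if info["backoff"] else ""
        print(f"{src}:{sport} -> :{dport} x{info['count']} "
              f"{info['first']}..{info['last']} gaps={info['gaps']} ttl={info['ttl']} {flag}")
    print("sources using src port 6667:", count_service_port_sources(recs))
```

Run against the post's full /var/log/messages block, the clusters from subnetD host 6 and the three subnetA hosts all come out with gaps of about 3, 6, 12, 24, 48 seconds, which is the retransmission timer doubling rather than a person or scanner retrying. ipchains logs no TCP flags, so the format alone cannot say whether those packets were SYNs or SYN/ACKs; one interpretation consistent with the timing, offered here as an assumption and not as a finding, is that the internal hosts were answering connection requests that carried the writer's address but that his machine never sent. A packet capture with flags, or the IRC server logs on those hosts, would settle it.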
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 11:49:44 PST