Scan combining internal/external

From: Stephen W. Thompson (thompsonat_private)
Date: Tue Feb 26 2002 - 07:34:53 PST


    Yesterday afternoon I saw apparently-coordinated scans which
    absolutely confuse me.  I'd appreciate hearing from anyone who has
    seen anything similar or who has a likely explanation.
    
    First, I have my main machine which has Linux with an ipchains
    firewall.  On the same subnet I have a Linux box with a non-recent
    Snort IDS configuration monitoring the subnet.
    
    The logs below show:
     1) My ipchains logs showing several of *our* machines from diverse
        subnets making from 1 to 6 connection attempts to *my* personal
        machine, the first at 15:18, then a bunch from 16:29 to 16:31:50.
        All but the first have source port tcp/6667 to various destination
        ports.
     2) Snort logs revealing a scan by an external IP of many machines on
        my subnet, source and destination ports tcp/6667, lasting from
        16:31:46 to 16:31:47.
    
    Obfuscated logs follow.
    
    En paz,
    Steve, security analyst
    
    MY MAIN MACHINE, /var/log/messages:
    
    Feb 25 15:18:05 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetC.num.5:1029 UP.subnetE.my.machine:2665 L=40 S=0x00 I=23024 F=0x4000 T=58 (#69)
    Feb 25 16:29:23 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetB.num.4:6667 UP.subnetE.my.machine:4364 L=40 S=0x00 I=21327 F=0x4000 T=126 (#69)
    Feb 25 16:29:37 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1661 F=0x4000 T=126 (#69)
    Feb 25 16:29:40 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1663 F=0x4000 T=126 (#69)
    Feb 25 16:29:46 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1665 F=0x4000 T=126 (#69)
    Feb 25 16:29:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1670 F=0x4000 T=126 (#69)
    Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=20537 F=0x4000 T=125 (#69)
    Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=841 F=0x4000 T=125 (#69)
    Feb 25 16:30:08 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34406 F=0x4000 T=125 (#69)
    Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=1353 F=0x4000 T=125 (#69)
    Feb 25 16:30:11 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=21049 F=0x4000 T=125 (#69)
    Feb 25 16:30:12 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34453 F=0x4000 T=125 (#69)
    Feb 25 16:30:17 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=2121 F=0x4000 T=125 (#69)
    Feb 25 16:30:18 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=21305 F=0x4000 T=125 (#69)
    Feb 25 16:30:18 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34548 F=0x4000 T=125 (#69)
    Feb 25 16:30:22 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2078 F=0x4000 T=126 (#69)
    Feb 25 16:30:29 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=6985 F=0x4000 T=125 (#69)
    Feb 25 16:30:31 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=22329 F=0x4000 T=125 (#69)
    Feb 25 16:30:31 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=34737 F=0x4000 T=125 (#69)
    Feb 25 16:30:53 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=16201 F=0x4000 T=125 (#69)
    Feb 25 16:30:57 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=23097 F=0x4000 T=125 (#69)
    Feb 25 16:30:58 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=35364 F=0x4000 T=125 (#69)
    Feb 25 16:31:10 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2088 F=0x4000 T=126 (#69)
    Feb 25 16:31:42 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.1:6667 UP.subnetE.my.machine:1455 L=40 S=0x00 I=27721 F=0x4000 T=125 (#69)
    Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.2:6667 UP.subnetE.my.machine:2418 L=40 S=0x00 I=25913 F=0x4000 T=125 (#69)
    Feb 25 16:31:50 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetA.num.3:6667 UP.subnetE.my.machine:2335 L=40 S=0x00 I=37867 F=0x4000 T=125 (#69)
    
    SNORT IDS, /var/log/snort/portscan.log:
    
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.2:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.3:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.4:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.5:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.6:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.7:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.8:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.9:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.my.IDS:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.10:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.11:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.12:6667 SYN ******S* 
    Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.13:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.14:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.15:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.16:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.17:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.18:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.19:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.20:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.21:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.22:6667 SYN ******S* 
    Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.23:6667 SYN ******S* 
    
    
    SNORT IDS, entry from /var/log/secure:
    
    Feb 25 16:31:46 ids-box kernel: Packet log: input DENY eth0 PROTO=6 intruderIP:6667 UP.subnetE.my.IDS:6667 L=40 S=0x00 I=44823 F=0x0000 T=107 
    
    -- 
    Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
    thompsonat_private    URL=http://pobox.upenn.edu/~thompson/index.html
      For security matters, use securityat_private, read by InfoSec staff
      The only safe choice: Write e-mail as if it's public.  Cuz it could be.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
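As an added example (not from Steve's post or from any tool he names), here is a small parser for the two log formats quoted above that merges them and summarises them per source host, which is the correlation the post is asking about: it tells apart the internal hosts' hits with a fixed source port 6667 aimed at ephemeral ports from the external 6667-to-6667 sweep, and reports the time window, destination ports and TTLs of each. The sample lines are constructed from the obfuscated entries in the post; the regexes and field names are my assumptions about the ipchains "Packet log:" and Snort portscan.log formats.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the two log formats quoted in the post (obfuscated hosts kept).
IPCHAINS_SAMPLE = """\
Feb 25 15:18:05 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetC.num.5:1029 UP.subnetE.my.machine:2665 L=40 S=0x00 I=23024 F=0x4000 T=58 (#69)
Feb 25 16:29:37 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=1661 F=0x4000 T=126 (#69)
Feb 25 16:31:10 mymain kernel: Packet log: input DENY eth0 PROTO=6 UP.subnetD.num.6:6667 UP.subnetE.my.machine:3260 L=40 S=0x00 I=2088 F=0x4000 T=126 (#69)
Feb 25 16:31:46 ids-box kernel: Packet log: input DENY eth0 PROTO=6 intruderIP:6667 UP.subnetE.my.IDS:6667 L=40 S=0x00 I=44823 F=0x0000 T=107
"""
SNORT_SAMPLE = """\
Feb 25 16:31:46 intruderIP:6667 -> UP.subnetE.0.2:6667 SYN ******S*
Feb 25 16:31:47 intruderIP:6667 -> UP.subnetE.0.14:6667 SYN ******S*
"""
# Assumed layouts: ipchains "Packet log:" line (trailing "(#rule)" optional) and Snort portscan.log line.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: \S+ (?P<action>\S+) "
    r"\S+ PROTO=\d+ (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=(?P<frag>\S+) T=(?P<ttl>\d+)")
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>\S+)")

def parse(text, regex):
    """One dict per matching line (ports and TTL as ints); non-matching lines are skipped."""
    events = []
    for m in filter(None, map(regex.match, text.splitlines())):
        ev = m.groupdict()
        ev.update({k: int(ev[k]) for k in ("sport", "dport", "ttl") if k in ev})
        events.append(ev)
    return events

def correlate(ipchains_text, snort_text):
    """Merge both logs and summarise per source host: event count, time window, distinct destination
    ports and TTLs, and which 6667 pattern it shows (fixed source port 6667 at ephemeral ports vs 6667->6667)."""
    by_src = defaultdict(list)
    for ev in parse(ipchains_text, IPCHAINS_RE) + parse(snort_text, SNORT_RE):
        by_src[ev["src"]].append(ev)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: datetime.strptime(e["ts"], "%b %d %H:%M:%S"))  # year-less syslog stamp
        summary[src] = {
            "count": len(evs), "first": evs[0]["ts"], "last": evs[-1]["ts"],
            "dports": sorted({e["dport"] for e in evs}),
            "ttls": sorted({e["ttl"] for e in evs if "ttl" in e}),
            "fixed_sport_6667": all(e["sport"] == 6667 for e in evs),
            "sweep_6667_to_6667": any(e["sport"] == 6667 == e["dport"] for e in evs),
        }
    return summary
```

Running `correlate()` over real files (one call per pair of logs) gives a per-host table from which the overlapping windows, the 125/126 versus 107 TTLs and the DF-flag difference between the two groups are read off directly.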
    
    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 11:49:44 PST