[TriLUG] I'm being scanned? What are they trying to do?

Daniel T. Chen crimsun at email.unc.edu
Mon Oct 15 12:19:03 EDT 2001


On Sun, 14 Oct 2001, Sinner from the Prairy wrote:

> Oct  5 22:05:33 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=62.73.5.136 
> DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63121 PROTO=TCP SPT=22 
> DPT=22 WINDOW=40 RES=0x00 SYN URGP=0
> 
> Oct  7 00:25:23 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=134.226.1.29 
> DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=3795 PROTO=TCP SPT=22 
> DPT=22 WINDOW=11227 RES=0x00 SYN URGP=0

Without being paranoid (!!), probably probing for ssh/1
vulnerabilities. Yet another reason to specify explicitly ``Protocol 2''
in /etc/ssh/sshd_config (or wherever your distribution keeps its
sshd_config).

I use iptables to DROP all incoming packets to tcp/22 except from
individual IPs I trust.

> Oct 13 15:41:57 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.169.82.130 
> DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=17668 DF PROTO=TCP 
> SPT=4768 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
> 
> Oct 13 20:28:14 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=200.207.209.210 
> DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=49474 DF PROTO=TCP 
> SPT=4504 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0

Again, probably probing for known portmap exploits that should have been
fixed if you keep current with your distro's updates. Since you're running
Mandrake 8.1, there's no need to worry about having a vulnerable
portmap...that was fixed long ago. Once again, use iptables to DROP
packets except from IPs you explicitly trust.

> Oct 14 17:14:26 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=192.118.7.166 
> DST=65.80.205.204 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18863 DF PROTO=TCP 
> SPT=35915 DPT=21 WINDOW=4422 RES=0x00 SYN URGP=0
> 
> Oct 14 22:33:38 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.185.195.1 
> DST=65.80.202.72 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=57516 DF PROTO=TCP 
> SPT=3282 DPT=21 WINDOW=32120 RES=0x00 SYN URGP=0

Hrm, probing for anonymous ftp, perhaps? Older ftpds with anon accounts
enabled had some path handling and format string vulnerabilities. All the
normal precautions apply...

> So, what's going on? 

I'd guess a normal run-of-the-mill selective port probing. If you DROP all
packets by default (and log), you'll probably see a ton of these messages
in /var/log/messages (or syslog). No big deal as long as you keep an eye
out for weirdness -- given that you already run ipchains/iptables and keep
your packages current, which I'd guess wouldn't be a problem since you're
running Mandrake 8.1.

> How can I learn by myself what they are trying to do?

Hrm, www.linuxsecurity.org is a good place to start. If you don't mind
slightly more mail, subscribe to BugTraq/Incidents (or simply check
www.securityfocus.com). There are also several good books (O'Reilly and
otherwise) to check out...there's an SSH one, a Linux/Hacking Exposed,
etc.

---
Dan Chen                 crimsun at email.unc.edu
GPG key: www.cs.unc.edu/~chenda/pubkey.gpg.asc
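Added worked example (not part of the original post or the TriLUG thread): a small parser for the iptables LOG format shown in the quoted lines, with a summary that groups the dropped SYNs by destination port the way Dan does by hand above. The six quoted log lines are used as the sample input; the service-name table, the treatment of a privileged source port as noteworthy, and the `trusted` source set are assumptions of this example, not something the thread states.

```python
import re
from collections import defaultdict

# Sample input: the iptables LOG lines quoted in the thread (default-DROP
# firewall with logging). The LOG rule's --log-prefix was evidently "audit"
# with no trailing space, which is why it runs straight into "IN=".
SAMPLE_LOG = """\
Oct  5 22:05:33 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=62.73.5.136 DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63121 PROTO=TCP SPT=22 DPT=22 WINDOW=40 RES=0x00 SYN URGP=0
Oct  7 00:25:23 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=134.226.1.29 DST=65.80.201.58 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=3795 PROTO=TCP SPT=22 DPT=22 WINDOW=11227 RES=0x00 SYN URGP=0
Oct 13 15:41:57 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.169.82.130 DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=17668 DF PROTO=TCP SPT=4768 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
Oct 13 20:28:14 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=200.207.209.210 DST=65.80.203.36 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=49474 DF PROTO=TCP SPT=4504 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
Oct 14 17:14:26 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=192.118.7.166 DST=65.80.205.204 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=18863 DF PROTO=TCP SPT=35915 DPT=21 WINDOW=4422 RES=0x00 SYN URGP=0
Oct 14 22:33:38 sal10000 kernel: auditIN=ppp0 OUT= MAC= SRC=211.185.195.1 DST=65.80.202.72 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=57516 DF PROTO=TCP SPT=3282 DPT=21 WINDOW=32120 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", optional log prefix, then the IN=... fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<rest>IN=.*)$"
)

# Assumed service names for the ports seen in the thread; anything else falls
# back to "tcp/<port>" so the script does not depend on /etc/services.
KNOWN_PORTS = {21: "ftp", 22: "ssh", 111: "sunrpc/portmap"}


def service_name(port):
    return KNOWN_PORTS.get(port, "tcp/%d" % port)


def parse_iptables_log(line):
    """Parse one iptables LOG syslog line into a dict, or None if it is not one.

    KEY=VALUE tokens become dict entries (empty values are kept, e.g. OUT=);
    bare tokens such as DF, SYN or ACK are collected in the "flags" set.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].add(tok)
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def summarize_probes(log_text, trusted=frozenset()):
    """Group dropped TCP connection attempts by destination port.

    Only SYN-without-ACK packets count (new connection attempts, which is
    what a port probe looks like in a default-DROP log). Sources listed in
    `trusted` are skipped, mirroring an iptables policy that accepts them.
    """
    by_port = defaultdict(lambda: {"count": 0, "sources": set(), "low_spt": 0})
    for line in log_text.splitlines():
        rec = parse_iptables_log(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue
        if rec["SRC"] in trusted:
            continue
        entry = by_port[rec["DPT"]]
        entry["count"] += 1
        entry["sources"].add(rec["SRC"])
        # Clients normally connect from ephemeral ports; an unsolicited SYN
        # with a privileged (<1024) source port, like SPT=22 above, is worth
        # counting separately (assumed heuristic, not from the thread).
        if rec["SPT"] < 1024:
            entry["low_spt"] += 1
    return dict(by_port)


def report(summary):
    """Render the summary as text lines, most-probed port first."""
    lines = []
    for port, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append("%-16s %2d attempt(s) from %d source(s), %d with source port < 1024"
                     % (service_name(port), entry["count"],
                        len(entry["sources"]), entry["low_spt"]))
    return lines


if __name__ == "__main__":
    for text in report(summarize_probes(SAMPLE_LOG)):
        print(text)
```

Run against a real /var/log/messages you would feed the file contents to summarize_probes() and pass your trusted IPs, so the report shows only what the firewall dropped from strangers; the per-port counts and distinct-source counts are what separate a broad sweep from a single host hammering one service.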