is one of my hosts a scanner?

Randy Bush randy at psg.com
Mon Sep 8 22:20:41 PDT 2003


so i just found that one of my hosts is GENERATING these probe
pairs, maybe every minute or two (note the sequence numbers):

seq     my host                       victim(s)
---     ----------------              ---------------
24)     192.168.0.2:1121    <-->      216.52.3.2:2703 
25)     192.168.0.2:1122    <-->      216.52.3.4:2703 
39)     192.168.0.2:1124    <-->      216.52.3.2:2703 
40)     192.168.0.2:1125    <-->      216.52.3.4:2703 
49)     192.168.0.2:1129    <-->      216.52.3.2:2703 
50)     192.168.0.2:1130    <-->      216.52.3.4:2703 
71)     192.168.0.2:1136    <-->      216.52.3.2:2703 
72)     192.168.0.2:1137    <-->      216.52.3.4:2703 
83)     192.168.0.2:1141    <-->      216.52.3.2:2703 
84)     192.168.0.2:1142    <-->      216.52.3.4:2703

the host in the 1918 space is mine.  the gap in the sequential scan
is because those ports were otherwise occupied.

a single probe looks like

21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 54731668 0> (DF)
21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 <mss 1460,nop,nop,timestamp 1121328035 54731668,nop,wscale 0> (DF)
21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 <nop,nop,timestamp 54731685 1121328035> (DF)
21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 <nop,nop,timestamp 1121328056 54731685> (DF)
21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 <nop,nop,timestamp 54731706 1121328056> (DF)
21:30:33.027105 216.52.3.2.2703 > 192.168.0.2.1141: . ack 13 win 5792 <nop,nop,timestamp 1121328074 54731706> (DF)
21:30:33.028032 216.52.3.2.2703 > 192.168.0.2.1141: P 36:90(54) ack 13 win 5792 <nop,nop,timestamp 1121328074 54731706> (DF)
21:30:33.028724 192.168.0.2.1141 > 216.52.3.2.2703: P 13:25(12) ack 90 win 57920 <nop,nop,timestamp 54731740 1121328074> (DF)
21:30:33.187272 216.52.3.2.2703 > 192.168.0.2.1141: P 90:141(51) ack 25 win 5792 <nop,nop,timestamp 1121328108 54731740> (DF)
21:30:33.196247 192.168.0.2.1141 > 216.52.3.2.2703: P 25:30(5) ack 141 win 57920 <nop,nop,timestamp 54731757 1121328108> (DF)
21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 <nop,nop,timestamp 1121328130 54731757> (DF)

iana says port 2703 is sms-chat.  google for "sms-chat protocol"
produces two hacker texts in deutsch, which i tried to wade through
but it was a lot of cryptic twisty passages.

sms seems to be some sort of microsloth protocol.  and, from
samba-land docs

  "The version of netmon that ships with SMS allows for dumping
   packets between any two computers (i.e. placing the network
   interface in promiscuous mode)"

now the host doing the probes
  o is the only one of my hosts doing it
  o is the only one of my hosts running samba, 2.2.8a

no ports are in promiscuous mode, that i can see (i.e. ifconfig
could have been hacked).

clues?

randy
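One way to triage what the post describes from a packet capture, as an added example that is not part of the original message: a small Python script that parses the old-style tcpdump lines shown above, keeps only pure SYNs leaving an RFC 1918 host for a non-private destination, and groups them by (source host, destination port). A group that hits two or more destinations with strictly increasing source ports is the footprint of one local process calling connect() in a loop, which is what the sequence-number table suggests. The sample lines are constructed for this example, modelled on the dump in the post (same addresses, made-up timestamps and sequence numbers); the regex and the thresholds are assumptions, not anything the poster ran.

```python
import ipaddress
import re
from collections import defaultdict

# Old tcpdump line layout, as quoted in the post:
#   "HH:MM:SS.usec SRC.PORT > DST.PORT: FLAGS rest..."
# A SYN-ACK also has flags "S" but carries " ack N " in the rest of the line.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) (?P<rest>.*)$"
)

def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    # Pure SYN: flag S with no ack field (a SYN-ACK would have "ack N").
    d["syn"] = d["flags"] == "S" and " ack " not in " " + d["rest"] + " "
    return d

def outbound_syns(lines):
    """Yield parsed pure SYNs from a private (RFC 1918) source to a non-private destination."""
    for line in lines:
        p = parse_line(line)
        if p is None or not p["syn"]:
            continue
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if src.is_private and not dst.is_private:
            yield p

def find_sweeps(lines, min_hits=3):
    """Group outbound SYNs by (src host, dst port) and flag groups that reach
    at least two destinations min_hits or more times. 'sequential_sports' is
    True when the ephemeral source ports strictly increase, i.e. one process
    is walking through connect() calls rather than many unrelated clients."""
    groups = defaultdict(list)
    for p in outbound_syns(lines):
        groups[(p["src"], p["dport"])].append(p)
    report = {}
    for key, pkts in groups.items():
        targets = sorted({p["dst"] for p in pkts})
        sports = [p["sport"] for p in pkts]
        if len(pkts) >= min_hits and len(targets) >= 2:
            report[key] = {
                "count": len(pkts),
                "targets": targets,
                "sequential_sports": all(a < b for a, b in zip(sports, sports[1:])),
            }
    return report

# Constructed sample capture (not the poster's dump): six SYNs matching the
# source-port pairs in the table, one SYN-ACK reply, one bare ACK, and one
# LAN-internal SYN that the private-to-public filter must ignore.
SAMPLE = """\
21:30:00.000001 192.168.0.2.1121 > 216.52.3.2.2703: S 1000:1000(0) win 57344 <mss 1460> (DF)
21:30:00.100001 216.52.3.2.2703 > 192.168.0.2.1121: S 2000:2000(0) ack 1001 win 5792 <mss 1460> (DF)
21:30:00.100050 192.168.0.2.1121 > 216.52.3.2.2703: . ack 1 win 57920 <nop,nop,timestamp 1 2> (DF)
21:30:00.200001 192.168.0.2.1122 > 216.52.3.4.2703: S 1001:1001(0) win 57344 <mss 1460> (DF)
21:30:05.000001 192.168.0.2.1123 > 192.168.0.1.22: S 1002:1002(0) win 57344 <mss 1460> (DF)
21:31:10.000001 192.168.0.2.1124 > 216.52.3.2.2703: S 1003:1003(0) win 57344 <mss 1460> (DF)
21:31:10.200001 192.168.0.2.1125 > 216.52.3.4.2703: S 1004:1004(0) win 57344 <mss 1460> (DF)
21:32:20.000001 192.168.0.2.1129 > 216.52.3.2.2703: S 1005:1005(0) win 57344 <mss 1460> (DF)
21:32:20.200001 192.168.0.2.1130 > 216.52.3.4.2703: S 1006:1006(0) win 57344 <mss 1460> (DF)
"""

if __name__ == "__main__":
    for (src, dport), info in find_sweeps(SAMPLE.splitlines()).items():
        print(f"{src} -> port {dport}: {info['count']} SYNs to {info['targets']}, "
              f"sequential source ports: {info['sequential_sports']}")
```

Run it against a real capture with `python3 sweep.py < dump.txt` after swapping `SAMPLE` for `sys.stdin`; the next step on the box itself is to map the flagged source port to a process while a connection is open (on FreeBSD, `sockstat` lists which process holds which socket), which answers the "which of my daemons is doing this" question more directly than looking for promiscuous interfaces.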