'lo ..
Let me first explain my network situation.
I have a Digital Alpha "Multia" which I use as a router/firewall;
it has a cable modem attached to eth0 and a PCMCIA card on eth1 (for the
internal net). On the Multia I have ipfwadm running, with masquerading.
My cable company normally blocks all ports < 1024 to prevent customers from
running any servers. But I often open my ports above 1024 just to give some
friends access to some local files. But I always close them, and keep the
normal ports (<1024) running because no one has access to them anyway.
When I woke up this morning and did my usual checks, I saw an anonymous FTP
logon coming from somewhere inside the cable provider's network. Because
this isn't supposed to happen (I close all ports >1024, remember), I immediately
did an "ifdown eth0" - just because I'm a security freak - and took a close
look into the situation.
I first checked whether I had forgotten to close FTP on port 21000, but I
hadn't (Unable to connect to remote host: Connection refused).
Then I checked my firewall logs and did a sweep on the IP. Now here's the
strange thing:
I saw a whole bunch of these:
Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139 195.130.153.246:1121 L=48 S=0x00 I=6157 F=0x0040 T=125
Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139 195.130.153.246:1121 L=48 S=0x00 I=7181 F=0x0040 T=125
Every 4 packets the source port moved up by one, but the destination port
changed from 1121 to 2121 and then back to 1121, and then, after 15 minutes
of sending me these TCP packets:
Feb 11 01:06:50 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1231 195.130.153.246:21 L=48 S=0x00 I=45604 F=0x0040 T=125
Feb 11 00:06:57 multia ftpd[9433]: ANONYMOUS FTP LOGIN FROM duisburg-144-188.kabel.pandora.be [195.130.144.188], [EMAIL PROTECTED]
Feb 11 01:40:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1331 195.130.153.246:21 L=48 S=0x00 I=50293 F=0x0040 T=125
Feb 11 00:40:16 multia ftpd[9446]: ANONYMOUS FTP LOGIN FROM duisburg-144-188.kabel.pandora.be [195.130.144.188], [EMAIL PROTECTED]
He was able to log on to port 21 (blocked by the cable provider)!
Could anyone please give me an explanation for this, and could someone tell
me what (legal) action I can take against him/her? (I know I had anonymous
FTP on .. but port 21 should have been blocked.)
Oh yeah, don't look at the timestamps in these logs; somehow I don't seem
to manage to get them synchronised :)
Kind Regards,
and sorry for the big mail,
Dimitri Avgoustakis,
now trying to ifup eth0 again :)
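As an added example (not part of Dimitri's mail and not ipfwadm's own tooling), here is a small Python script that does what the post describes by hand: it re-joins the `IP fw-in` kernel log lines that the mailer folded, parses the TCP/UDP fields, lists inbound packets on the external interface to ports below 1024 (the ones the provider's filter is supposed to drop), and summarises per source address which destination ports were touched and whether the source port walked upward. The sample log is constructed in the post's format: the 1121/21 lines mirror the ones quoted above, the 2121 line and the e-mail address in the ftpd line are made up for the example, and the regular expression is an assumption about the ipfwadm log layout based only on the lines in the post.

```python
import re
from collections import defaultdict

MONTHS = "(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"

# Layout of the ipfwadm "IP fw-in" kernel lines as quoted in the post (TCP/UDP only).
# This pattern is an assumption derived from those lines, not an official grammar.
LOG_RE = re.compile(
    rf"^(?P<ts>{MONTHS}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"IP\s+fw-(?P<chain>in|out|fwd)\s+(?P<action>\w+)\s+(?P<iface>\S+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<len>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+"
    r"I=(?P<ipid>\d+)\s+F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
)

# Constructed sample in the post's (folded) format; the third kernel line and the
# address in the ftpd line are invented for this example.
SAMPLE_LOG = """\
Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139
195.130.153.246:1121 L=48 S=0x00 I=6
157 F=0x0040 T=125
Feb 11 00:49:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1139
195.130.153.246:1121 L=48 S=0x00 I=7
181 F=0x0040 T=125
Feb 11 00:49:15 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1140
195.130.153.246:2121 L=48 S=0x00 I=7
200 F=0x0040 T=125
Feb 11 01:06:50 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1231
195.130.153.246:21 L=48 S=0x00 I=456
04 F=0x0040 T=125
Feb 11 01:40:14 multia kernel: IP fw-in acc eth0 TCP 195.130.144.188:1331
195.130.153.246:21 L=48 S=0x00 I=502
93 F=0x0040 T=125
Feb 11 00:06:57 multia ftpd[9433]: ANONYMOUS FTP LOGIN FROM
duisburg-144-188.kabel.pandora.be [195.130.144.188
], anonymous@example.invalid
"""


def join_wrapped(text):
    """Re-join log lines folded by a mail client: a physical line that does not
    start with a syslog timestamp continues the previous one."""
    start = re.compile(rf"^{MONTHS}\s+\d+\s+\d\d:\d\d:\d\d\s")
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if start.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    # The mailer split the IP-ID field mid-number ("I=6" / "157"); glue it back.
    return [re.sub(r"\bI=(\d+) (\d+)\b", r"I=\1\2", l) for l in out]


def parse_ipfw_line(line):
    """Return a dict of fields for a kernel fw-in/out/fwd line, or None for others."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec


def privileged_port_hits(records, external_iface="eth0"):
    """Inbound packets on the external interface to ports < 1024: these are the
    ones the provider is expected to filter, so any hit deserves a closer look."""
    return [r for r in records
            if r["chain"] == "in" and r["iface"] == external_iface and r["dport"] < 1024]


def per_source_summary(records):
    """Per source IP: packet count, distinct destination ports, and whether the
    source port only ever moved upward (the pattern the post describes)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        sports = [r["sport"] for r in recs]
        summary[src] = {
            "packets": len(recs),
            "dports": sorted({r["dport"] for r in recs}),
            "sport_increasing": all(a <= b for a, b in zip(sports, sports[1:])),
        }
    return summary


def analyze(text):
    """Unfold, parse and summarise a block of folded ipfwadm log text."""
    records = [r for r in (parse_ipfw_line(l) for l in join_wrapped(text)) if r]
    return {
        "records": records,
        "privileged_hits": privileged_port_hits(records),
        "sources": per_source_summary(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["privileged_hits"]:
        print(f"{r['ts']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"({r['proto']} inbound on {r['iface']}, privileged port)")
    for src, s in result["sources"].items():
        print(src, s)
```

The `acc` in these lines means the router itself accepted the packets, so the only thing standing between the outside and port 21 was the provider's filter. The practical follow-up, independent of how that filter was bypassed, is to have the router reject inbound connections to privileged ports on eth0 in its own rules and log them, so that the first sign of a hit is a dropped packet rather than a successful anonymous login.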
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]