Hey Kids! Let's have some fun with kernel firewall logs, shall we? Take November for example:

    egrep -o "SPT=[0-9]{1,5}" 00.01.03-12.01.2013-messages | sort -n | uniq -c | sort -rn | head -n 20

        898 SPT=6000
        273 SPT=80
        215 SPT=443
         81 SPT=39401
         59 SPT=53
         48 SPT=16387
         44 SPT=3074
         41 SPT=21032
         39 SPT=45682
         36 SPT=5070
         36 SPT=43295
         36 SPT=36490
         30 SPT=4935
         27 SPT=33715
         26 SPT=7778
         25 SPT=5371
         23 SPT=12212
         21 SPT=8877
         20 SPT=8458
         20 SPT=5971

Now we can throw out 80 and 443, since those are most likely RST packets coming back from web sites (replies to connections this host itself opened, arriving after the connection was already torn down). So what's the deal with 6000? That, my friends, is China's scanning tool! How do we know? Because we look at the DPT :)

    egrep "SPT=6000" 00.01.03-12.01.2013-messages | egrep -o "DPT=[0-9]{1,5}" | sort -n | uniq -c | sort -rn | head -n 20

        309 DPT=1433
        285 DPT=22
        118 DPT=3306
         87 DPT=3389
         27 DPT=8080
         13 DPT=80
         12 DPT=4899
          5 DPT=135
          4 DPT=8009
          4 DPT=1998
          3 DPT=65500
          3 DPT=5900
          3 DPT=1521
          2 DPT=8081
          2 DPT=2967
          2 DPT=1000
          1 DPT=8888
          1 DPT=888
          1 DPT=8088
          1 DPT=7777

Gee... MSSQL, SSH, MySQL, RDP... yeah, these are all perfectly legit 8-|. So let's just look at the top few source IPs:

    egrep "SPT=6000" 00.01.03-12.01.2013-messages | egrep -o "SRC=.*DST" | sed -e 's/SRC=//' -e 's/ DST//' | sort -n | uniq -c | sort -rn | head -n 20

         30 61.147.103.144
         17 222.189.239.10
         17 182.118.38.243
         15 222.175.114.134
         15 117.34.78.197
         14 61.147.113.93
         12 61.147.116.8
         11 61.147.113.77
         11 59.53.67.154
         11 124.232.147.202

Well, what do you know... every single swinging one of them is from China :)

Solutions? Block source port 6000 at the perimeter? Maybe... or maybe just monitor for a month first and see how much legitimate traffic comes through with that source port. Keep in mind that the port number itself is not the interesting part: what gives the scanner away is one source using the same fixed source port to knock on many different service ports, so a plain source-port filter only works until the tool changes its port. That's all for now... enjoy.
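Here is an added example (my own script, not the poster's commands) that turns the egrep/sort/uniq pipelines above into reusable shell functions and adds the actual scanner check: a source that uses one fixed source port against many different destination ports. The function names (sample_log, top_field, with_spt, scanner_sources) are hypothetical, and the log lines are constructed in iptables LOG format using RFC 5737 documentation addresses, not taken from the post.

```shell
#!/bin/sh
# Added example, not the original poster's code. Generalizes the
# "egrep -o FIELD= | sort | uniq -c | sort -rn" pipelines and adds the
# fixed-source-port scanner fingerprint. Function names are hypothetical;
# the sample log lines are constructed (RFC 5737 addresses), not real data.

# Constructed iptables LOG lines in kernel "messages" format.
sample_log() {
    cat <<'EOF'
Nov  3 01:12:44 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 01:12:45 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 01:12:46 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 01:12:47 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 02:30:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 03:05:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 03:05:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=101 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 04:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov  3 04:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51300 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov  3 05:15:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# Count the values of one KEY=value field (SPT, DPT, SRC, ...) on stdin and
# print the top N as "count value", most frequent first, ties broken by value.
top_field() {
    key="$1"
    n="${2:-20}"
    awk -v k="$key" '
        {
            for (i = 1; i <= NF; i++)
                if (index($i, k "=") == 1) { c[substr($i, length(k) + 2)]++; break }
        }
        END { for (v in c) print c[v], v }
    ' | sort -k1,1nr -k2,2 | head -n "$n"
}

# Keep only the log lines whose source port is PORT.
with_spt() {
    grep " SPT=$1 "
}

# Scanner fingerprint: among lines with source port PORT, print each SRC that
# hit at least MIN distinct destination ports, as "distinct_dpts src".
# A repeated (src, dpt) pair is counted once, so retries do not inflate it.
scanner_sources() {
    port="$1"
    min="${2:-3}"
    awk -v p="$port" -v min="$min" '
        index($0, " SPT=" p " ") {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                else if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

# Against a real file: scanner_sources 6000 3 < /var/log/messages
# Stand-alone demo on the constructed sample:
sample_log | top_field SPT 3
sample_log | with_spt 6000 | top_field DPT 5
sample_log | scanner_sources 6000 3
```

On the sample, scanner_sources 6000 3 reports only 198.51.100.7 (four distinct service ports), while the host that probed SSH once and the web servers sending late RSTs with SPT=80/443 stay quiet, which is the separation the source-port-only count cannot give you.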
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/