Re: question on SYN_SENT
On May 11, 2012, at 6:06 PM, Robert Bonomi wrote:

> 'Should not' does not mean 'is not'. and unfortunately, it -is- attempting
> to "go out".
>
> There are at least a couple of possible explanations, none of them "good".
> 1) the jail is attempting a DoS (or participating in DDoS) against an
> Israeli _government_ network/machine.
> 2) the jail is 'owned' by a botnet, and is trying to 'phone home' for
> instructions.

Sorry for the delay in response. Did not mean to ignore this. Was busy figuring out and correcting this (and then the other normal day to day stuff that comes up).

Yes, it looks like a customer's JBOSS installation had been hacked. It was running in its own jail with RO mounting of /usr (except /usr/local) and /bin /sbin and other system directories. It was basically scanning for more open JBOSS stuff. The attack had just barely happened (the server had just been installed). I disabled the JBOSS and cleaned everything up and scanned the jail for problem files etc. Customer fixed the JBOSS vulnerability (well known one) and decided to leave it off for now.

Thanks for all the help on this

Chad
-- 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: question on SYN_SENT
> From owner-freebsd-questi...@freebsd.org Fri May 11 17:19:29 2012
> From: "Chad Leigh Shire.Net LLC"
> Date: Fri, 11 May 2012 16:15:48 -0600
> To: Chuck Swiger
> Cc: FreeBSD Mailing List
> Subject: Re: question on SYN_SENT
>
>
> On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:
>
> > On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> >> it is my understanding that SYN_SENT is when MY SIDE sends out a request
> >> and is awaiting a reply?
> >
> > That's right.
> >
> >> One of the jails we run for a customer had hundreds (if not thousands) of
> >> attempts to connect from the 147. address you see below.

Correction. As Chuck pointed out it is your box attempting to connect *TO* that address.

> >> It was exhausting resources so that new tcp connections could not be made
> >> until some closed.
> >
> > You have/had your jail opening connections to the webserver at IP
> > 147.237.76.155, not that IP trying to connect to you.
> >
> >> I added that address to a "pf" block statement to stop it but now we get
> >> rolling connections in a "netstat -a" as shown below (host. being a
> >> generic name used in place of actual host on our side). I am wondering
> >> if this shows something on our side trying to connect out? That is what
> >> it appears to me to be, which does not make sense.
> >>
> >>
> >> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
> >> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
> >
> > Yes, your side is trying to connect out.
> > Unless you know better, it seems reasonable to gather that it's doing a
> > DoS attack against:
>
> Hi Chuck!
>
> Thanks. I am investigating as this side should not be going out at all,
> but the SYN_SENT made me think it was.
>

'Should not' does not mean 'is not'. and unfortunately, it -is- attempting to "go out".

There are at least a couple of possible explanations, none of them "good".
1) the jail is attempting a DoS (or participating in DDoS) against an Israeli _government_ network/machine.
2) the jail is 'owned' by a botnet, and is trying to 'phone home' for instructions.

The webserver on the IP address listed has -extremely- 'suspicious' content, to wit;

<html>
<body>
<script>
document.cookie='fff=ee0333b9fff_ee0333b9; path=/';
window.location.href=window.location.href;
</script>
</body>
</html>
Re: question on SYN_SENT
On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
> it is my understanding that SYN_SENT is when MY SIDE sends out a request and
> is awaiting a reply?

That's right.

> One of the jails we run for a customer had hundreds (if not thousands) of
> attempts to connect from the 147. address you see below. It was exhausting
> resources so that new tcp connections could not be made until some closed.

You have/had your jail opening connections to the webserver at IP 147.237.76.155, not that IP trying to connect to you.

> I added that address to a "pf" block statement to stop it but now we get
> rolling connections in a "netstat -a" as shown below (host. being a generic
> name used in place of actual host on our side). I am wondering if this
> shows something on our side trying to connect out? That is what it appears
> to me to be, which does not make sense.
>
>
> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT

Yes, your side is trying to connect out.
Unless you know better, it seems reasonable to gather that it's doing a DoS attack against:

% whois 147.237.76.155
[ ... ]
inetnum:        147.237.0.0 - 147.237.255.255
netname:        IL-GOVT-NET
descr:          Israeli Government Network
country:        IL
admin-c:        AT979-RIPE
tech-c:         TT441-RIPE
status:         ASSIGNED PI
mnt-by:         GOV-IL-DNS
mnt-lower:      GOV-IL-DNS
mnt-routes:     AS8867-MNT { ANY }
mnt-routes:     AS9116-MNT { 147.237.232.0/24^24-24 }
source:         RIPE # Filtered

person:         Admin Tehila
address:        Israel Ministry Of Finance
address:        1 Netanel Lorech st
address:        Jerusalem Israel
phone:          +972 2 6664666
fax-no:         +972 2 6664650
remarks:        For ABUSE and security issues please contact
remarks:        email: ab...@tehila.gov.il
remarks:        or contact CERT.gov.il at rep...@cert.gov.il
nic-hdl:        AT979-RIPE
source:         RIPE # Filtered

Regards,
-- 
-Chuck
Re: question on SYN_SENT
On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:

> On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
>> it is my understanding that SYN_SENT is when MY SIDE sends out a request and
>> is awaiting a reply?
>
> That's right.
>
>> One of the jails we run for a customer had hundreds (if not thousands) of
>> attempts to connect from the 147. address you see below. It was exhausting
>> resources so that new tcp connections could not be made until some closed.
>
> You have/had your jail opening connections to the webserver at IP
> 147.237.76.155, not that IP trying to connect to you.
>
>> I added that address to a "pf" block statement to stop it but now we get
>> rolling connections in a "netstat -a" as shown below (host. being a generic
>> name used in place of actual host on our side). I am wondering if this
>> shows something on our side trying to connect out? That is what it appears
>> to me to be, which does not make sense.
>>
>>
>> tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
>> tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
>
> Yes, your side is trying to connect out.
> Unless you know better, it seems reasonable to gather that it's doing a DoS
> attack against:

Hi Chuck!

Thanks. I am investigating as this side should not be going out at all, but the SYN_SENT made me think it was.

Thanks
Chad

>
> % whois 147.237.76.155
> [ ... ]
> inetnum:        147.237.0.0 - 147.237.255.255
> netname:        IL-GOVT-NET
> descr:          Israeli Government Network
> country:        IL
> admin-c:        AT979-RIPE
> tech-c:         TT441-RIPE
> status:         ASSIGNED PI
> mnt-by:         GOV-IL-DNS
> mnt-lower:      GOV-IL-DNS
> mnt-routes:     AS8867-MNT { ANY }
> mnt-routes:     AS9116-MNT { 147.237.232.0/24^24-24 }
> source:         RIPE # Filtered
>
> person:         Admin Tehila
> address:        Israel Ministry Of Finance
> address:        1 Netanel Lorech st
> address:        Jerusalem Israel
> phone:          +972 2 6664666
> fax-no:         +972 2 6664650
> remarks:        For ABUSE and security issues please contact
> remarks:        email: ab...@tehila.gov.il
> remarks:        or contact CERT.gov.il at rep...@cert.gov.il
> nic-hdl:        AT979-RIPE
> source:         RIPE # Filtered
>
> Regards,
> -- 
> -Chuck
>
question on SYN_SENT
it is my understanding that SYN_SENT is when MY SIDE sends out a request and is awaiting a reply?

One of the jails we run for a customer had hundreds (if not thousands) of attempts to connect from the 147. address you see below. It was exhausting resources so that new tcp connections could not be made until some closed. I added that address to a "pf" block statement to stop it but now we get rolling connections in a "netstat -a" as shown below (host. being a generic name used in place of actual host on our side). I am wondering if this shows something on our side trying to connect out? That is what it appears to me to be, which does not make sense.

tcp4 0 0 host.52562 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52561 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52560 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52559 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52558 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52557 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52556 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52555 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52554 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52553 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52552 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52551 147.237.76.155.http SYN_SENT
tcp4 0 0 host.52550 147.237.76.155.http SYN_SENT

thanks
Chad
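The point the thread turns on is that a SYN_SENT row means our side sent the SYN, so the rows above show the jail initiating connections rather than receiving them. As an added example (not code from anyone in this thread), the following Python script parses FreeBSD `netstat -a` TCP rows like those above and counts SYN_SENT entries per foreign endpoint, so a host or jail that keeps dialling out stands out even when the pasted output has the state fused onto the address; the sample rows, the 203.0.113.7 session and the threshold are constructed.

```python
# Parse FreeBSD `netstat -a` TCP rows and flag foreign endpoints this host keeps
# trying to reach. SYN_SENT means the local side sent the SYN and is waiting for
# SYN/ACK, so many SYN_SENT rows toward one address show *this* host (or a jail
# on it) as the initiator, not the target of an inbound flood.
import re
from collections import Counter

TCP_STATES = ("CLOSED|LISTEN|SYN_SENT|SYN_RCVD|ESTABLISHED|CLOSE_WAIT|"
              "FIN_WAIT_1|CLOSING|LAST_ACK|FIN_WAIT_2|TIME_WAIT")
# Columns: proto recv-q send-q local foreign state. The state may be fused onto
# the foreign address when output is pasted without its column whitespace.
LINE_RE = re.compile(
    rf"^(tcp4|tcp6)\s+(\d+)\s+(\d+)\s+(\S+?)\s+(\S+?)\s*({TCP_STATES})$")

def split_endpoint(ep):
    """'147.237.76.155.http' -> ('147.237.76.155', 'http'): the last dot splits."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse_netstat(text):
    """Return the TCP rows of netstat -a output as dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, _rq, _sq, local, foreign, state = m.groups()
            rows.append({"proto": proto, "local": split_endpoint(local),
                         "foreign": split_endpoint(foreign), "state": state})
    return rows

def outbound_syn_sent(rows, threshold=3):
    """Foreign (host, port) pairs with at least `threshold` locally initiated
    SYN_SENT rows. A pf rule blocking inbound traffic from them cannot stop these."""
    counts = Counter(r["foreign"] for r in rows if r["state"] == "SYN_SENT")
    return {ep: n for ep, n in counts.items() if n >= threshold}

# Constructed sample with the thread's addresses: four SYN_SENT rows (one fused
# as in the pasted mail), an unrelated established session and a listener.
SAMPLE = """\
tcp4       0      0 host.52562             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52561             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52560             147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52559             147.237.76.155.httpSYN_SENT
tcp4       0      0 host.ssh               203.0.113.7.50122      ESTABLISHED
tcp4       0      0 *.http                 *.*                    LISTEN
"""

if __name__ == "__main__":
    for (fhost, fport), n in outbound_syn_sent(parse_netstat(SAMPLE)).items():
        print(f"{n} outbound SYN_SENT to {fhost}:{fport}: our side is the initiator")
```

Run it against `netstat -a` output from the jail host to see which foreign endpoints the local side is repeatedly trying to reach; the fix then lies in the jail's processes, not in a pf rule against the remote address.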