Re: [leaf-user] What's this guy trying?

2002-10-15 Thread Dr. Richard W. Tibbs

Take a look at www.sans.org
There is a blurb about ms sql servers that might be relevant.

 RWT

Dale Mirenda wrote:

 on 10/14/02 3:09 PM, [EMAIL PROTECTED] at
 [EMAIL PROTECTED] wrote:
 
 
port 1433.. isn't that Citrix or more specifically the ICA
protocol.  Or was it VNC...

joey

 
 Not Citrix: that's 1494...
 
 Dale Mirenda
 
 

On Mon, 14 Oct 2002 23:29:42 +0200
Jon Clausen [EMAIL PROTECTED] wrote:

Logged into a remote Dachstein box to check up on
something else, and I
see huge amounts of denied packets in
/var/log/messages...

Connection attempts from f.x:

10.131.224.1:3 - 62.243.222.62:1
^^unknown^^  ^^my remote^^

I see a bunch of these from different IPs (that is, from
port 3 to port
1)... dunno what to make of that, but then there's this
guy:

# grep 65.82.107.120 $_ | nl
1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)

continues in 'bursts' to:
...

164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)

is this some kind of DoS? Am I under attack, or is it
just some
misconfigured box?

I nmapped the IP, and the only thing that came up was:
Port       State   Service
1433/tcp   open    ms-sql-s

-so I'm guessing it's a zombie windows host... (?)

TIA

Jon Clausen


---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html






Re: [leaf-user] What's this guy trying?

2002-10-15 Thread Jon Clausen

On Mon, Oct 14, 2002 at 11:15:11PM -0700, Ray Olszewski wrote:
 O.K. full log entry:
 Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)
 
 OK. It's what I guessed above ... an icmp host unreachable message. 
 There's probably a secret decoder ring for this stuff online somewhere, but 
 I use a book.

Wow! A *book*... cool ;)

 Here's the pieces:
 
 PROTO=1          protocol 1 is icmp
 10.131.224.1:3   10.131.224.1 is the source IP, of course; the port is the
                  icmp message type, 3=Destination unreachable
 62.243.222.62:1  62.243.222.62 is the destination IP, as usual; the port is
                  the icmp message code, 1=host unreachable

Right. Gotta look up an icmp code 'translation' guide... any good links
anyone?
 
 Without seeing the content of the packet (which does not get logged), we 
 have no way to know what host this is about. If there is some IP address 
 (or block of them) you are having trouble reaching, this may be why.

No trouble connecting, not to my knowledge anyway. I'm not on that lan,
and really only have anything to do with the server and the dach box...

 Or, 
 since the source address is a private address, it may be that someone has 
 his internal network misconfigured in a somewhat bizarre fashion, and you 
 are getting icmp packets that are replying to someone else's connection 
 attempts. Or (let's be paranoid for a moment) someone else is spoofing your 
 external IP address as the source of some packets, and you are getting the 
 replies.
 
Hmmm... grep PROTO=1 messages gives a sh*tload of lines. Every one is
input DENY eth0, that is, coming from the outside.
 
I know (from the httpd-logs on the server) that the 'neighborhood'
62.243.222 is positively swamped with infected windows servers.
 
 Are the various some-ip entries all private addresses like subnet 10, 
 or are some of them from real (public) IP addresses? If the second, what 
 are some of the sources?
 
I've put a sorted/uniq'ed list of yesterday's and today's instances at
the bottom, but yeah they all look pretty private, with the exception of
the 65.82.107.120 (and maybe some of the 172...s ?)
 
 The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
 behind it. None of the IPs logged show in the server's logs.

Perhaps a little more info should go here:
lan: 192.168.0.0/24
dmz:  10.0.1.0/24

AFAIK nobody on the lan runs anything other than 'regular' (couple
linux, mostly w$) hosts. The server in the dmz is SuSE 7.3

  Probably none of the above. PROTO=1 means icmp, and port 5 (it's really a
  message type, not a port, when icmp is involved) means it is an icmp
  redirect packet. The packet should be telling you that this host is not the
  preferred route to some destination. Whether this means a problem with
  your routing table or someone else's is unknowable from the information you
  have provided.
 
 I don't think there's a problem with my box's routing table, meaning
 that the clients on the lan have no problems connecting to the net or
 the dmz/server. Also there are no problems connecting to the server from
 'outside'... It's been running with the current config for months.
 
 I'm not sure, but I think that if your end ignores the redirects, the other 
 end will still route for you ... they are a suggestion, not an order. So 
 you can, probably, safely disregard these messages.

Hmmm... The only one that knows anything (about computers anyway) on the
lan, is on vacation ATM. I should prolly ask him whether everything's
o.k. when he gets back...

Thanks for the info/effort.

Jon Clausen


Today's harvest:






Re: [leaf-user] What's this guy trying?

2002-10-15 Thread Patrick Benson

Jon Clausen wrote:

...

 Right. Gotta look up an icmp code 'translation' guide... any good links
 anyone?

http://www.robertgraham.com/pubs/firewall-seen.html#2


Cheers,
-- 
Patrick Benson
Stockholm, Sweden





Re: [leaf-user] What's this guy trying?

2002-10-14 Thread jofficer

port 1433.. isn't that Citrix or more specifically the ICA
protocol.  Or was it VNC... 

joey


On Mon, 14 Oct 2002 23:29:42 +0200
 Jon Clausen [EMAIL PROTECTED] wrote:
 Logged into a remote Dachstein box to check up on
 something else, and I
 see huge amounts of denied packets in
 /var/log/messages...
 
 Connection attempts from f.x:
 
 10.131.224.1:3 - 62.243.222.62:1
 ^^unknown^^ ^^my remote^^
 
 I see a bunch of these from different IPs (that is, from
 port 3 to port
 1)... dunno what to make of that, but then there's this
 guy:
 
 # grep 65.82.107.120 $_ | nl
 1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)
 
 continues in 'bursts' to:
 ...
 
 164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)
 
 is this some kind of DoS? Am I under attack, or is it
 just some
 misconfigured box?
 
 I nmapped the IP, and the only thing that came up was:
 Port       State   Service
 1433/tcp   open    ms-sql-s
 
 -so I'm guessing it's a zombie windows host... (?)
 
 TIA
 
 Jon Clausen
 
 



Re: [leaf-user] What's this guy trying?

2002-10-14 Thread Ray Olszewski

See below.

At 11:29 PM 10/14/02 +0200, Jon Clausen wrote:
Logged into a remote Dachstein box to check up on something else, and I
see huge amounts of denied packets in /var/log/messages...

Connection attempts from f.x:

10.131.224.1:3 - 62.243.222.62:1
^^unknown^^   ^^my remote^^

I see a bunch of these from different IPs (that is, from port 3 to port
1)... dunno what to make of that,

Me either. Please provide the full line for the blocked packet (as you did 
with the second example,  below), not an uninterpretable fragment. This 
*could* just be icmp type 3, message 1 (host unreachable). Or it could be 
something else, since you don't tell us (for example) what the PROTO= value 
is..

but then there's this guy:

# grep 65.82.107.120 $_ | nl
  1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)

continues in 'bursts' to:
...

164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)

is this some kind of DoS? Am I under attack, or is it just some
misconfigured box?

Probably none of the above. PROTO=1 means icmp, and port 5 (it's really a 
message type, not a port, when icmp is involved) means it is an icmp 
redirect packet. The packet should be telling you that this host is not the 
preferred  route to some destination. Whether this means a problem with 
your routing table or someone else's is unknowable from the information you 
have provided.

I nmapped the IP, and the only thing that came up was:
Port       State   Service
1433/tcp   open    ms-sql-s

-so I'm guessing it's a zombie windows host... (?)



--
---Never tell me the odds!
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]
---






Re: [leaf-user] What's this guy trying?

2002-10-14 Thread Dale Mirenda

on 10/14/02 3:09 PM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

 port 1433.. isn't that Citrix or more specifically the ICA
 protocol.  Or was it VNC...
 
 joey

Not Citrix: that's 1494...

Dale Mirenda

 
 
 On Mon, 14 Oct 2002 23:29:42 +0200
 Jon Clausen [EMAIL PROTECTED] wrote:
 Logged into a remote Dachstein box to check up on
 something else, and I
 see huge amounts of denied packets in
 /var/log/messages...
 
 Connection attempts from f.x:
 
 10.131.224.1:3 - 62.243.222.62:1
 ^^unknown^^  ^^my remote^^
 
 I see a bunch of these from different IPs (that is, from
 port 3 to port
 1)... dunno what to make of that, but then there's this
 guy:
 
 # grep 65.82.107.120 $_ | nl
 1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)
 
 continues in 'bursts' to:
 ...
 
 164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)
 
 is this some kind of DoS? Am I under attack, or is it
 just some
 misconfigured box?
 
 I nmapped the IP, and the only thing that came up was:
 Port       State   Service
 1433/tcp   open    ms-sql-s
 
 -so I'm guessing it's a zombie windows host... (?)
 
 TIA
 
 Jon Clausen
 
 



RE: [leaf-user] What's this guy trying?

2002-10-14 Thread Tony

Microsoft SQL server listens on that port (1433)...there's a worm going
around that is looking for unprotected SQL server hosts.  Hopefully this
doesn't wrap:

http://securityresponse.symantec.com/avcenter/venc/data/digispid.b.worm.html

Hope that helps

Tony



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 14, 2002 6:09 PM
To: Jon Clausen; [EMAIL PROTECTED]
Subject: Re: [leaf-user] What's this guy trying?


port 1433.. isn't that Citrix or more specifically the ICA
protocol.  Or was it VNC...

joey


On Mon, 14 Oct 2002 23:29:42 +0200
 Jon Clausen [EMAIL PROTECTED] wrote:
 Logged into a remote Dachstein box to check up on
 something else, and I
 see huge amounts of denied packets in
 /var/log/messages...

 Connection attempts from f.x:

 10.131.224.1:3 - 62.243.222.62:1
 ^^unknown^^ ^^my remote^^

 I see a bunch of these from different IPs (that is, from
 port 3 to port
 1)... dunno what to make of that, but then there's this
 guy:

 # grep 65.82.107.120 $_ | nl
 1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)

 continues in 'bursts' to:
 ...

 164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)

 is this some kind of DoS? Am I under attack, or is it
 just some
 misconfigured box?

 I nmapped the IP, and the only thing that came up was:
 Port       State   Service
 1433/tcp   open    ms-sql-s

 -so I'm guessing it's a zombie windows host... (?)

 TIA

 Jon Clausen






Re: [leaf-user] What's this guy trying?

2002-10-14 Thread Jon Clausen

On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:

 1)... dunno what to make of that,
 
 Me either. Please provide the full line for the blocked packet (as you did 
 with the second example,  below), not an uninterpretable fragment. This 
 *could* just be icmp type 3, message 1 (host unreachable). Or it could be 
 something else, since you don't tell us (for example) what the PROTO= value 
 is..

O.K. full log entry:
Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)

As I said, there are a bunch of this kind of entries, all 
PROTO=1 some-ip:3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
varying)

It starts at 11:36:39 continues through the day to 21:11:20

The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
behind it. None of the IPs logged show in the server's logs.

I don't usually see this much activity in the firewall's logs.
 
 but then there's this guy:
 
 is this some kind of DoS? Am I under attack, or is it just some
 misconfigured box?
 
 Probably none of the above. PROTO=1 means icmp, and port 5 (it's really a 
 message type, not a port, when icmp is involved) means it is an icmp 
 redirect packet. The packet should be telling you that this host is not the 
 preferred  route to some destination. Whether this means a problem with 
 your routing table or someone else's is unknowable from the information you 
 have provided.

I don't think there's a problem with my box's routing table, meaning
that the clients on the lan have no problems connecting to the net or
the dmz/server. Also there are no problems connecting to the server from
'outside'... It's been running with the current config for months.

TIA

Jon Clausen





Re: [leaf-user] What's this guy trying?

2002-10-14 Thread Ray Olszewski

At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:

  1)... dunno what to make of that,
 
  Me either. Please provide the full line for the blocked packet (as you did
  with the second example, below), not an uninterpretable fragment. This
  *could* just be icmp type 3, message 1 (host unreachable). Or it could be
  something else, since you don't tell us (for example) what the PROTO= value
  is..

O.K. full log entry:
Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)

OK. It's what I guessed above ... an icmp host unreachable message. 
There's probably a secret decoder ring for this stuff online somewhere, but 
I use a book. Here's the pieces:

 PROTO=1          protocol 1 is icmp
 10.131.224.1:3   10.131.224.1 is the source IP, of course; the port is the
                  icmp message type, 3=Destination unreachable
 62.243.222.62:1  62.243.222.62 is the destination IP, as usual; the port is
                  the icmp message code, 1=host unreachable

Without seeing the content of the packet (which does not get logged), we 
have no way to know what host this is about. If there is some IP address 
(or block of them) you are having trouble reaching, this may be why. Or, 
since the source address is a private address, it may be that someone has 
his internal network misconfigured in a somewhat bizarre fashion, and you 
are getting icmp packets that are replying to someone else's connection 
attempts. Or (let's be paranoid for a moment) someone else is spoofing your 
external IP address as the source of some packets, and you are getting the 
replies.


As I said, there are a bunch of this kind of entries, all
PROTO=1 some-ip:3 62.243.222.62:1 L=56 S=0x00 I varying T varying (#
varying)

It starts at 11:36:39 continues through the day to 21:11:20

Are the various some-ip entries all private addresses like subnet 10, 
or are some of them from real (public) IP addresses? If the second, what 
are some of the sources?


The Dachstein box has a LAN and a DMZ, with a web/mail/dns/ftp server,
behind it. None of the IPs logged show in the server's logs.

I don't usually see this much activity in the firewall's logs.

  but then there's this guy:
  
  is this some kind of DoS? Am I under attack, or is it just some
  misconfigured box?
 
  Probably none of the above. PROTO=1 means icmp, and port 5 (it's really a
  message type, not a port, when icmp is involved) means it is an icmp
  redirect packet. The packet should be telling you that this host is not the
  preferred route to some destination. Whether this means a problem with
  your routing table or someone else's is unknowable from the information you
  have provided.

I don't think there's a problem with my box's routing table, meaning
that the clients on the lan have no problems connecting to the net or
the dmz/server. Also there are no problems connecting to the server from
'outside'... It's been running with the current config for months.

I'm not sure, but I think that if your end ignores the redirects, the other 
end will still route for you ... they are a suggestion, not an order. So 
you can, probably, safely disregard these messages.




--
---Never tell me the odds!
Ray Olszewski   -- Han Solo
Palo Alto, California, USA[EMAIL PROTECTED]
---
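Ray's field-by-field reading of the ipchains line (PROTO=1 is icmp, and the two "port" numbers are then the ICMP type and code) and his question about which sources are RFC 1918 addresses, turned into a small parser that can be run over a /var/log/messages excerpt. This is an added example, not code from the thread or from the LEAF/Dachstein project. The field order in the regex is assumed from the lines quoted above, the type/code names come from RFC 792, and the third sample line (a TCP SYN to port 1433) is constructed to show the non-ICMP branch.

```python
"""Decode ipchains "Packet log:" lines like those quoted in this thread. For PROTO=1
(ICMP) the two "port" fields are the ICMP type and code (RFC 792): x:3 -> y:1 is
destination unreachable / host unreachable, x:5 -> y:0 a network redirect."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
ICMP_CODES = {3: {0: "net unreachable", 1: "host unreachable",
                  3: "port unreachable", 4: "fragmentation needed"},
              5: {0: "for the network", 1: "for the host",
                  2: "for the TOS and network", 3: "for the TOS and host"},
              11: {0: "TTL exceeded in transit", 1: "reassembly time exceeded"}}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed ipchains field order: chain verdict iface PROTO= src:sp dst:dp L= S= I= F= T= [SYN] (#rule)
LINE_RE = re.compile(
    r"Packet log: \S+ \S+ \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=\d+ S=0x[0-9a-fA-F]+ "
    r"I=\d+ F=0x[0-9a-fA-F]* T=\d+(?: SYN)? \(#\d+\)")

# Constructed sample: the two ICMP lines quoted in the thread, plus one assumed
# TCP SYN to port 1433 (not from the page) to exercise the non-ICMP branch.
SAMPLE_LOG = """\
Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x T=243 (#9)
Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)
Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=6 65.82.107.120:4132 62.243.222.62:1433 L=48 S=0x00 I=5900 F=0x4000 T=114 SYN (#3)
"""

@dataclass
class PacketLog:
    proto: int
    src: str
    sport: int  # ICMP type when proto == 1, else the real source port
    dst: str
    dport: int  # ICMP code when proto == 1, else the real destination port

    def src_is_rfc1918(self) -> bool:
        return any(ip_address(self.src) in net for net in RFC1918)

    def describe(self) -> str:
        """Spell out what the two port fields mean for this protocol."""
        if self.proto != 1:
            name = PROTO_NAMES.get(self.proto, f"proto {self.proto}")
            return f"{name} {self.src}:{self.sport} -> {self.dst}:{self.dport}"
        kind = ICMP_TYPES.get(self.sport, f"type {self.sport}")
        code = ICMP_CODES.get(self.sport, {}).get(self.dport, f"code {self.dport}")
        return f"icmp {kind} ({code}) from {self.src} to {self.dst}"

def parse_line(line: str):
    """PacketLog for one ipchains log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return PacketLog(int(m["proto"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def summarize(text: str) -> Counter:
    """Count (source, is_rfc1918, meaning) triples: a triage view of a log excerpt."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p is not None]
    return Counter((p.src, p.src_is_rfc1918(), p.describe()) for p in pkts)
```

Feeding `grep 'Packet log' /var/log/messages` through `summarize` collapses the bursts Jon saw into one counted line per source and meaning, with the RFC 1918 flag separating the "some-ip" entries from real public sources.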


