Lil'bit confused about incoming scan
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Perhaps this is paranoid, but how should one react to incoming scans? My ipfw.log often gets lines like ..ipfw: Stealth Mode connection attempt to TCP.. etc, so there is nothing new here. However, I recently got some lines like this in my log:
Code:
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49281 from 205.175.208.33:80
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49282 from 205.175.208.33:80
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49283 from 205.175.208.33:80
The 205.175.208.33 IP led me to a domain called conexant.com, which I had just visited around the time of this scan. How should I interpret this? Is this a hosed web server, and would it be wise to inform the hostmaster about this?
I wish there was a database or something to turn to to help newbies quickly interpret ipfw.logs.
Thanks in advance.
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Originally Posted by sniffer
Perhaps this is paranoid, but how should one react to incoming scans? My ipfw.log often gets lines like ..ipfw: Stealth Mode connection attempt to TCP.. etc, so there is nothing new here. However, I recently got some lines like this in my log:
Code:
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49281 from 205.175.208.33:80
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49282 from 205.175.208.33:80
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49283 from 205.175.208.33:80
The 205.175.208.33 IP led me to a domain called conexant.com, which I had just visited around the time of this scan. How should I interpret this? Is this a hosed web server, and would it be wise to inform the hostmaster about this?
I wish there was a database or something to turn to to help newbies quickly interpret ipfw.logs.
Thanks in advance.
Upon first glance, this looks like return traffic from a web server for which the firewall no longer has any state information in its tables for the connection. Like packets it is seeing with PSH flags or something set, but it has never seen a TCP handshake for the connection. Got any payload data?
Scans of all kinds from the Internet are a given. It was blocked, so nothing to really react to. If you really are paranoid I would recommend running an IDS to parse the incoming traffic for further insight into the nature of the intrusion attempt.
Fresh-Faced Recruit
Join Date: Jun 2005
Originally Posted by kampl
Upon first glance, this looks like return traffic from a web server for which the firewall no longer has any state information in its tables for the connection. Like packets it is seeing with PSH flags or something set, but it has never seen a TCP handshake for the connection. Got any payload data?
Scans of all kinds from the Internet are a given. It was blocked, so nothing to really react to. If you really are paranoid I would recommend running an IDS to parse the incoming traffic for further insight into the nature of the intrusion attempt.
Further question. I just noticed a similar message in my own log file and found this post while searching google for more information. Interestingly, I recognized the IP as someone I know, and distrust. What could this person be trying to do and what are they using to do it? I don't recognize the ports that the attempt was made to on about a half dozen attempts, ranging from 52000 - 52019.
Any ideas?
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
I can't find anything definitive on ports 52000-52019, but here's my theory: your untrusted acquaintance has a virus or trojan. You're getting scanned because that bug is looking for a response on a port that it wants, probably as a server for some sort of spam, or porn, or other undesirable content that the bug wants to distribute. As long as your firewall keeps those probes out (stealthing the ports that you don't actively use is better than just blocking them), you should be safe.
Glenn -----
OTR/L, MOT, Tx
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
"The 205.175.208.33 IP lead me to a domain called conexant.com, which I just had visited around the time of this scan. How should I interpret this? Is this a hosed web-server and would it be wise inform the hostmaster about this?"
This is not an attack. It is return traffic from a web server for which the firewall connection table timeouts have been exceeded. It can be ignored. Latency or misconfiguration on the remote end is what I would blame for the delayed response from the server that got dropped by the firewall.
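The distinction kampl draws above (late return traffic from a server you just talked to, versus someone walking a range of ports on your box, as in the 52000-52019 case raised earlier in the thread) can be read straight out of the ipfw lines: return traffic comes *from* a service port such as 80 *to* an ephemeral client port, while a sweep hits many distinct destination ports from one source. The script below is an added example, not code from the thread or from ipfw; the regex and the two heuristics are my own. The first three sample lines are the ones sniffer posted; the remaining lines are constructed to resemble the 52000-range sweep and use the documentation address 198.51.100.7 as a placeholder source.

```python
import re
from collections import defaultdict

# Regex for the "Stealth Mode" syslog line format quoted in the thread.
# Assumption: written by me from the posted lines, not taken from ipfw documentation.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipfw: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.x]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# Constructed sample log. Lines 1-3 are the ones posted in the thread; lines 4-7
# are made up to look like a sweep of the 52000 range from a placeholder address.
SAMPLE_LOG = """\
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49281 from 205.175.208.33:80
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49282 from 205.175.208.33:80
Jun 9 22:35:46 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:49283 from 205.175.208.33:80
Jun 9 23:02:11 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:52000 from 198.51.100.7:3311
Jun 9 23:02:11 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:52001 from 198.51.100.7:3312
Jun 9 23:02:12 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:52002 from 198.51.100.7:3313
Jun 9 23:02:12 SNIFFERSPB ipfw: Stealth Mode connection attempt to TCP 192.168.0.xxx:52003 from 198.51.100.7:3314
"""

EPHEMERAL_MIN = 49152                 # IANA dynamic/private port range used by clients
SERVICE_PORTS = {20, 21, 25, 80, 110, 143, 443}  # ports a server would answer *from*
SWEEP_THRESHOLD = 3                   # distinct destination ports before we call it a sweep


def parse(text):
    """Turn the syslog text into a list of dicts; silently skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        e["sport"] = int(e["sport"])
        events.append(e)
    return events


def classify(events):
    """Return {source_ip: verdict} using two simple heuristics.

    late-return-traffic: every packet comes from a well-known service port and lands
                         on an ephemeral port, i.e. a server answering a connection
                         the firewall has already forgotten (kampl's explanation).
    port-sweep:          one source touches several distinct destination ports from
                         non-service source ports.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        dports = {e["dport"] for e in evs}
        sports = {e["sport"] for e in evs}
        if sports <= SERVICE_PORTS and all(p >= EPHEMERAL_MIN for p in dports):
            verdicts[src] = "late-return-traffic"
        elif len(dports) >= SWEEP_THRESHOLD and not (sports & SERVICE_PORTS):
            verdicts[src] = "port-sweep"
        else:
            verdicts[src] = "unclassified"
    return verdicts


def summarize(text):
    """Parse and classify in one call; handy for piping a log file in."""
    return classify(parse(text))


if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

Run against the sample, 205.175.208.33 comes out as late-return-traffic (source port 80, destinations 49281-49283) and the constructed source as a port-sweep. The heuristics are deliberately coarse: a real sweep can spoof a service source port, and a server on a non-standard port will land in "unclassified", which is the right place for anything you want to look at by hand or hand to an IDS.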
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Thanks for your informative thoughts, guys. Regarding IDS, I found an application called "HenWen". Looks suitable ...if only I can find the patience to dig through the manual and get a grip on the basics.