[lug] Probing from ISP?

John Karns jkarns at csd.net
Mon Jul 5 10:23:39 MDT 2004


Hello all,

I noticed some weirdness in my logs yesterday.  They're filling up with
events which appear to be probes to various ports on my machine, averaging
one every 2 - 3 secs.  The source ports (SPT in log) are above 1024, to
lower numbered destination ports (in most cases).  I'm using a Linksys
WRT54G wlan router (runs Linux!!), flashed to a 3rd party mod of the OS
called samadhi2.  I have the router firewall enabled.  I'm not sure what
to make of the situation, but I'm guessing that the ISP (MS W2k shop)
has been cracked with a virus that is probing all IP's in their pool.

I'd be most interested in any comments.

A snippet from the system log on one of my nodes (24 x 7 connection) looks
like:


Most probes are to destination ports 135 & 445

Jul 1 00:15:41 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.32.230 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=44610 DF PROTO=TCP SPT=3558 DPT=445
WINDOW=65535 RES=0x00 SYN URGP=0

Jul 1 00:15:44 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.32.230 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=44775 DF PROTO=TCP SPT=3558 DPT=445
WINDOW=65535 RES=0x00 SYN URGP=0

Jul 1 00:16:34 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.33.35 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=19011 DF PROTO=TCP SPT=3529 DPT=445
WINDOW=65535 RES=0x00 SYN URGP=0

Jul 1 00:16:37 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.33.35 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=19202 DF PROTO=TCP SPT=3529 DPT=445
WINDOW=65535 RES=0x00 SYN URGP=0

Jul 1 00:17:59 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.207 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=45088 DF PROTO=TCP SPT=4648 DPT=135
WINDOW=16384 RES=0x00 SYN URGP=0

Jul 1 00:18:02 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.207 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=45303 DF PROTO=TCP SPT=4648 DPT=135
WINDOW=16384 RES=0x00 SYN URGP=0

Jul 1 00:18:17 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.153 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=29048 DF PROTO=TCP SPT=3828 DPT=135
WINDOW=65535 RES=0x00 SYN URGP=0

Jul 1 00:18:19 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.153 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=126 ID=29205 DF PROTO=TCP SPT=3828 DPT=135
WINDOW=65535 RES=0x00 SYN URGP=0

... with a few to higher numbered ports:

Jul 1 01:13:54 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=61.53.14.224 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=107 ID=62639 DF PROTO=TCP SPT=1664 DPT=9898
WINDOW=64240 RES=0x00 SYN URGP=0

Jul 1 01:28:20 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.101.45.165 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=110 ID=22928 DF PROTO=TCP SPT=2379 DPT=443
WINDOW=65340 RES=0x00 SYN URGP=0

Jul 1 01:28:20 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.101.45.165 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=110 ID=22929 DF PROTO=TCP SPT=2380 DPT=1433
WINDOW=65340 RES=0x00 SYN URGP=0

Jul 1 01:28:26 Host kernel: Dropwall:IN=eth0 OUT=
MAC=nodeMac@:RouterMac@:08:00 SRC=200.101.45.165 DST=192.168.1.103 LEN=48
TOS=0x00 PREC=0x00 TTL=110 ID=23051 DF PROTO=TCP SPT=2380 DPT=1433
WINDOW=65340 RES=0x00 SYN URGP=0

======================================================

... and the following is from iptraf on a different node, which is not
connected 24 x 7 to the lan:

152.2.210.81:80                             >       1        40 --A-   wlan0
192.168.1.110:34240                         >       1        40 --A-   wlan0

65.61.162.142:80                            >       1        40 --A-   wlan0
192.168.1.110:34241                         >       1        40 --A-   wlan0

152.2.210.81:80                             >       1        40 --A-   wlan0
192.168.1.110:34236                         >       1        40 --A-   wlan0

152.2.210.81:80                             >       1        40 --A-   wlan0
192.168.1.110:34239

-------------------------------------------------------

192.168.1.110:34255                         =      11       912 CLOSED wlan0
216.109.119.252:80                          =      10     10590 CLOSED wlan0

192.168.1.110:34254                         =      11       912 CLOSED wlan0
216.109.119.252:80                          =      10     10590 CLOSED wlan0

192.168.1.110:34253                         =      11       912 CLOSED wlan0 x
216.109.119.252:80                          =      10     10590 CLOSED wlan0 x

192.168.1.110:34252                         =      11       912 CLOSED wlan0 x
216.109.119.252:80                          =      10     10590 CLOSED wlan0 x

192.168.1.110:34251                         =      11       912 CLOSED wlan0 x
216.109.119.252:80                          =      10     10590 CLOSED wlan0 x

======================================================

It's interesting (and confusing) that the iptraf output on the 2nd node
doesn't show traffic with the same ports as the ipfilter log from the
other node.  Nor does the system log on the 2nd node show any probes at
all.  I expected to see the same probes on the 2nd node, so am a little
concerned that the 1st node might have been cracked.

--  
John Karns
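The log lines in the post are output of the netfilter/iptables LOG target ("Dropwall:" is the rule's --log-prefix). The script below is an added example, not code from the post or from the LUG thread: it parses such lines, folds the repeated SYNs from the same source port (a host whose SYN gets no reply retransmits it a few seconds later, so two or three log lines are usually one connection attempt, not two or three), and then tabulates attempts per destination port, distinct sources per port, distinct ports per source, and a TTL-based hop estimate. The sample records are the post's own log lines with the mail wrapping undone (the kernel emits each record on one line); the 15-second retransmit window and the 64/128/255 initial-TTL heuristic are assumptions of the example.

```python
"""Summarise netfilter LOG records: parse key=value fields, fold TCP SYN
retransmissions into single connection attempts, and tabulate who is
knocking on which ports and roughly how far away they are."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: the records from the post above, each on one line as the
# kernel writes them.  The MAC field was already redacted by the poster.
SAMPLE_LOG = """\
Jul 1 00:15:41 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.32.230 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=44610 DF PROTO=TCP SPT=3558 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 1 00:15:44 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.32.230 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=44775 DF PROTO=TCP SPT=3558 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 1 00:16:34 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.33.35 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=19011 DF PROTO=TCP SPT=3529 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 1 00:16:37 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.33.35 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=19202 DF PROTO=TCP SPT=3529 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 1 00:17:59 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.207 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45088 DF PROTO=TCP SPT=4648 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 1 00:18:02 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.207 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45303 DF PROTO=TCP SPT=4648 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 1 00:18:17 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.153 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=29048 DF PROTO=TCP SPT=3828 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 1 00:18:19 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.119.38.153 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=29205 DF PROTO=TCP SPT=3828 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 1 01:13:54 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=61.53.14.224 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=62639 DF PROTO=TCP SPT=1664 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 1 01:28:20 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.101.45.165 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=22928 DF PROTO=TCP SPT=2379 DPT=443 WINDOW=65340 RES=0x00 SYN URGP=0
Jul 1 01:28:20 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.101.45.165 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=22929 DF PROTO=TCP SPT=2380 DPT=1433 WINDOW=65340 RES=0x00 SYN URGP=0
Jul 1 01:28:26 Host kernel: Dropwall:IN=eth0 OUT= MAC=nodeMac@:RouterMac@:08:00 SRC=200.101.45.165 DST=192.168.1.103 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=23051 DF PROTO=TCP SPT=2380 DPT=1433 WINDOW=65340 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one netfilter LOG record, or None for any other syslog line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    mon, day, clock, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    # Bare upper-case tokens with no '=' are the flags (DF, SYN, ACK, ...).
    flags = {tok for tok in rest.split() if "=" not in tok and tok.isupper()}
    return {
        # syslog carries no year; 1900 is fine for computing intervals
        "ts": datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S"),
        "src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
        "spt": int(fields.get("SPT", 0)), "dpt": int(fields.get("DPT", 0)),
        "ttl": int(fields["TTL"]), "flags": flags,
    }


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def collapse_retransmits(events, window=15):
    """Fold SYNs repeating the same 5-tuple within `window` seconds (assumed
    value) into one attempt; the sender is retransmitting an unanswered SYN."""
    attempts, last = [], {}   # last: 5-tuple -> index into attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"], ev["proto"], ev["spt"], ev["dpt"])
        idx = last.get(key)
        if idx is not None and "SYN" in ev["flags"] and \
                (ev["ts"] - attempts[idx]["last_ts"]).total_seconds() <= window:
            attempts[idx]["retries"] += 1
            attempts[idx]["last_ts"] = ev["ts"]
            continue
        attempts.append({**ev, "first_ts": ev["ts"], "last_ts": ev["ts"], "retries": 0})
        last[key] = len(attempts) - 1
    return attempts


def fan_out(attempts, key, value):
    """Distinct `value`s per `key`: many sources on one port looks like a sweep
    of the address space, one source on many ports like a single host enumerating you."""
    out = defaultdict(set)
    for a in attempts:
        out[a[key]].add(a[value])
    return {k: sorted(v) for k, v in out.items()}


def guess_hops(ttl):
    """Heuristic (assumed): stacks start TTL at 64, 128 or 255, so the smallest
    of those not below the observed TTL is the likely initial value and the
    difference is roughly the hop count from the sender."""
    initial = next(i for i in (64, 128, 255) if ttl <= i)
    return initial, initial - ttl


def report(text):
    events = parse_log(text)
    attempts = collapse_retransmits(events)
    return {
        "records": len(events),
        "attempts": len(attempts),
        "ports": Counter(a["dpt"] for a in attempts),
        "sources_per_port": fan_out(attempts, "dpt", "src"),
        "ports_per_source": fan_out(attempts, "src", "dpt"),
        "hops": {a["src"]: guess_hops(a["ttl"]) for a in attempts},
        "retry_gaps": [(a["last_ts"] - a["first_ts"]).total_seconds()
                       for a in attempts if a["retries"]],
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the post's records this yields 12 log lines but only 7 connection attempts, with the retransmits 2 to 6 seconds behind the first SYN; ports 445 and 135 each get two attempts from two different sources, while 200.101.45.165 alone tries both 443 and 1433. The TTL heuristic puts the 200.119.x.x senders two hops away from an initial TTL of 128, which is the kind of check worth running before concluding the traffic comes from inside the ISP's own pool rather than from the Internet at large.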
