Security Basics mailing list archives
RE: from 127.0.0.1:80 to myIP:1838 on eth0
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 26 Sep 2003 10:33:21 -0700
IP 192.168.1.115 netmask 255.255.255.0 gateway 192.168.1.255
This is not correct! The netmask says you're on the 192.168.1.x network. 192.168.1.255 is reserved as the BROADCAST address for this network. Your gateway address needs to be a valid host address of a router which connects this network to the world (and probably also does NAT, or something beyond it does...).
Source: 127.0.0.1 Destination: 192.168.1.0 Transmission Control Protocol (TCP) Source port: 80 Destination port: 1823
Someone has spoofed the source address as the loopback address. Your gateway should be filtering for obviously spoofed origins, but it's not. 192.168.1.0 is the "network address" for the 192.168.1.x network that you're on. In most cases, this will get treated as a broadcast. Either this packet originated on your side of whatever is providing NAT, or the NAT implementation is broken -- no outside source should be able to send to this address.
Source: 127.0.0.1 Destination: 192.168.1.115 Transmission Control Protocol (TCP) Source port: 80 Destination port: 1838 .... ..0. = Syn: Not set
If there's a network firewall, it's not stateful. Proper firewalls will only accept TCP packets without SYN if they're part of an established connection. The attacker has crafted this packet to look like part of an already opened HTTP session from your machine, and that has been good enough to get by the network perimeter.
.... .1.. = Reset: Set
This looks like an attempt to abort a TCP session which (see above) hasn't actually been established. I'm not sure what the recipient machine is supposed to do with this, but I'd guess that something like an "ICMP unreachable" response would be in order. It's possible that the details of the TCP/IP stack's reaction might help to identify the particular OS, so this might be a scanning tool -- except that the spoofed source address means that the attacker will never see the results. (It's *possible* that there are broken stacks out there that might crash when asked to deal with a packet like this. Spoofed source addresses are really only "useful" in DoS and single packet "fire and forget" attacks.) David Gillett
-----Original Message----- From: Useru Chior [mailto:useru_chior () yahoo com] Sent: September 26, 2003 04:55 To: security-basics () securityfocus com Subject: from 127.0.0.1:80 to myIP:1838 on eth0 As I am only a physicist with some computing experience and not a computer professional, I would like to hear as much as possible about the following issue. The computer I use at my working place is a personal machine: - WXP professional with SP1 and all critical updates installed - Sygate Personal Firewall 5.1 build 1615s with advanced rules (ipchains - like) I have scanned my system using Sygate' trojan scan service and also I have scanned the system using Sophos Antivirus. The system seems to be clean. I am conected to the network of the company via a fibre optic cable (presumably to a switch). The network configuration looks like: IP 192.168.1.115 netmask 255.255.255.0 gateway 192.168.1.255 nameservers xx.xx.xx.x1, xx.xx.xx.x2 (In fact I have a routable IP, which is not listed here ) The firewall is usually showing me something like 10 to 30 connection attempts a day on various services (80, 21, 25, 554, 1433 and some high ports which I can only associate with backdoor-type servers). Also is showing from time to time packets which seem to emerge from routable IPs from outside the company and which seem to try to force open a connection with a external 'web' (80) server. Normal s***. One week ago packets like the ones decoded here started to pop-up in the firewall log. -------------------------------------------------------------- ---------------------- 09/25/2003 22:01:09 Ethernet II (Packet Length: 60) Destination: ff-ff-ff-ff-ff-ff Source: ZZ-ZZ-ZZ-ZZ-ZZ-ZZ - hardware address of the gateway Type: IP (0x0800) Internet Protocol Version: 4 Header Length: 20 bytes Flags: .0.. = Don't fragment: Not set ..0. = More fragments: Not set Fragment offset:0 Time to live: 1 Protocol: 0x6 (TCP - Transmission Control Protocol) Header checksum: 0x6951 (Correct) Source: 127.0.0.1 Destination: 192.168.1.0 Transmission Control Protocol (TCP) Source port: 80 Destination port: 1823 Sequence number: 0 Acknowledgment number: 1573847041 Header length: 20 Flags: 0... .... = Congestion Window Reduce (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .1.. = Reset: Set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Checksum: 0xd514 (Correct) Data (0 Bytes) -------------------------------------------------------------- ---------------------- 09/25/2003 21:57:47 Ethernet II (Packet Length: 60) Destination: YY-YY-YY-YY-YY-YY - hardware address of my machine Source: ZZ-ZZ-ZZ-ZZ-ZZ-ZZ - hardware address of the gateway Type: IP (0x0800) Internet Protocol Version: 4 Header Length: 20 bytes Flags: .0.. = Don't fragment: Not set ..0. = More fragments: Not set Fragment offset:0 Time to live: 124 Protocol: 0x6 (TCP - Transmission Control Protocol) Header checksum: 0x3b07 (Correct) Source: 127.0.0.1 Destination: 192.168.1.115 Transmission Control Protocol (TCP) Source port: 80 Destination port: 1838 Sequence number: 0 Acknowledgment number: 404619265 Header length: 20 Flags: 0... .... = Congestion Window Reduce (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 0... = Push: Not set .... .1.. = Reset: Set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Checksum: 0x135a (Correct) Data (0 Bytes) -------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- from 127.0.0.1:80 to myIP:1838 on eth0 Useru Chior (Sep 26)
- RE: from 127.0.0.1:80 to myIP:1838 on eth0 David Gillett (Sep 26)
- <Possible follow-ups>
- Re: from 127.0.0.1:80 to myIP:1838 on eth0 Useru Chior (Sep 29)