RE: from 127.0.0.1:80 to myIP:1838 on eth0

["David Gillett" <gillettdavid () fhda edu>]

> IP 192.168.1.115
> netmask 255.255.255.0
> gateway 192.168.1.255

  This is not correct!

  The netmask says you're on the 192.168.1.x network.
192.168.1.255 is reserved as the BROADCAST address for this
network.  Your gateway address needs to be a valid host address
of a router which connects this network to the world (and 
probably also does NAT, or something beyond it does...).


>       Source: 127.0.0.1
>       Destination: 192.168.1.0
> Transmission Control Protocol (TCP)
>       Source port: 80
>       Destination port: 1823

  Someone has spoofed the source address as the loopback address.
Your gateway should be filtering for obviously spoofed origins, but
it's not.
  192.168.1.0 is the "network address" for the 192.168.1.x network
that you're on.  In most cases, this will get treated as a broadcast.
Either this packet originated on your side of whatever is providing 
NAT, or the NAT implementation is broken -- no outside source should
be able to send to this address.


>       Source: 127.0.0.1
>       Destination: 192.168.1.115
> Transmission Control Protocol (TCP)
>       Source port: 80
>       Destination port: 1838
>               .... ..0. = Syn: Not set

  If there's a network firewall, it's not stateful.  Proper firewalls
will only accept TCP packets without SYN if they're part of an
established connection.  The attacker has crafted this packet to look
like part of an already opened HTTP session from your machine, and
that has been good enough to get by the network perimeter.

>               .... .1.. = Reset: Set

  This looks like an attempt to abort a TCP session which (see above)
hasn't actually been established.  I'm not sure what the recipient
machine is supposed to do with this, but I'd guess that something
like an "ICMP unreachable" response would be in order.  It's possible
that the details of the TCP/IP stack's reaction might help to identify
the particular OS, so this might be a scanning tool -- except that the
spoofed source address means that the attacker will never see the results.
  (It's *possible* that there are broken stacks out there that might
crash when asked to deal with a packet like this.  Spoofed source addresses
are really only "useful" in DoS and single packet "fire and forget"
attacks.)

David Gillett

> -----Original Message-----
> From: Useru Chior [mailto:useru_chior () yahoo com]
> Sent: September 26, 2003 04:55
> To: security-basics () securityfocus com
> Subject: from 127.0.0.1:80 to myIP:1838 on eth0
>
>
>
>
> As I am only a physicist with some computing experience and 
> not a computer professional, I would like to hear as much as 
> possible about the following issue.
>
>       The computer I use at my working place is a personal machine:
> - WXP professional with SP1 and all critical updates installed
> - Sygate Personal Firewall 5.1 build 1615s with advanced 
> rules (ipchains - like)
>       I have scanned my system using Sygate' trojan scan 
> service and also I have scanned the system using Sophos 
> Antivirus. The system seems to be clean.
>       I am conected to the network of the company via a fibre 
> optic cable (presumably to a switch).         The network 
> configuration looks like:
> IP 192.168.1.115
> netmask 255.255.255.0
> gateway 192.168.1.255
> nameservers xx.xx.xx.x1, xx.xx.xx.x2
> (In fact I have a routable IP, which is not listed here   )
>       The firewall is usually showing me something like 10 to 
> 30 connection attempts a day on various services (80, 21, 25, 
> 554, 1433 and some high ports which I can only associate with 
> backdoor-type servers). Also is showing from time to time 
> packets which seem to emerge from routable IPs from outside 
> the company and which seem to try to force open a connection 
> with a external 'web' (80) server. Normal s***.
>       One week ago packets like the ones decoded here started 
> to pop-up in the firewall log.
>
> --------------------------------------------------------------
> ----------------------
> 09/25/2003 22:01:09
> Ethernet II (Packet Length: 60)
>       Destination:    ff-ff-ff-ff-ff-ff
>       Source:         ZZ-ZZ-ZZ-ZZ-ZZ-ZZ -     hardware 
> address of the gateway
> Type: IP (0x0800)
> Internet Protocol
>       Version: 4
>       Header Length: 20 bytes
>       Flags:
>               .0.. = Don't fragment: Not set
>               ..0. = More fragments: Not set
>       Fragment offset:0
>       Time to live: 1
>       Protocol: 0x6 (TCP - Transmission Control Protocol)
>       Header checksum: 0x6951 (Correct)
>       Source: 127.0.0.1
>       Destination: 192.168.1.0
> Transmission Control Protocol (TCP)
>       Source port: 80
>       Destination port: 1823
>       Sequence number: 0
>       Acknowledgment number: 1573847041
>       Header length: 20
>       Flags: 
>               0... .... = Congestion Window Reduce (CWR): Not set
>               .0.. .... = ECN-Echo: Not set
>               ..0. .... = Urgent: Not set
>               ...1 .... = Acknowledgment: Set
>               .... 0... = Push: Not set
>               .... .1.. = Reset: Set
>               .... ..0. = Syn: Not set
>               .... ...0 = Fin: Not set
>       Checksum: 0xd514 (Correct)
>       Data (0 Bytes)
> --------------------------------------------------------------
> ----------------------
> 09/25/2003 21:57:47           
> Ethernet II (Packet Length: 60)
>       Destination:    YY-YY-YY-YY-YY-YY       -       
> hardware address of my machine
>       Source:         ZZ-ZZ-ZZ-ZZ-ZZ-ZZ               -       
> hardware address of the gateway
> Type: IP (0x0800)
> Internet Protocol
>       Version: 4
>       Header Length: 20 bytes
>       Flags:
>               .0.. = Don't fragment: Not set
>               ..0. = More fragments: Not set
>       Fragment offset:0
>       Time to live: 124
>       Protocol: 0x6 (TCP - Transmission Control Protocol)
>       Header checksum: 0x3b07 (Correct)
>       Source: 127.0.0.1
>       Destination: 192.168.1.115
> Transmission Control Protocol (TCP)
>       Source port: 80
>       Destination port: 1838
>       Sequence number: 0
>       Acknowledgment number: 404619265
>       Header length: 20
>       Flags: 
>               0... .... = Congestion Window Reduce (CWR): Not set
>               .0.. .... = ECN-Echo: Not set
>               ..0. .... = Urgent: Not set
>               ...1 .... = Acknowledgment: Set
>               .... 0... = Push: Not set
>               .... .1.. = Reset: Set
>               .... ..0. = Syn: Not set
>               .... ...0 = Fin: Not set
>       Checksum: 0x135a (Correct)
>       Data (0 Bytes)
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------