Re: I was scaned

[zeus () TETRONSOFTWARE COM (Gene Harris)]

If folks would limit the ports accessible from 53, that
would help.  Even on a stateless firewall you can do a
"from any 1024- to ${myip} 53" and
"from ${myip} 53 to any 1024-", assuming udp.  This way, at
least only unpriv ports are accessible.

It looks like the original contributor had something like
that implemented, or he wouldn't have caught the probe in
the first place.

*==============================================*
*Gene Harris      http://www.tetronsoftware.com*
*FreeBSD Novice                                *
*All ORBS.org SMTP connections are denied!     *
*==============================================*

On Sat, 22 Jan 2000, Robert Graham wrote:

>  Our (Network ICE) customers are seeing tons of these RPC getports on the
>  standard exploitable programs that are already known.
>
>  The basic rule of thumb is:
>  * everyone is getting UDP getport/dump requests on port 111 on a regular
>  basis.
>  * if you install a Sun machine (the most popular highend webserver) with RPC
>  services exposed to the Internet, it will get hacked within a month because
>  of this.
>
>  Your log does show something new, however. The attacker is putting the
>  source port as 53 in order to pentrate firewalls. Many stateless firewalls
>  allow any incoming UDP packet with a source port of 53 on the assumption
>  that it is a DNS response, but hackers can exploit this to send any data
>  through the firewall. We put this in the first version of our BlackICE
>  intrusion detection system, but we haven't seen this trigger often. Maybe
>  hackers are wising up to this technique.
>
>  Rob.
>
>  -----Original Message-----
>  From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
>  Behalf Of C.
>  Sent: Thursday, January 20, 2000 11:33 PM
>  To: INCIDENTS () securityfocus com
>  Subject: I was scaned
>
>
>  This is from last night.
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.1:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.2:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.3:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.4:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.5:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.6:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.7:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.8:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.9:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>  Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6
>  211.36.16.2:53 x.x.x.10:111 L=40 S=0x00
>  I=62128 F=0x0000 T=238
>
>  ....
>  Any idea what is it? New sunrpc xploit in the wild?