Security Incidents mailing list archives
Strange trafic to port 119
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sun, 12 Nov 2000 13:17:28 -0600
Hi,

Right now I'm connected to the internet via modem through my ISP and I have been receiving a lot of tcp(syn) packets to my machine all morning. IP addresses are assigned dynamically by my ISP and packets are not directed to any broadcast address, so, as far as I know, they are targeting me directly. More strange is the fact that I'm connected with a Linux machine (Mandrake 7.2, updated almost daily with security patches); I have a firewall installed with ipchains rules which basically deny any incoming traffic through ppp0 to ports 1023 and below (I also deny any incoming icmp traffic except "fragmentation needed").

My first impression was that my machine either was compromised or under a DoS attack, so I set up the ethereal sniffer and reviewed ipchains logs. I also checked any applications and ports open (internally) and with another machine in my University. Connections to port 119 are being blocked as expected; I didn't find any evidence of compromised accounts, backdoors or anything. Also, I doubt that this is a DoS because packets are sent, more or less, at a 5 to 7 minute interval. I also thought of the possibility that this traffic was directed to the machine connected to the same address before I logged on, but after checking my logs I saw that this traffic started about an hour after I logged on. There are several IP sources involved (not too many) and the rate at which packets are sent from different hosts varies with time (it's not completely random, nor predictable), which makes me think that these connection attempts are being done manually.

Here is a fwlogwatch resume (great tool by my friend Boris W., by the way):

Generated Sun Nov 12 12:36:03 CST 2000.
320 of 473 entries in the file "/var/log/messages" are packet logs, 98 have unique connection characteristics.
First entry: Nov 12 07:58:36.
Last entry: Nov 12 12:35:05.
All entries were logged by the same host: "localhost".
All entries are from the same chain: "pt.Bajos".
All entries have the same target: "DENY".
All entries are from the same interface: "ppp0".

12 [Nov 12 08:46:22 to Nov 12 08:50:11] tcp connects from 64.110.51.58 port 1028 to 148.221.215.134 port 119 (nntp).
12 [Nov 12 08:56:25 to Nov 12 08:58:47] tcp connects from 200.32.120.236 port 1055 to 148.221.215.134 port 119 (nntp).
9 [Nov 12 08:32:31 to Nov 12 08:33:32] tcp connects from 209.13.234.31 port 1081 to 148.221.215.134 port 119 (nntp).
6 [Nov 12 12:16:33 to Nov 12 12:17:03] tcp connects from 148.246.45.107 port 3878 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 09:00:23 to Nov 12 09:00:46] tcp connects from 207.248.36.66 port 1057 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 10:48:32 to Nov 12 10:48:59] tcp connects from 200.45.48.190 port 4302 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:05:22 to Nov 12 11:05:43] tcp connects from 62.174.64.113 port 2139 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:05:22 to Nov 12 11:05:43] tcp connects from 62.174.64.113 port 2138 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:23:50 to Nov 12 11:24:11] tcp connects from 64.110.51.51 port 1031 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:35:39 to Nov 12 11:36:07] tcp connects from 213.4.13.170 port 4407 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:36:09 to Nov 12 11:36:31] tcp connects from 213.4.13.170 port 4411 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:44:53 to Nov 12 11:45:14] tcp connects from 148.221.133.143 port 1355 to 148.221.215.134 port 119 (nntp).
4 [Nov 12 11:44:53 to Nov 12 11:45:14] tcp connects from 148.221.133.143 port 1354 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:03:41 to Nov 12 08:03:49] tcp connects from 148.246.45.107 port 3238 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:10:48 to Nov 12 08:10:57] tcp connects from 148.246.45.107 port 3299 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:18:05 to Nov 12 08:18:15] tcp connects from 148.246.45.107 port 3377 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:25:14 to Nov 12 08:25:23] tcp connects from 148.246.45.107 port 3423 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:32:17 to Nov 12 08:32:26] tcp connects from 148.246.45.107 port 3464 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:32:31 to Nov 12 08:32:40] tcp connects from 209.13.234.31 port 1082 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:32:34 to Nov 12 08:32:43] tcp connects from 209.13.234.31 port 1083 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:39:47 to Nov 12 08:39:55] tcp connects from 148.246.45.107 port 3529 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:47:14 to Nov 12 08:47:23] tcp connects from 148.246.45.107 port 3607 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:54:11 to Nov 12 08:54:20] tcp connects from 148.246.45.107 port 3642 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:01:21 to Nov 12 09:01:30] tcp connects from 148.246.45.107 port 3718 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:09:01 to Nov 12 09:09:10] tcp connects from 148.246.45.107 port 3800 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:16:06 to Nov 12 09:16:15] tcp connects from 148.246.45.107 port 3862 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:23:20 to Nov 12 09:23:28] tcp connects from 148.246.45.107 port 3940 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:30:35 to Nov 12 09:30:44] tcp connects from 148.246.45.107 port 3986 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:37:54 to Nov 12 09:38:03] tcp connects from 148.246.45.107 port 4063 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:45:07 to Nov 12 09:45:16] tcp connects from 148.246.45.107 port 4145 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 09:52:55 to Nov 12 09:53:04] tcp connects from 148.246.45.107 port 4211 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:00:30 to Nov 12 10:00:39] tcp connects from 148.246.45.107 port 4278 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:08:03 to Nov 12 10:08:11] tcp connects from 148.246.45.107 port 4356 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:15:24 to Nov 12 10:15:33] tcp connects from 148.246.45.107 port 4440 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:22:53 to Nov 12 10:23:02] tcp connects from 148.246.45.107 port 4523 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:24:12 to Nov 12 10:24:21] tcp connects from 62.42.0.213 port 1789 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:24:55 to Nov 12 10:25:04] tcp connects from 62.42.0.213 port 1792 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:25:16 to Nov 12 10:25:25] tcp connects from 62.42.0.213 port 1793 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:25:59 to Nov 12 10:26:08] tcp connects from 62.42.0.213 port 1796 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:26:21 to Nov 12 10:26:30] tcp connects from 62.42.0.213 port 1798 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:30:13 to Nov 12 10:30:22] tcp connects from 148.246.45.107 port 4599 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:37:47 to Nov 12 10:37:47] tcp connects from 148.246.45.107 port 4675 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:39:11 to Nov 12 10:39:20] tcp connects from 62.82.4.219 port 1128 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:39:32 to Nov 12 10:39:41] tcp connects from 62.82.4.219 port 1129 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:39:54 to Nov 12 10:40:03] tcp connects from 62.82.4.219 port 1131 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:44:33 to Nov 12 10:44:42] tcp connects from 148.246.45.107 port 4709 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:48:32 to Nov 12 10:48:41] tcp connects from 200.45.48.190 port 4301 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:51:42 to Nov 12 10:51:51] tcp connects from 148.246.45.107 port 4750 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 10:58:42 to Nov 12 10:58:51] tcp connects from 148.246.45.107 port 4787 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:05:50 to Nov 12 11:05:59] tcp connects from 148.246.45.107 port 4827 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:13:26 to Nov 12 11:13:35] tcp connects from 148.246.45.107 port 4860 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:20:35 to Nov 12 11:20:44] tcp connects from 148.246.45.107 port 4909 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:24:33 to Nov 12 11:24:42] tcp connects from 62.42.103.220 port 1076 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:25:17 to Nov 12 11:25:26] tcp connects from 62.42.103.220 port 1084 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:27:45 to Nov 12 11:27:54] tcp connects from 148.246.45.107 port 4959 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:35:19 to Nov 12 11:35:28] tcp connects from 148.246.45.107 port 4998 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:41:06 to Nov 12 11:41:15] tcp connects from 148.246.45.107 port 20 (ftp-data) to 148.221.215.134 port 20 (ftp-data).
3 [Nov 12 11:42:16 to Nov 12 11:42:25] tcp connects from 148.246.45.107 port 3048 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:49:20 to Nov 12 11:49:29] tcp connects from 148.246.45.107 port 3691 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 11:56:21 to Nov 12 11:56:29] tcp connects from 148.246.45.107 port 3743 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:03:46 to Nov 12 12:03:55] tcp connects from 148.246.45.107 port 3785 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:10:50 to Nov 12 12:10:59] tcp connects from 148.246.45.107 port 3819 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:16:11 to Nov 12 12:16:20] tcp connects from 148.246.45.107 port 3876 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:16:19 to Nov 12 12:16:28] tcp connects from 62.42.103.220 port 1347 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:16:41 to Nov 12 12:16:50] tcp connects from 62.42.103.220 port 1350 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:16:55 to Nov 12 12:17:04] tcp connects from 62.42.0.213 port 1025 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:17:16 to Nov 12 12:17:25] tcp connects from 148.246.45.107 port 3881 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:17:17 to Nov 12 12:17:26] tcp connects from 62.42.0.213 port 1026 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:17:37 to Nov 12 12:17:46] tcp connects from 148.246.45.107 port 3882 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:17:38 to Nov 12 12:17:47] tcp connects from 62.42.0.213 port 1027 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:17:58 to Nov 12 12:18:07] tcp connects from 148.246.45.107 port 3884 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:18:00 to Nov 12 12:18:09] tcp connects from 62.42.0.213 port 1028 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:18:19 to Nov 12 12:18:28] tcp connects from 148.246.45.107 port 3885 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:18:41 to Nov 12 12:18:50] tcp connects from 148.246.45.107 port 3887 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:18:43 to Nov 12 12:18:52] tcp connects from 62.42.0.213 port 1030 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:19:02 to Nov 12 12:19:11] tcp connects from 148.246.45.107 port 3888 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:19:23 to Nov 12 12:19:32] tcp connects from 148.246.45.107 port 3890 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:19:44 to Nov 12 12:19:54] tcp connects from 148.246.45.107 port 3891 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:20:06 to Nov 12 12:20:15] tcp connects from 148.246.45.107 port 3893 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:20:27 to Nov 12 12:20:36] tcp connects from 148.246.45.107 port 3894 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:20:50 to Nov 12 12:20:57] tcp connects from 148.246.45.107 port 3896 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:21:10 to Nov 12 12:21:19] tcp connects from 148.246.45.107 port 3903 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:21:54 to Nov 12 12:22:01] tcp connects from 148.246.45.107 port 3906 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:21:54 to Nov 12 12:21:54] tcp connects from 148.246.45.107 port 3905 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:22:13 to Nov 12 12:22:23] tcp connects from 148.246.45.107 port 3909 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:22:35 to Nov 12 12:22:43] tcp connects from 148.246.45.107 port 3910 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:23:34 to Nov 12 12:23:43] tcp connects from 62.42.0.213 port 1428 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:23:55 to Nov 12 12:24:04] tcp connects from 62.42.0.213 port 1429 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:24:18 to Nov 12 12:24:27] tcp connects from 62.42.0.213 port 1431 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 12:24:39 to Nov 12 12:24:48] tcp connects from 62.42.0.213 port 1432 to 148.221.215.134 port 119 (nntp).
2 [Nov 12 10:24:36 to Nov 12 10:24:42] tcp connects from 62.42.0.213 port 1790 to 148.221.215.134 port 119 (nntp).
2 [Nov 12 10:25:37 to Nov 12 10:25:40] tcp connects from 62.42.0.213 port 1795 to 148.221.215.134 port 119 (nntp).
2 [Nov 12 11:24:54 to Nov 12 11:25:03] tcp connects from 62.42.103.220 port 1077 to 148.221.215.134 port 119 (nntp).
2 [Nov 12 12:18:24 to Nov 12 12:18:30] tcp connects from 62.42.0.213 port 1029 to 148.221.215.134 port 119 (nntp).
2 [Nov 12 12:23:12 to Nov 12 12:23:15] tcp connects from 62.42.0.213 port 1426 to 148.221.215.134 port 119 (nntp).
2 [Nov 12 12:25:02 to Nov 12 12:25:10] tcp connects from 62.42.0.213 port 1440 to 148.221.215.134 port 119 (nntp).
1 [Nov 12 12:17:02 to -] tcp connect from 62.42.103.220 port 1351 to 148.221.215.134 port 119 (nntp).
1 [Nov 12 12:22:51 to -] tcp connect from 62.42.0.213 port 1425 to 148.221.215.134 port 119 (nntp).
As you can see, 2 of these sources show more than any:

148.246.45.107
62.42.0.213

148.246.45.107 seems to be (with a high probability) a Win 2000 machine; 62.42.0.213 might be an Aix2.4 (probably inaccurate). I ran nmap on these two but I can't find any relation to each other. I also checked for any strange parameters in the packets but couldn't find anything; here is a sample:

Frame 300 (48 on wire, 48 captured)
    Arrival Time: Nov 12, 2000 12:17:17.1639
    Time delta from previous packet: 0.890008 seconds
    Frame Number: 300
    Packet Length: 48 bytes
    Capture Length: 48 bytes
Raw packet data
    No link information available
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x31c3
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 106
    Protocol: TCP (0x06)
    Header checksum: 0x33a2 (correct)
    Source: 62.42.0.213 (62.42.0.213)
    Destination: 148.221.215.134 (148.221.215.134)
Transmission Control Protocol, Src Port: 1026 (1026), Dst Port: 119 (119), Seq: 784321494, Ack: 0
    Source port: 1026 (1026)
    Destination port: 119 (119)
    Sequence number: 784321494
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 64240
    Checksum: 0xddbc
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

0   4500 0030 31c3 4000 6a06 33a2 3e2a 00d5   E..01.@.j.3.>*..
10  94dd d786 0402 0077 2ebf cbd6 0000 0000   .......w........
20  7002 faf0 ddbc 0000 0204 05b4 0101 0402   p...............
At 12:38 nntp packets stopped, but snort started to alert me of several nmap probes to my machine; source addresses are random and too many, so I presume this guy is using some decoys (note that I don't even know if this is related to the nntp event; there has been a lot of activity lately in México, and particularly with this ISP, Telmex-Prodigy, to be certain of anything).

Any ideas? Were these hosts compromised by someone else? Were these probes generated by a worm? Any attacks that could be related to NNTP and these packets?

Thank you,
Omar A. Herrera R.
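Added example (not part of Omar's post, nor fwlogwatch's own code): a Python parser for summary lines like the ones above, fed five lines copied from the report, that labels each burst and measures the spacing between bursts per source. Up to three SYNs from one source port inside about ten seconds is one connect() whose SYN the sender's TCP stack retransmitted, not three separate probes, so the per-source spacing (about seven minutes for 148.246.45.107 here) is the retry period of whatever runs on that host; the year is assumed to be 2000 because fwlogwatch prints none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five summary lines copied from the fwlogwatch report above.
SAMPLE = """\
3 [Nov 12 08:03:41 to Nov 12 08:03:49] tcp connects from 148.246.45.107 port 3238 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:10:48 to Nov 12 08:10:57] tcp connects from 148.246.45.107 port 3299 to 148.221.215.134 port 119 (nntp).
3 [Nov 12 08:18:05 to Nov 12 08:18:15] tcp connects from 148.246.45.107 port 3377 to 148.221.215.134 port 119 (nntp).
12 [Nov 12 08:46:22 to Nov 12 08:50:11] tcp connects from 64.110.51.58 port 1028 to 148.221.215.134 port 119 (nntp).
1 [Nov 12 12:17:02 to -] tcp connect from 62.42.103.220 port 1351 to 148.221.215.134 port 119 (nntp).
"""

LINE_RE = re.compile(
    r"^(?P<n>\d+) \[(?P<first>\w{3} \d+ \d\d:\d\d:\d\d) to (?P<last>[^\]]+)\] "
    r"tcp connects? from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) port (?P<dport>\d+)"
)

def _ts(text, year=2000):
    # fwlogwatch prints no year: assume the report's year (2000 here).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse(report):
    """Turn fwlogwatch summary lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        first = _ts(m["first"])
        last = first if m["last"].strip() == "-" else _ts(m["last"])  # single packet
        entries.append({"n": int(m["n"]), "first": first, "last": last,
                        "src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"])})
    return entries

def classify(entry):
    """One source port, <= 3 SYNs within ~10 s: one connect() plus TCP SYN retransmits."""
    span = (entry["last"] - entry["first"]).total_seconds()
    if entry["n"] <= 3 and span <= 10:
        return "single-attempt-with-retransmits"
    return "repeated-attempts"

def intervals_by_source(entries):
    """Seconds between the starts of successive bursts from each source, in time order."""
    starts = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["first"]):
        starts[e["src"]].append(e["first"])
    return {src: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for src, ts in starts.items()}
```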
Current thread:
- Strange trafic to port 119 Omar Herrera (Nov 13)
- Re: Strange trafic to port 119 Valdis Kletnieks (Nov 14)