Security Incidents mailing list archives
Re: Scans(?) 500->500 from China
From: azimuth <lozah () IO COM>
Date: Sat, 2 Sep 2000 01:20:30 -0500
Howdy Ralf, Isakmp is a standard that outlines how two peers can establish and conduct secure communications over an insecure transport. http://www.ietf.org/rfc/rfc2408.txt It's used in IPSec & VPNs, and probably elsewhere. I have no idea why someone would be banging away at a single IP (I assume the log entries reflect traffic directed to one host), unless they were trying to connect to their VPN and got confused about their server IP. There's a recent vulnerability for Rapidstream VPN boxes: http://www.securityfocus.com/vdb/bottom.html?vid=1574 If someones scanning an IP range, perhaps they're trying to identify a vulnerable box. Seems like alot of work considering the number of boxen out there vulnerable to BIND/statd/FTP exploits. I haven't fully developed my paranoia yet, I think someone in China may just be confused or making typos. You might ask Greg Woods where he was this morning! ;-) az "Ralf G. R. Bergs" wrote:
Hi there, can anybody shed some light on what appears to be a scan to me? Sep 1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53) Sep 1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30439 F=0x0000 T=105 (#53) Sep 1 11:13:58 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30447 F=0x0000 T=105 (#53) Sep 1 11:14:02 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30470 F=0x0000 T=105 (#53) Sep 1 11:14:10 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30515 F=0x0000 T=105 (#53) Sep 1 11:14:26 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53) Sep 1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53) I couldn't find any meaningful info about port 500 (meaningful to me, that is, since "isakmp" doesn't ring a bell...) A whois query gives me the following: $ whois 61.141.79.3 % Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html inetnum: 61.140.0.0 - 61.143.255.255 netname: CHINANET-GD descr: CHINANET Guangdong province network descr: Data Communication Division descr: China Telecom country: CN admin-c: CH93-AP tech-c: WM12-AP mnt-by: MAINT-CHINANET mnt-lower: MAINT-CHINANET-GD changed: hostmaster () ns chinanet cn net 20000601 source: APNIC person: Chinanet Hostmaster address: A12,Xin-Jie-Kou-Wai Street phone: +86-10-62370437 fax-no: +86-10-62053995 country: CN e-mail: hostmaster () ns chinanet cn net nic-hdl: CH93-AP mnt-by: MAINT-CHINANET changed: hostmaster () ns chinanet cn net 20000101 source: APNIC person: WU MIAN address: RO.2 ZHONGSHAN,GUANGZHOU,GUANGDONG, address: 510080,CHINA phone: +086-20-87619051 fax-no: +86-20-87619799 country: CN e-mail: wumian () gdnmc guangzhou gd cn nic-hdl: WM12-AP mnt-by: MAINT-CHINANET-GD changed: wumian () gdnmc guangzhou gd cn 19990615 source: APNIC I guess even if it was a hostile scan, complaining to people in China doesn't stop these things, does it? Thanks, Ralf -- Sign the EU petition against SPAM: L I N U X .~. http://www.politik-digital.de/spam/ The Choice /V\ of a GNU /( )\ Generation ^^-^^
Current thread:
- Scans(?) 500->500 from China Ralf G. R. Bergs (Sep 01)
- Re: Scans(?) 500->500 from China azimuth (Sep 02)
- Re: Scans(?) 500->500 from China Magus Ba'al (Sep 02)
- Re: Scans(?) 500->500 from China Max (Sep 03)
- Re: Scans(?) 500->500 from China H D Moore (Sep 03)