Security Incidents mailing list archives
Re: Scans(?) 500->500 from China
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sat, 2 Sep 2000 13:47:42 -0500
Hi,

It looks like someone was trying to access the key negotiation daemon for IPSEC. Since you obviously aren't using this software (or isakmp might ring a bell ;) then it leaves three possibilities:

1. New IPSEC Implementation Hole (Old FreeSWAN has some really crappy code in it...)
2. They are looking for another service entirely (some root backdoor port...)
3. You have a dynamic IP; they used to have an IPSEC tunnel going to whoever had your IP address last. Their peer changed addresses but they never updated their configuration files.

This could also be a user of PGPNET mistyping the remote peer address or even a misconfigured routing device with VPN capabilities.

-HD
http://www.digitaloffense.net

"Ralf G. R. Bergs" wrote:
Hi there, can anybody shed some light on what appears to be a scan to me?

Sep 1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep 1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17
[ snip ]
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep 1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)

I couldn't find any meaningful info about port 500 (meaningful to me, that is, since "isakmp" doesn't ring a bell...)
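A parser for the ipchains "Packet log" lines quoted above that flags the UDP 500-to-500 (IKE/ISAKMP) entries per source, so an admin can tell ISAKMP traffic apart from other denied packets. This is an added example, not code from the thread; the sample log is constructed from the quoted lines with a placeholder destination IP and one extra unrelated TCP line.

```python
import re
from collections import Counter

# Constructed sample in the Linux 2.2 ipchains "Packet log" format from the post;
# 10.0.0.1 stands in for "<my ip>" and the last line is a non-ISAKMP control case.
SAMPLE_LOG = """\
Sep 1 11:13:55 myhost kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 10.0.0.1:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep 1 11:13:56 myhost kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 10.0.0.1:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep 1 11:14:53 myhost kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 10.0.0.1:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)
Sep 1 11:15:02 myhost kernel: Packet log: input DENY atm0 PROTO=6 192.0.2.7:4321 10.0.0.1:22 L=60 S=0x00 I=1 F=0x4000 T=52 (#12)
"""

# Field order: chain action iface PROTO= src:sport dst:dport L= S= I= F= T= (#rule)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

UDP = 17
ISAKMP_PORT = 500  # IKE/ISAKMP key negotiation, the service HD Moore identifies

def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec

def is_isakmp_probe(rec):
    """UDP with both ports 500 is IKE/ISAKMP: a peer (misconfigured or probing)
    trying to negotiate an IPsec SA with this host."""
    return rec["proto"] == UDP and rec["sport"] == ISAKMP_PORT and rec["dport"] == ISAKMP_PORT

def summarize(log_text):
    """Count ISAKMP hits per source and record the IP lengths seen, so repeated
    attempts from one peer and unusual payload sizes stand out."""
    hits, lengths = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_isakmp_probe(rec):
            hits[rec["src"]] += 1
            lengths.setdefault(rec["src"], set()).add(rec["len"])
    return {src: {"count": n, "lengths": sorted(lengths[src])} for src, n in hits.items()}

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} ISAKMP packets, IP lengths {info['lengths']}")
```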