Port scanning concern


Port scanning concern

Jason P.
Hi folks.

These days I've been noticing port scanning attempts in my UFW log that
I can barely understand.

First, I'm behind the router's firewall and this is supposed to protect
me from the outside.

Second and more strange is that the attacker's ip is Medibuntu's repo one.


[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45683 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45684 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45685 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45686 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45687 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45688 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45689 WINDOW=0 RES=0x00 RST URGP=0

[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0


I don't want to seem paranoid, but although I'm not 100% sure, I believe
some time ago I installed an unsigned package from there. I'd appreciate
your help so I could sleep better hehe.


Thanks to all!

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: Port scanning concern

Tony Arnold-3
Jason,

I presume the DST=local_ip shows as a real local IP address behind your
router (e.g., 192.168.1.27)? And that you do not have any port
forwarding on your router that could be relevant?

It looks to me like return traffic from outgoing connections to
88.191.127.22. The outgoing connection would be http so it would connect
on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
a random high number destination port (DST).

UFW should allow such return traffic if it's set up iptables correctly.

Do these log entries correspond to a time of day when your system may be
looking for updates?

Regards,
Tony.

On 25/11/12 15:31, Jason P. wrote:

> Hi folks.
>
> These days I've been noticing port scanning attempts in my UFW log that
> I can barely understand.
>
> First, I'm behind the router's firewall and this is supposed to protect
> me from the outside.
>
> Second and more strange is that the attacker's ip is Medibuntu's repo one.
>
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45683 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45684 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45685 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45686 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45687 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45688 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45689 WINDOW=0 RES=0x00 RST URGP=0
>
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
>
>
> I don't want to seem paranoid, but although I'm not 100% sure, I believe
> some time ago I installed an unsigned package from there. I'd appreciate
> your help so I could sleep better hehe.
>
>
> Thanks to all!
>

--
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: [hidden email]


Re: Port scanning concern

Jason P.
On 25/11/12 17:35, Tony Arnold wrote:
> Jason,
>
> I presume the DST=local_ip shows as a real local IP address behind your
> router (e.g., 192.168.1.27)? And that you do not have any port
> forwarding on your router that could be relevant?
>

You're right. local_ip is a real LAN IP address. Port forwarding is
irrelevant here.

> It looks to me like return traffic from outgoing connections to
> 88.191.127.22. The outgoing connection would be http so it would connect
> on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
> a random high number destination port (DST).
>

Does it make sense trying to connect in sequence apparently to random
ports? Other days port numbers are different, but always consecutive.
Normally 10 in a row or so.

> UFW should allow such return traffic if it's set up iptables correctly.
>
> Do these log entries correspond to a time of day when your system may be
> looking for updates?
>

Maybe. I should check it. Thanks for the tip.

> Regards,
> Tony.
>
> On 25/11/12 15:31, Jason P. wrote:
>> Hi folks.
>>
>> These days I've been noticing port scanning attempts in my UFW log that
>> I can barely understand.
>>
>> First, I'm behind the router's firewall and this is supposed to protect
>> me from the outside.
>>
>> Second and more strange is that the attacker's ip is Medibuntu's repo one.
>>
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45683 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45684 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45685 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45686 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45687 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45688 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45689 WINDOW=0 RES=0x00 RST URGP=0
>>
>> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
>> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
>>
>>
>> I don't want to seem paranoid, but although I'm not 100% sure, I believe
>> some time ago I installed an unsigned package from there. I'd appreciate
>> your help so I could sleep better hehe.
>>
>>
>> Thanks to all!
>>
>



Re: Port scanning concern

Tony Arnold-3
Jason,

On 25/11/12 17:06, Jason P. wrote:

> On 25/11/12 17:35, Tony Arnold wrote:
>> Jason,
>>
>> I presume the DST=local_ip shows as a real local IP address behind your
>> router (e.g., 192.168.1.27)? And that you do not have any port
>> forwarding on your router that could be relevant?
>>
>
> You're right. local_ip is a real LAN IP address. Port forwarding is
> irrelevant here.
>
>> It looks to me like return traffic from outgoing connections to
>> 88.191.127.22. The outgoing connection would be http so it would connect
>> on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
>> a random high number destination port (DST).
>>
>
> Does it make sense trying to connect in sequence apparently to random
> ports? Other days port numbers are different, but always consecutive.
> Normally 10 in a row or so.

Quite possibly. Each outgoing connection would have a destination port
of 80 and a source port of some high number random port. Consecutive
connections could well use consecutive ports, thus the return traffic
would have consecutive destination ports as you are seeing.

It's also unlikely that any malware would be scanning your machine with a
source port of 80! Besides, such scanning should not get through your
router.

It looks to me like UFW has not set up iptables properly.

>> UFW should allow such return traffic if it's set up iptables correctly.
>>
>> Do these log entries correspond to a time of day when your system may be
>> looking for updates?
>>
>
> Maybe. I should check it. Thanks for the tip.

That would help.

Regards,
Tony.
--
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: [hidden email]

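The two points made above, Tony's reading of the SPT=80 lines as replies to connections the host opened and the consecutive destination ports Jason noticed, can both be checked mechanically rather than by eye. The following Python script is an added example for this thread, not code from the list or from UFW itself. It parses `[UFW BLOCK]` lines in the format shown in Jason's mail, labels each packet as probable return traffic (service source port, ephemeral destination port, and an ACK/RST/FIN flag, as the page's lines carry `RST`) or as an inbound connection attempt (a bare SYN), and reports runs of consecutive destination ports per remote source. The port thresholds and the labels are this example's own assumptions; the sample input is constructed from the ten lines in the thread plus one made-up inbound SYN from 203.0.113.5 (a documentation address) so that both branches are exercised.

```python
import re
from collections import defaultdict

# Matches the KEY=value fields of a netfilter/UFW log line.
_FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
# TCP flag names that the kernel LOG target prints as bare tokens (no '=').
_TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# Constructed sample input (not a real log): the ten lines from the thread,
# with the DST placeholder kept, plus one constructed inbound SYN to port 22
# from 203.0.113.5 (a documentation address) so both branches are exercised.
SAMPLE_LINES = [
    "[UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00 "
    f"TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT={dpt} WINDOW=0 RES=0x00 RST URGP=0"
    for dpt in range(45681, 45691)
] + [
    "[UFW BLOCK] SRC=203.0.113.5 DST=local_ip LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=48 ID=12345 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_ufw_block(line):
    """Turn one '[UFW BLOCK] ...' line into a dict; None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    rec = dict(_FIELD.findall(line))
    # Flag names have no '=', so collect them separately from the fields.
    rec["FLAGS"] = {tok for tok in line.split() if tok in _TCP_FLAGS}
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Heuristic triage label (thresholds are this example's assumptions).

    return-traffic : service source port, ephemeral destination port, and an
                     ACK/RST/FIN flag: a reply to a connection this host opened
                     (Tony's reading of the SPT=80 lines).
    inbound-probe  : a bare SYN arriving from outside, i.e. someone trying to
                     open a connection to this host.
    other          : anything else; worth a look but not one of the two above.
    """
    if rec.get("PROTO") != "TCP":
        return "other"
    spt, dpt, flags = rec["SPT"], rec["DPT"], rec["FLAGS"]
    if spt < 1024 and dpt >= 1024 and flags & {"ACK", "RST", "FIN"}:
        return "return-traffic"
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-probe"
    return "other"


def consecutive_runs(records, min_len=3):
    """Per (SRC, SPT), report runs of consecutive destination ports of length
    >= min_len as (src, spt, first_dpt, last_dpt). Consecutive ephemeral ports
    on the reply side are what a burst of outgoing connections leaves behind,
    the pattern Jason described."""
    by_peer = defaultdict(list)
    for r in records:
        by_peer[(r["SRC"], r["SPT"])].append(r["DPT"])
    runs = []
    for (src, spt), ports in by_peer.items():
        ports = sorted(set(ports))
        start = prev = ports[0]
        for p in ports[1:] + [None]:          # None flushes the last run
            if p is not None and p == prev + 1:
                prev = p
                continue
            if prev - start + 1 >= min_len:
                runs.append((src, spt, start, prev))
            if p is not None:
                start = prev = p
    return runs


def summarise(lines):
    """Parse, classify and look for consecutive-port runs in a list of lines."""
    recs = [r for r in map(parse_ufw_block, lines) if r]
    counts = defaultdict(int)
    for r in recs:
        counts[classify(r)] += 1
    return {"total": len(recs), "counts": dict(counts), "runs": consecutive_runs(recs)}


if __name__ == "__main__":
    result = summarise(SAMPLE_LINES)
    print(f"{result['total']} blocked packets: {result['counts']}")
    for src, spt, first, last in result["runs"]:
        print(f"{src}:{spt} -> consecutive DPT run {first}..{last}")
```

Run against a real log, `summarise(open("/var/log/ufw.log").readlines())` gives a quick split between replies to the host's own connections and genuine inbound attempts; a large "return-traffic" count from a host you talk to (a package mirror, for instance) points at the firewall's connection tracking, as Tony suggests, rather than at the remote host.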

Re: Port scanning concern

Jason P.
On 25/11/12 18:51, Tony Arnold wrote:

> Jason,
>
> On 25/11/12 17:06, Jason P. wrote:
>> On 25/11/12 17:35, Tony Arnold wrote:
>>> Jason,
>>>
>>> I presume the DST=local_ip shows as a real local IP address behind your
>>> router (e.g., 192.168.1.27)? And that you do not have any port
>>> forwarding on your router that could be relevant?
>>>
>>
>> You're right. local_ip is a real LAN IP address. Port forwarding is
>> irrelevant here.
>>
>>> It looks to me like return traffic from outgoing connections to
>>> 88.191.127.22. The outgoing connection would be http so it would connect
>>> on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
>>> a random high number destination port (DST).
>>>
>>
>> Does it make sense trying to connect in sequence apparently to random
>> ports? Other days port numbers are different, but always consecutive.
>> Normally 10 in a row or so.
>
> Quite possibly. Each outgoing connection would have a destination port
> of 80 and a source port of some high number random port. Consecutive
> connections could well use consecutive ports, thus the return traffic
> would have consecutive destination ports as you are seeing.
>
> It's also unlikely that any malware would be scanning your machine with a
> source port of 80! Besides, such scanning should not get through your
> router.
>
> It looks to me like UFW has not set up iptables properly.
>
>>> UFW should allow such return traffic if it's set up iptables correctly.
>>>
>>> Do these log entries correspond to a time of day when your system may be
>>> looking for updates?
>>>
>>
>> Maybe. I should check it. Thanks for the tip.
>
> That would help.
>
> Regards,
> Tony.
>

Thanks, I'll rest better ;)




Re: Port scanning concern

gene heskett-4
In reply to this post by Tony Arnold-3
On Sunday 25 November 2012 13:48:36 Tony Arnold did opine:

> Jason,
>
> On 25/11/12 17:06, Jason P. wrote:
> > On 25/11/12 17:35, Tony Arnold wrote:
> >> Jason,
> >>
> >> I presume the DST=local_ip shows as a real local IP address behind
> >> your router (e.g., 192.168.1.27)? And that you do not have any port
> >> forwarding on your router that could be relevant?
> >
> > You're right. local_ip is a real LAN IP address. Port forwarding is
> > irrelevant here.
> >
> >> It looks to me like return traffic from outgoing connections to
> >> 88.191.127.22. The outgoing connection would be http so it would
> >> connect on port 80/tcp. Return traffic would have a source port
> >> (SPT) of 80 and a random high number destination port (DST).
> >
> > Does it make sense trying to connect in sequence apparently to random
> > ports? Other days port numbers are different, but always consecutive.
> > Normally 10 in a row or so.
>
> Quite possibly. Each outgoing connection would have a destination port
> of 80 and a source port of some high number random port. Consecutive
> connections could well use consecutive ports, thus the return traffic
> would have consecutive destination ports as you are seeing.
>
> It's also unlikely that any malware would be scanning your machine with a
> source port of 80! Besides, such scanning should not get through your
> router.
 
Slight correction here, incoming port 80 would not get past his ISP. I've
had several internet providers over the last 20 years, and even in 2400
baud dialup days no incoming port 80 gets past the ISP so they're forcing
the conventional folks to use their web server farm, which of course loads
YOUR web page up with THEIR advertising.

> It looks to me like UFW has not set up iptables properly.
>
> >> UFW should allow such return traffic if it's set up iptables
> >> correctly.
> >>
> >> Do these log entries correspond to a time of day when your system may
> >> be looking for updates?
> >
> > Maybe. I should check it. Thanks for the tip.
>
> That would help.
>
> Regards,
> Tony.

Regarding routers, DD-WRT, installed on a router with enough resources, has
been bullet proof against the black hat attacks here for several years.
Sitting on a cable modem, they are there by the kajillians, but watching
the logs long ago grew boring.

Cheers, Gene
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
Bershere's Formula for Failure:
        There are only two kinds of people who fail: those who
        listen to nobody... and those who listen to everybody.


Re: Port scanning concern

iceblink
On 2012-11-25 21:03, Gene Heskett wrote:

> On Sunday 25 November 2012 13:48:36 Tony Arnold did opine:
>
>> Jason,
>>
>> On 25/11/12 17:06, Jason P. wrote:
>> > On 25/11/12 17:35, Tony Arnold wrote:
>> >> Jason,
>> >>
>> >> I presume the DST=local_ip shows as a real local IP address
>> behind
>> >> your router (e.g., 192.168.1.27)? And that you do not have any
>> port
>> >> forwarding on your router that could be relevant?
>> >
>> > You're right. local_ip is a real LAN IP address. Port forwarding is
>> > irrelevant here.
>> >
>> >> It looks to me like return traffic from outgoing connections to
>> >> 88.191.127.22. The outgoing connection would be http so it would
>> >> connect on port 80/tcp. Return traffic would have a source port
>> >> (SPT) of 80 and a random high number destination port (DST).
>> >
>> > Does it make sense trying to connect in sequence apparently to
>> random
>> > ports? Other days port numbers are different, but always
>> consecutive.
>> > Normally 10 in a row or so.
>>
>> Quite possibly. Each outgoing connection would have a destination
>> port
>> of 80 and a source port of some high number random port. Consecutive
>> connections could well use consecutive ports, thus the return
>> traffic
>> would have consecutive destination ports as you are seeing.
>>
>> It's also unlikely that any malware would be scanning your machine
>> with a
>> source port of 80! Besides, such scanning should not get through
>> your
>> router.
>
> Slight correction here, incoming port 80 would not get past his ISP.
> I've
> had several internet providers over the last 20 years, and even in
> 2400
> baud dialup days no incoming port 80 gets past the ISP so they're
> forcing
> the conventional folks to use their web server farm, which of course
> loads
> YOUR web page up with THEIR advertising.
>
Maybe in your location. Over here all providers allow you to have your
own server at home doing whatever you want to do, on whatever port you
like. They just limit the uploading bandwidth or data usage (or both).


Best regards,
Patrick Asselman




Re: Port scanning concern

gene heskett-4
On Monday 26 November 2012 02:57:23 Patrick Asselman did opine:

> On 2012-11-25 21:03, Gene Heskett wrote:
> > On Sunday 25 November 2012 13:48:36 Tony Arnold did opine:
> >> Jason,
> >>
> >> On 25/11/12 17:06, Jason P. wrote:
> >> > On 25/11/12 17:35, Tony Arnold wrote:
> >> >> Jason,
> >> >>
> >> >> I presume the DST=local_ip shows as a real local IP address
> >>
> >> behind
> >>
> >> >> your router (e.g., 192.168.1.27)? And that you do not have any
> >>
> >> port
> >>
> >> >> forwarding on your router that could be relevant?
> >> >
> >> > You're right. local_ip is a real LAN IP address. Port forwarding is
> >> > irrelevant here.
> >> >
> >> >> It looks to me like return traffic from outgoing connections to
> >> >> 88.191.127.22. The outgoing connection would be http so it would
> >> >> connect on port 80/tcp. Return traffic would have a source port
> >> >> (SPT) of 80 and a random high number destination port (DST).
> >> >
> >> > Does it make sense trying to connect in sequence apparently to
> >>
> >> random
> >>
> >> > ports? Other days port numbers are different, but always
> >>
> >> consecutive.
> >>
> >> > Normally 10 in a row or so.
> >>
> >> Quite possibly. Each outgoing connection would have a destination
> >> port
> >> of 80 and a source port of some high number random port. Consecutive
> >> connections could well use consecutive ports, thus the return
> >> traffic
> >> would have consecutive destination ports as you are seeing.
> >>
> >> It's also unlikely that any malware would be scanning your machine
> >> with a
> >> source port of 80! Besides, such scanning should not get through
> >> your
> >> router.
> >
> > Slight correction here, incoming port 80 would not get past his ISP.
> > I've
> > had several internet providers over the last 20 years, and even in
> > 2400
> > baud dialup days no incoming port 80 gets past the ISP so they're
> > forcing
> > the conventional folks to use their web server farm, which of course
> > loads
> > YOUR web page up with THEIR advertising.
>
> Maybe in your location.

This is the US, with its toothless FCC, who are, and have been for 35
years, for sale to the highest bidder as far as the telecoms are concerned.
Heck, I've had a 1st Phone ticket since '62, but they sold us down the
river about 30 years back & no one at the commission today even knows what
a 1st Phone was.  I am also a C.E.T., a considerably harder test, so when I
want to impress the frogs, that is the card I flip out.

> Over here all providers allow you to have your
> own server at home doing whatever you want to do, on whatever port you
> like. They just limit the uploading bandwidth or data usage (or both).

Which is why, if you check the sig, it's not on port 80.  No advertising,
just me, blowing my own horn basically.  I should smunch that picture so it
loads faster, but it's been there since mid 2004 without many complaints.
 
> Best regards,
> Patrick Asselman


Cheers Patrick, Gene
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
Stupidity got us into this mess -- why can't it get us out?
