Port Scan Info???
Results 1 to 7 of 7

Thread: Port Scan Info???

  1. #1
    Junior Member
    Join Date
    Aug 2002
    Posts
    14

    Port Scan Info???

    I was wondering if anyone had some example syslogs where a port scan was detected?

  2. #2
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Sure....for this example i have portscanned my computer from a remote machine, and this is what my firewall logs tell me

    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23727 DF PROTO=TCP SPT=1359 DPT=39 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23728 DF PROTO=TCP SPT=1360 DPT=40 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23729 DF PROTO=TCP SPT=1362 DPT=42 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23730 DF PROTO=TCP SPT=1363 DPT=43 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23731 DF PROTO=TCP SPT=1364 DPT=44 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23732 DF PROTO=TCP SPT=1365 DPT=45 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23733 DF PROTO=TCP SPT=1361 DPT=41 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23734 DF PROTO=TCP SPT=1370 DPT=50 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23735 DF PROTO=TCP SPT=1366 DPT=46 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23736 DF PROTO=TCP SPT=1367 DPT=47 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23737 DF PROTO=TCP SPT=1368 DPT=48 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23738 DF PROTO=TCP SPT=1369 DPT=49 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23739 DF PROTO=TCP SPT=1371 DPT=51 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23740 DF PROTO=TCP SPT=1372 DPT=52 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23741 DF PROTO=TCP SPT=1373 DPT=53 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23742 DF PROTO=TCP SPT=1374 DPT=54 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23743 DF PROTO=TCP SPT=1375 DPT=55 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23744 DF PROTO=TCP SPT=1378 DPT=58 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23745 DF PROTO=TCP SPT=1379 DPT=59 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23746 DF PROTO=TCP SPT=1380 DPT=60 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23747 DF PROTO=TCP SPT=1376 DPT=56 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23748 DF PROTO=TCP SPT=1377 DPT=57 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23749 DF PROTO=TCP SPT=1381 DPT=61 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23750 DF PROTO=TCP SPT=1382 DPT=62 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23751 DF PROTO=TCP SPT=1383 DPT=63 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23752 DF PROTO=TCP SPT=1384 DPT=64 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Feb 10 10:18:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:e0:98:9f:b6:81:00:50:bf:2b:65:e0:08:00 SRC=192.168.20.11 DST=192.168.20.17 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=23753 DF PROTO=TCP SPT=1385 DPT=65 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)


    This is just a short copy/paste from my logs, the real logs were like 10 pages long, but it should be enough for you too get the idea. My firewall is set to "drop" all icmp packets, so in this situation, my firewall shows me that it has dropped the packets comming from 192.168.20.11 , to my computer on 192.168.20.17 . it also tells me on which interface the attack came in on (eth0 - etherenet card 1) aswell as the infformation that it was a SYN scan (the attack wished to synchronize with me, thats part of the 3 way handshake, syn, ack, fin), along with the time and date. Also i forgot to mention, the DPT= are the destination ports it tried to scan. So this info is enough for me to tell that i have been portscanned.

    Hope this helps you.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  3. #3
    Junior Member
    Join Date
    Aug 2002
    Posts
    14
    I'm assuming the DPT means destination port?? If so.. how come the ports seem to go like.. 50, 51,52,53,54 and then skip... Doesn't the port scan go through all the ports in order???

    OH and thank you for your reply.

  4. #4
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    That depends on how you scan. I usually scan interesting ports first, and not just from 1 - whatever. Or i use random port scans, which just scans randomly. That depends on the person who is scanning. And yes, DPT means destination ports. I did not post the entire logfile results (10 pages in like 30 seconds). Its just 1 page that i copied/pasted.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  5. #5
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    not to butt into the conversation here, but a skilled attacker will scan politely and in small spaced out intervals (possibly from multiple machines, or flooded with spoofs)... maybe some one could explain some techniques on how to discover/find these kinds of scans (those with a bit more thought put into them) ??? just a thought. anyway-

    [edit]
    example: like with a spoofed scan, you could count the hops (try and match up the real IP, against all the spoofed ones, etc...)
    [/edit]

    -take it easy
    yeah, I\'m gonna need that by friday...

  6. #6
    Junior Member
    Join Date
    Feb 2003
    Posts
    3
    Yeah Tampa - a scan in series like that would set off alarms. A skilled hacker will use small steps as you mentioned about will occur:


    perform simple ping tests to tell whether a remote computer is alive
    resolve hostnames into IP addresses and reverse lookup IP addresses into hostnames
    attempt to connect to other computers on a TCP network to see what services they are running
    read responses from connected hosts
    scan from a range of addresses and ports
    scan from a list of ports
    scan from selected ports from a list

    Attacks may vary to DDOS [read - sites like www.grc.com] Grc links will explain what each ports are used for from netbios to Sub7 ports to DoomsDay.

    Peace

  7. #7
    Junior Member
    Join Date
    Aug 2002
    Posts
    14
    I'm not sure how to ask this w/o looking like a dweeb.. but I'm a newbie to the security world so I think I'll risk it...


    What would I look for when looking for a port scan in Unix environment that uses Cisco routers...

    how would my syslog look during a portscan? Would I just see denies from a certain IP address because of the ACL's??? Would it use a certain protocol(UDP or TCP)?

    Thanks in advance.....

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •