
Thread: Firewalking?

  1. #1  Tiger Shark, AO Ancient: Team Leader (Join Date Oct 2002, Posts 5,197)

    Firewalking?

    So, yesterday I started running a new service on an external "sniffer". It picks up on SYNs only.... Looking at the log today I see _lots_ of SYNs from a single IP..... So I take a look around.... Interesting.... The firewall reports a single machine making outbound requests on port 80 between 1 and 4 times per minute for a minute, then waiting a seemingly random time and trying again.... The interesting thing is that immediately after the outbound port 80 request to the remote IP the remote IP tries an inbound SYN on a high port that is blocked by the firewall. The local and remote complete the three-way and then the remote attempts the inbound..... After an undeterminable amount of time, (I haven't had time to look.... ), the inbound attempted port changes. But it only started at 16:09 local and I started the service 3 hours before....

    Unfortunately, I don't control the computer that is doing this.... So I called the admin and asked for domain admin username/password and local admin/password combinations.... Got both and neither work! A tad worrying....

    I have blocked the remote at the firewall, told the admin to relax and get drunk for the weekend and I'll call her on monday...... Not to mess with the machine, disconnect it or turn it off.....

    So... The question is.... Is there something on that machine that is contacting, through an unblockable port, a machine that will then test the firewall rules back trying to find a hole..... It looks like it to me..... But I might just be being a moron......

    Anyone have any experience with this or is it simple spyware?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2  Nokia, Right turn Clyde (Join Date Aug 2003, Location Button Moon, Posts 1,696)
    It is certainly very suspicious. Do you have any software installed that would behave like this?

    Have you checked to see who the ip belongs to that it is trying to connect with?

  3. #3  Senior Member (Join Date Jan 2002, Posts 1,207)

    Re: Firewalking?

    Originally posted here by Tiger Shark
    So, yesterday I started running a new service on an external "sniffer". It picks up on SYNs only.... Looking at the log today I see _lots_ of SYNs from a single IP..... So I take a look around.... Interesting.... The firewall reports a single machine making outbound requests on port 80
    A single external host making outbound connections from *its* port 80?

    I take it when you said "It picks up on SYN's only" you did mean
    "It picks up only packets with the SYN flag set and the ACK flag clear" ?

    Because if they are SYN|ACK packets, I'm not surprised; someone on your network is browsing the web? Shocking behaviour which should be blocked at the firewall immediately.

    Seriously though, you really want to be more specific. Ideally post sanitised logs (change IPs into private address space)

    Slarty

  4. #4  Tiger Shark, AO Ancient: Team Leader (Join Date Oct 2002, Posts 5,197)
    Slarty: My apologies, I miscommunicated.... Yes, you are right... Some moron has probably left their browser open on a page that keeps pulling Ads from the site it's on. That's not particularly astounding, I agree.... It's what follows from the remote host that I haven't seen before. In the text below the following represent the machines in question:-

    1. 192.168.1.1 = My Firewall
    2. 192.168.1.2 = My internal client
    3. 10.0.0.1 = remote host.

    15:30:09 : allow out eth1:9 48 tcp 20 125 192.168.1.2 10.0.0.1 3772 80 syn
    15:30:09 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 43372 3765 syn
    15:30:12 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 43372 3765 syn
    15:40:12 : allow out eth1:9 48 tcp 20 125 192.168.1.2 10.0.0.1 3776 80 syn
    15:40:12 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 44899 3765 syn
    15:40:15 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 44899 3765 syn
    15:50:16 : allow out eth1:9 48 tcp 20 125 192.168.1.2 10.0.0.1 3780 80 syn
    15:50:16 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 47313 3765 syn
    15:50:19 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 47313 3765 syn
    16:00:19 : allow out eth1:9 48 tcp 20 125 192.168.1.2 10.0.0.1 3790 80 syn
    16:00:19 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 48540 3765 syn
    16:00:22 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 48540 3765 syn
    16:10:22 : allow out eth1:9 48 tcp 20 125 192.168.1.2 10.0.0.1 3806 80 syn
    16:10:22 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 49954 3765 syn
    16:10:25 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 49954 3765 syn
    16:20:26 : allow out eth1:9 48 tcp 20 125 192.168.1.2 10.0.0.1 3820 80 syn
    16:20:26 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 52041 3765 syn
    16:20:29 : deny in eth0 60 tcp 20 47 10.0.0.1 192.168.1.1 52041 3765 syn

    This is my firewall log since it demonstrates it better than the other tool, because that is filtered not to show connections from my internal network. You will notice that this log also only shows the SYN packets but that's ok..... As you can see my internal machine requests HTTP every 10 minutes, (that's fair), and an Ethereal dump of the activity shows a normal sequence of events for a client pulling remote host content - (a CGI script). However, if you look at the "deny in"s the remote machine attempts a connection on an unassociated port, (the last number before the "syn" on each line), immediately and then again 3 seconds later, then gives up. It doesn't show it here but the unassociated port changes over time. It has been down in the 2140's and all the way up in the 27000's.

    This looks to me like some kind of scan-back trying to see if the firewall will allow a connection back into my network.... But that might just be the crusty, suspicious old fart in me....

    Any thoughts as to why an apparent host of simple HTTP content across the internet would try to make any other communication with its clients other than to complete the transaction with its client and move on to "bigger and better things"?

  5. #5  nihil, Senior Member (Join Date Jul 2003, Location United Kingdom: Bridlington, Posts 17,188)
    Hi Tiger,

    Not my area of expertise, as I am sure you know. But I do get drunk with people who are responsible for this sort of thing, and they do share with me.

    I remember an incident where a user had surfed a website (non-work related) and had checked the box for updates. OK a lot just send you an e-mail, for this very reason! This one was "clever" and did not.

    Her machine would wait about 5 minutes (from boot) then go to the website to see if there was an update, the responding machine would come back and get blocked at the firewall. I guess that its autorespond software was programmed to handle "busy" connections, so it would try a couple of similar ports (high numbers as I recall, but it was some time ago).

    We suspected that whatever was doing the "phone home" stuff was driven by a time/date parameter AND a system activity parameter, which made it seem kind of random? Unfortunately my buddies just reformatted and re-installed, so I never got to look at what it was

    So, you might have some sort of trojan/malware, or it could be relatively innocent? I would suggest that you open a "pink file" for that User and stamp it K.O.S (kill on sight). Seriously though, this is where software audits and keyloggers come to mind

    Sorry, not much help here, but I thought you might be interested in the experience?

    Cheers

  6. #6  Tiger Shark, AO Ancient: Team Leader (Join Date Oct 2002, Posts 5,197)
    Nihil: Thanks for the info.... borne in mind.....

    I guess that it is as big of an anathema to others as it is to myself at this point..... I'll look harder tomorrow when I can get physical access...... Right now the remote is blocked at the firewall indefinitely.....
