-
February 25th, 2005, 09:58 PM
#1
discards
Usually I just ignore discard syslog messages, but these are so redundant and have been going on for such a long time that I figure I should find out more about them.
These are sent from a remote WatchGuard SOHO6 client. Does anyone have any idea what they are? TIA.
2005-02-24 18:26:28 Local0.Warning 192.168.27.1 IP: discard from 70.21.162.105 port 1306 to 70.21.236.75 port 445 TCP SYN (default)
2005-02-24 18:26:29 Local0.Warning 192.168.17.1 IP: discard from 81.244.181.48 port 52183 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:29:40 Local0.Warning 192.168.31.1 IP: discard from 70.21.156.139 port 2240 to 70.21.143.248 port 139 TCP SYN (default)
2005-02-24 18:38:39 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:44 Local7.Debug ECH_LCOS Rule 'Local Security Authority System Service': Permitted: Out UDP, localhost:3834->mail.athena.com [10.0.0.20:88], Owner: C:\WINNT\SYSTEM32\LSASS.EXE
2005-02-24 18:38:44 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:38:44 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
2005-02-24 18:38:46 Local7.Debug ECH_LCOS Rule 'Local Security Authority System Service': Permitted: In UDP, mail.athena.com [10.0.0.20:88]->localhost:3834, Owner: C:\WINNT\SYSTEM32\LSASS.EXE
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
Edit: sorry, I've been going through log files all day and guess I'm burnt out. The second IP was the ext interface :-[
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
February 25th, 2005, 10:01 PM
#2
Maybe a victim of an nmap idle scan?
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
February 25th, 2005, 10:05 PM
#3
Those look like Time Warner IP addresses to me; perhaps you should contact them? But it does look like some type of port scan or IP scan.
-
February 25th, 2005, 10:06 PM
#4
Are you saying that you have a SOHO out there sending you this?
It looks more like it's a misconfigured software firewall somewhere, because a hardware firewall wouldn't know about LSASS.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 25th, 2005, 10:13 PM
#5
Sorry TS, I didn't notice that entry. That should not be included, only the discards. Good eye though. That entry is from an old version of Tiny, configured to allow everything (broken down into different categories by rule name), log everything and send the messages to my syslogd.
But yes, the rest come from my SOHO, configured under syslog settings to send to me.
TS, I still have to spread my points around.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
February 25th, 2005, 10:50 PM
#6
BTW, the reason I leaned towards the idle scan (which is kind of hard for me to tell, given that I don't know how your network is set up and I don't know what your public IP would be) is that it looks pretty obvious to me that one side of that conversation is being scanned. However, now that I think about it, those connections are SYN, and if it was an idle scan you'd be seeing SYN-ACK or RST. I still think it is some kind of scan though (fast connection times, hitting certain ports only, i.e. none of the BS ports like 5 or 6).
Is that LAN IP running an FTP server? Do you do anti-spoofing ingress/egress filtering?
How many other PCs are on the network? Do you control them all?
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
February 26th, 2005, 12:03 AM
#7
Couple of questions:
Is the dest netblock even close to yours on the predominant target?
It's a limited scan with regard to the ports scanned... That often seems to indicate that the ports may have been open in the past..... Databases are out there with open port information.... I know the ports are normally blocked, but is it possible they leaked in the past?
It's a fairly quick scan, except for the inconsistent first few entries, so it appears automated against the 68.167.42.2 address, and the source remains the same during that scan. Have you searched the logs for the source address historically? If so, what were the results? Don't post them, just indicate if they exist from that source.... It might indicate a "long, slow" scan....
Any other pertinent info you can think of without posting identifiable information?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 26th, 2005, 01:22 AM
#8
Offhand, based on the ports, it looks like a Sasser variant searching for new victims.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
March 5th, 2005, 10:01 AM
#9
If I were seeing those in my logs, my first thought would be that I was being scanned continuously. I only saw SYN in the log entries, and the ACKs and RSTs were missing. Just my 2 cents.
*EDIT* apologies - I just reread this thread and responses and saw Nebulus's post */EDIT*
"In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily
-
March 5th, 2005, 01:49 PM
#10
Well, interestingly, if it's not nmap (limited port scanning, since it only appears to do 135, 139, 445, 1433), then it might be ExecuBot.B or some other bot variant?
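As an added example (not code from anyone in this thread, and not WatchGuard or Tiny code), here is a small Python script that does what the posts above describe by hand: it parses SOHO6-style "IP: discard" syslog lines, skips anything not in that format (such as the Tiny Personal Firewall LSASS line), groups discards by source and destination, flags a source that probes several distinct ports on one host inside a short window, notes whether every probed port falls in the 135/139/445/1025/1433 set the posters singled out, and tallies each source's history across the whole log so repeat hits over a longer period (the "long, slow" scan asked about in post #7) show up. The sample lines are copied from the log posted above; the thresholds (three ports within sixty seconds) and the port set are assumptions chosen for illustration, not WatchGuard defaults, and the "Windows service sweep" label is a classification, not an attribution to any particular worm.

```python
"""Parse WatchGuard SOHO6 'IP: discard' syslog lines and flag port sweeps.
Added example for this thread. Thresholds and WINDOWS_SERVICE_PORTS are
assumptions chosen for illustration, not WatchGuard defaults."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the SOHO6 discard format seen in the thread, e.g.
# "... 192.168.27.1 IP: discard from 70.21.162.105 port 1306 to
#  70.21.236.75 port 445 TCP SYN (default)". The trailing flags are optional.
DISCARD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<reporter>\S+) IP: discard from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) port (?P<dport>\d+) "
    r"(?P<proto>\w+)(?: (?P<flags>[A-Z-]+))?"
)

# MS RPC, NetBIOS session, SMB, the RPC endpoint-mapper high port and MS SQL:
# the ports the posters noticed being hit together (assumed grouping).
WINDOWS_SERVICE_PORTS = {135, 139, 445, 1025, 1433}

# Copied from the log posted in this thread. The last line is from the Tiny
# Personal Firewall host, not the SOHO6, and must be skipped by the parser.
SAMPLE_LINES = r"""
2005-02-24 18:26:28 Local0.Warning 192.168.27.1 IP: discard from 70.21.162.105 port 1306 to 70.21.236.75 port 445 TCP SYN (default)
2005-02-24 18:26:29 Local0.Warning 192.168.17.1 IP: discard from 81.244.181.48 port 52183 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:29:40 Local0.Warning 192.168.31.1 IP: discard from 70.21.156.139 port 2240 to 70.21.143.248 port 139 TCP SYN (default)
2005-02-24 18:38:39 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:44 Local7.Debug ECH_LCOS Rule 'Local Security Authority System Service': Permitted: Out UDP, localhost:3834->mail.athena.com [10.0.0.20:88], Owner: C:\WINNT\SYSTEM32\LSASS.EXE
""".strip().splitlines()


def parse_discard(line):
    """Return a dict for one SOHO6 discard line, or None for any other line."""
    m = DISCARD_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "reporter": d["reporter"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "flags": d["flags"],
    }


def find_sweeps(lines, min_ports=3, window_seconds=60):
    """Flag (src, dst) pairs where one source hit >= min_ports distinct
    destination ports with every hit inside window_seconds: a port sweep."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_discard(line)
        if ev is not None:
            by_pair[(ev["src"], ev["dst"])].append(ev)
    sweeps = []
    for (src, dst), evs in sorted(by_pair.items()):
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        ports = sorted({e["dport"] for e in evs})
        if len(ports) >= min_ports and span <= window_seconds:
            sweeps.append({
                "src": src, "dst": dst, "ports": ports, "hits": len(evs),
                "span_seconds": span,
                "windows_service_sweep": set(ports) <= WINDOWS_SERVICE_PORTS,
            })
    return sweeps


def source_history(lines):
    """Per-source tally over the whole log: hit count, first and last seen,
    and the ports touched. Repeat hits spread over days would point to the
    'long, slow' scan the thread asks about, which a short window misses."""
    hist = {}
    for line in lines:
        ev = parse_discard(line)
        if ev is None:
            continue
        h = hist.setdefault(ev["src"], {"hits": 0, "first": ev["ts"],
                                        "last": ev["ts"], "dports": set()})
        h["hits"] += 1
        h["first"] = min(h["first"], ev["ts"])
        h["last"] = max(h["last"], ev["ts"])
        h["dports"].add(ev["dport"])
    return hist


if __name__ == "__main__":
    for s in find_sweeps(SAMPLE_LINES):
        kind = "Windows service sweep" if s["windows_service_sweep"] else "sweep"
        print(f"{s['src']} -> {s['dst']}: {kind}, ports {s['ports']}, "
              f"{s['hits']} SYNs in {s['span_seconds']:.0f}s")
    for src, h in sorted(source_history(SAMPLE_LINES).items()):
        print(f"{src}: {h['hits']} hit(s), {h['first']} .. {h['last']}, "
              f"ports {sorted(h['dports'])}")
```

Run against a real export, replace SAMPLE_LINES with the file's lines; only the 68.167.80.172 source is flagged on the sample (five distinct ports in three seconds), while the single-port hits from the other sources are reported by source_history but not as sweeps, which is the distinction the posters were drawing between background noise and a targeted scan.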