Thread: discards

  1. #1
    Senior Member | Join Date: Nov 2001 | Posts: 4,785

    discards

    Usually I just ignore discard syslog messages, but these are so redundant and going on for such a long time I figure I should find out more about them.

    These are sent from a remote WatchGuard SOHO6 client. Does anyone have any idea what they are? TIA.

    2005-02-24 18:26:28 Local0.Warning 192.168.27.1 IP: discard from 70.21.162.105 port 1306 to 70.21.236.75 port 445 TCP SYN (default)
    2005-02-24 18:26:29 Local0.Warning 192.168.17.1 IP: discard from 81.244.181.48 port 52183 to 68.167.42.2 port 1433 TCP SYN (default)

    2005-02-24 18:29:40 Local0.Warning 192.168.31.1 IP: discard from 70.21.156.139 port 2240 to 70.21.143.248 port 139 TCP SYN (default)

    2005-02-24 18:38:39 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
    2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
    2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
    2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
    2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
    2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
    2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
    2005-02-24 18:38:44 Local7.Debug ECH_LCOS Rule 'Local Security Authority System Service': Permitted: Out UDP, localhost:3834->mail.athena.com [10.0.0.20:88], Owner: C:\WINNT\SYSTEM32\LSASS.EXE
    2005-02-24 18:38:44 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
    2005-02-24 18:38:44 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
    2005-02-24 18:38:46 Local7.Debug ECH_LCOS Rule 'Local Security Authority System Service': Permitted: In UDP, mail.athena.com [10.0.0.20:88]->localhost:3834, Owner: C:\WINNT\SYSTEM32\LSASS.EXE
    2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
    2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
    2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
    2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)

    Edit: sorry, I've been going through log files all day and guess I'm burnt out. The second IP was the ext interface :-[
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    nebulus200 (Jaded Network Admin) | Join Date: Jun 2002 | Posts: 1,356
    Maybe victim of nmap idle scan?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member | Join Date: May 2003 | Posts: 1,199
    Those look like Time Warner IP addresses to me; perhaps you should contact them? But it does look like some type of portscan or IP scan.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Are you saying that you have a SOHO out there sending you this?

    It looks more like it's a misconfigured software firewall somewhere because a hardware firewall wouldn't know about LSASS.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    Sorry TS, I didn't notice that entry. That should not be included, only the discards. Good eye though. That entry is from an old version of Tiny, configured to allow everything (broken down in different categories by rule name), log everything and send the messages to my syslogd.

    But yes, the rest come from my SOHO, configured under syslog settings to send to me.


    TS, I still have to spread my points around.

  6. #6
    nebulus200 (Jaded Network Admin) | Join Date: Jun 2002 | Posts: 1,356
    BTW, the reason I leaned towards the idle scan (which it's kind of hard for me to tell, given that I don't know how your network is set up and I don't know what your public IP would be) is that it looks pretty obvious to me that one side of that conversation is being scanned. However, now that I think about it, those connections are SYN, and if it was an idle scan you'd be seeing SYN-ACK or RST. I still think it is some kind of scan though (fast connection times, hitting certain ports only, i.e. no BS ports like 5 or 6).

    Is that LAN IP running an FTP server? Do you do anti-spoofing ingress/egress filtering ?

    How many other PCs on the network? Do you control them all?

  7. #7
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Couple of questions:

    Is the dest netblock even close to yours on the predominant target?

    It's a limited scan with regard to the ports scanned... That often seems to indicate that the ports may have been open in the past..... Databases are out there with open port information.... I know the ports are normally blocked but is it possible they leaked in the past?

    It's a fairly quick scan except for the inconsistent first few entries, so it appears automated against the 68.167.42.2 address, and the source remains the same during that scan. Have you searched the logs for the source address historically? If so, what were the results? Don't post them, just indicate if they exist from that source.... It might indicate a "long, slow" scan....

    Any other pertinent info you can think of without posting identifiable information?

  8. #8
    IKnowNot (Senior Member) | Join Date: Jan 2003 | Posts: 792
    Offhand, based on the ports, looks like a SASSER variant searching for new victims.
    "And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    IcSilk (Senior Member) | Join Date: Aug 2001 | Posts: 296
    If I were seeing those in my logs my first thought would be that I was being scanned continuously - I only saw SYN in the loggings and the ACKs and RSTs were missing - just my 2 cents.

    *EDIT* apologies - I just reread this thread and responses and saw Nebulus's post */EDIT*
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  10. #10
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    Well, interestingly if it's not nmap (limited port scanning since it only appears to do 135, 139, 445, 1433) then it might be ExecuBot.B or some other bot variant?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
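    As an added example, not code from the thread or from WatchGuard: a small Python parser for the "IP: discard" syslog format pasted in post #1, grouping the discards by source address and reporting for each source the distinct destination ports, the targets, the time span and whether every probe was a bare SYN. That is the same evidence posts #6, #7, #8 and #10 weigh by eye (a short burst of SYNs from one source against 135/139/445/1025/1433). The regex, the sample log (the lines from post #1 plus one of the unrelated Tiny/LSASS lines, which the parser has to skip) and the sweep thresholds (three or more distinct ports within 60 seconds) are my assumptions, not anything the SOHO6 documents.

```python
"""Parse WatchGuard-style "IP: discard" syslog lines and summarise them by source.

Added example, not code from the thread or from WatchGuard: the regex mirrors the
line format pasted in post #1, the sample lines are copied from that post, and the
sweep thresholds (min_ports, max_span_seconds) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# One discard record: "<ts> <facility.severity> <reporting fw> IP: discard from
# <src> port <sport> to <dst> port <dport> <proto> [<flags>] (<rule>)"
DISCARD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<reporter>\S+) "
    r"IP: discard from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) port (?P<dport>\d+) (?P<proto>\w+)"
    r"(?: (?P<flags>[\w-]+))? \((?P<rule>[^)]*)\)\s*$"
)

# Constructed sample: the discard lines from post #1 plus one unrelated Tiny
# host-firewall line, which is not a discard record and must be skipped.
SAMPLE_LOG = r"""
2005-02-24 18:26:28 Local0.Warning 192.168.27.1 IP: discard from 70.21.162.105 port 1306 to 70.21.236.75 port 445 TCP SYN (default)
2005-02-24 18:26:29 Local0.Warning 192.168.17.1 IP: discard from 81.244.181.48 port 52183 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:29:40 Local0.Warning 192.168.31.1 IP: discard from 70.21.156.139 port 2240 to 70.21.143.248 port 139 TCP SYN (default)
2005-02-24 18:38:39 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
2005-02-24 18:38:41 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:42 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:44 Local7.Debug ECH_LCOS Rule 'Local Security Authority System Service': Permitted: Out UDP, localhost:3834->mail.athena.com [10.0.0.20:88], Owner: C:\WINNT\SYSTEM32\LSASS.EXE
2005-02-24 18:38:44 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2887 to 68.167.42.2 port 1433 TCP SYN (default)
2005-02-24 18:38:44 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2853 to 68.167.42.2 port 1025 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2852 to 68.167.42.2 port 135 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2879 to 68.167.42.2 port 445 TCP SYN (default)
2005-02-24 18:38:49 Local0.Warning 192.168.17.1 IP: discard from 68.167.80.172 port 2883 to 68.167.42.2 port 139 TCP SYN (default)
"""


def parse_discards(lines):
    """Return one dict per discard record; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = DISCARD_RE.match(line)
        if not m:
            continue  # e.g. the Tiny/LSASS line, or any non-discard record
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "reporter": d["reporter"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "proto": d["proto"], "flags": d["flags"] or "", "rule": d["rule"],
        })
    return events


def summarize_sources(events, min_ports=3, max_span_seconds=60):
    """Group discards by source; flag a source that hits several distinct
    ports within a short window as a likely port sweep (thresholds assumed)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports = sorted({e["dport"] for e in evs})
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        summary[src] = {
            "count": len(evs),
            "targets": sorted({e["dst"] for e in evs}),
            "ports": ports,
            "first": evs[0]["ts"], "last": evs[-1]["ts"],
            "span_seconds": span,
            "syn_only": all(e["flags"] == "SYN" for e in evs),
            "port_sweep": len(ports) >= min_ports and span <= max_span_seconds,
        }
    return summary


if __name__ == "__main__":
    report = summarize_sources(parse_discards(SAMPLE_LOG.splitlines()))
    for src, info in report.items():
        tag = "PORT SWEEP" if info["port_sweep"] else "single probe"
        print(f"{src:<16} {info['count']:>3} discards  ports={info['ports']} "
              f"targets={info['targets']} span={info['span_seconds']:.0f}s  {tag}")
```

    Run against the sample it reports 68.167.80.172 as a sweep of 135, 139, 445, 1025 and 1433 against 68.167.42.2 within ten seconds, all bare SYNs, while the three one-off sources are left as single probes. The window rule only catches a burst; the "long, slow" scan post #7 asks about would need the per-source summary kept across days rather than recomputed per log file.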
