China attack??? Massive FW Alerts

Printable View

August 13th, 2004, 08:25 AM
cheyenne1212

China attack??? Massive FW Alerts

In the past 30 minutes I have recieved over 80 firewall alerts all coming from the same IP range of 218.13.0.0 - 218.18.255.255

heres a couple alerts.

Quote:

Intrusion: Invalid TCP Flags
Intruder: 218.18.15.17
Risk Level: Medium
Source IP address: 218.18.15.17
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Destination Port: 18362
TCP Flags invalid: 0x00000015

Intrusion: Invalid TCP Flags
Intruder: 218.18.124.3
Risk Level: Medium
Source IP address: 218.18.124.3
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Destination Port: 22010
TCP Flags invalid: 0x00000015.

Those are coming up like crazy, now I'm getting it from poland as well from a 81.0.173.181

After those alerts pop up at a rate of 2-5 at one time then I get these immediately afterwards

Quote:

Intrusion: Invalid Destination IP Address
Intruder: MAIN(208.180.xxx.xxx) <-- My Ip
Risk Level: Low
Source IP address: MAIN(208.180.xx.xxx) <-- My IP
Destination IP address: 0.73.92.61. This IP address is invalid. <-- That IP address changes.
Protocol: TCP.

Have I been rooted?

/edit now the attacks are comign from Amsterdam to
@ 150.145.85.89

These are happening at abotu 20-30 a second
August 13th, 2004, 08:37 AM
Spyder32

Hrmm, no unusual traffic here.. just your usual port probes and whatnot. I would go to your favorite portlist and see what service is running on the port's targetted. I don't think you've been rooted, but 20-30 a second is quite a number. I would block all incoming traffic or something of that nature until you figure out the problem.
August 13th, 2004, 08:39 AM
cheyenne1212

Yeah I'm just trying to figure it out.

After I get the invalid TCP flags, I then get a alert saying my machine is sendind data to a invalid IP on my machine. lol

Also when I said 20-30 a second, I meant 20-30 a minute, but it inceases and decreases I In the past minute I have had 40 alerts.

/edit now its coming from 2 other IP's, same exact warnings. Still at the same rate.

I'm going to bed now, but am going to block all traffic till I wake up in the morning to see whats gong on.
August 13th, 2004, 08:49 AM
Spyder32

Hrmm, so your figuring around 0.8-1.4 attacks per second. As for the services the port's are running, I'm having a hard time finding what exactly they are. Keep me posted on exactly what's going on and if anything changes in the mean time.

EDIT: K, that's smart for now. Sorry, tried my best to help.

EDIT 2: Sorry, but so you know:

Port 22010 is where something called "RealServer" listen's on.
August 13th, 2004, 10:30 AM
instronics

Yeah, it was quiet for a period of weeks now, but it started again. Here in greece im getting a ton of alerts too on my firewall. Also have a look at
http://www.antionline.com/showthread...109#post772109

Cheers.
August 13th, 2004, 05:29 PM
cheyenne1212

Well I just now allowed traffic again, and am still getting quite a few hits, but from a different IP this time.

Quote:

Intrusion: Invalid TCP Flags
Intruder: 201.254.152.137
Risk Level: Medium
Source IP address: 201.254.152.137
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Destination Port: 53787
TCP Flags invalid: 0x00000015.

whats really bothering me though is all the "Invalid Destination IP Address" Going from my computer to my computer

Quote:

Intrusion: Invalid Destination IP Address
Intruder: MAIN(208.180.xx.xx) <-- My IP
Risk Level: Low
Source IP address: MAIN(208.180.xx.xx) <-- My IP
Destination IP address: 0.164.194.58. This IP address is invalid.
Protocol: TCP.

The alerts not going off as much as it was, but it sure was going crazy, now its mostly that invalid destination alert, then about 5-10 of the invalid TCP flags from some other computer.

Seems attacks were coming from
China
Poland
Amsterdam
Carribean

I'm use to beig scanned from different places, but just not quite this much.
August 13th, 2004, 05:55 PM
cacosapo

or someone is preparing to DDos you... and source addresses dont matter (fake crafted packets) :)

Stupid question: your defense (1st level) has source-route and icmp redirection disabled, right?
August 13th, 2004, 06:01 PM
cheyenne1212

My only defence since I'm on a 56k computer at the moment is the Norton firewall, but I do have norto configured to drop ICMP, not sure about source route, but I do know if you scan my computer with languard or nmap it doesn' see it.
August 13th, 2004, 06:10 PM
phishphreek

Are you sure you are just now seeing these?

I've been seeing them for as long as I can remember. I was/am getting so many of them filling my logs that I disabled logging on that port until thing die down a bit. (If ever...)

http://isc.sans.org/port_details.php?port=445
August 13th, 2004, 06:14 PM
cheyenne1212

Yeah just in the past day phish.

It wasn't doing this till about 1. a.m last night.
August 13th, 2004, 06:41 PM
ShagDevil

cheyenne1212, if it makes you feel any better, I've been getting pounded with connection requests to port 445 for at least 2 weeks now. I think I'm averaging about 40-50 requests an hour from IP ranges that follow no observable pattern.
August 13th, 2004, 06:51 PM
cacosapo

NIS use to that on right way. Nothing to worry. maybe just a random attack.

So, your are under attack thru an 56K line?
plug your pc off the line and Get a six pack :)
August 13th, 2004, 08:20 PM
allenb1963

Hey chey....I was getting hammered by Bejing last night too....overzealous skiddie??
August 14th, 2004, 06:24 AM
cheyenne1212

lol

Not really sure allen, seems like a lot of over zealous Hong Kongers, polanders, and netherlanders, at the rate its going, I'll have shrekkie doing a port scan before long on my pc :p. lol

Its 12:30 a.m here now and it seems like its kinda cleared up, Not getting anymore invalid TCP flags, but am still getting quite a few of invalid destination IP address warnings.

Who knows maybe I have a little virus or trojan, I had some program called QBUPSEX.exe trying to get out on the net last night, but I blocked access to it. probably about time for a adawere, spybot and hijack this scan again.

belive me cacosapo I woudl love to get a six pack but being 1 1/2 years from 21 has its drawbacks. lol

/edit found that program that was trying ot get out last night.

Quote:

This one time, the user has chosen to "block" communications
Outbound TCP connection
Remote address,service is (83.155.104.0,microsoft-ds(445))
Process name is "C:\WINDOWS\System32\uqusex.exe"
August 14th, 2004, 06:34 AM
Palemoon

Just took at peek remotly at the system @ work tsiled a couple logs a few minutes looks to me like it is maybe a new varation of the what was it Beagle virus email server is getting hit hard and looks like it scans for open ports you listed looking to install the rest of it's self. But I'm tired already a 12 hour day firewall is blocking and the email is also nixing it as spam...nite will look at the logs after some sleep
August 14th, 2004, 06:35 AM
cheyenne1212

Thats gotta be what it is, I just now got hit from 5 more different IP's in a matter of 30 seconds.
August 16th, 2004, 06:44 AM
cheyenne1212

sorry bout the double post guys but check this out

Quote:

TCP 127.0.0.1:3535 127.0.0.1:1027 CLOSE_WAIT
TCP 127.0.0.1:8005 0.0.0.0:0 LISTENING
TCP 208.180.47.112:3022 67.19.14.2:6667 ESTABLISHED
TCP 208.180.47.112:3216 207.46.106.30:1863 ESTABLISHED
TCP 208.180.47.112:8877 0.0.0.0:0 LISTENING
TCP 208.180.47.112:10445 35.210.225.1:445 ESTABLISHED
TCP 208.180.47.112:10915 35.198.58.182:445 ESTABLISHED
TCP 208.180.47.112:10917 35.44.167.243:445 ESTABLISHED
TCP 208.180.47.112:11086 211.118.208.22:445 TIME_WAIT
TCP 208.180.47.112:11145 211.118.208.23:445 TIME_WAIT
TCP 208.180.47.112:11146 208.180.47.47:445 SYN_SENT
TCP 208.180.47.112:11147 81.0.119.182:445 SYN_SENT
TCP 208.180.47.112:11148 81.61.71.5:445 SYN_SENT
TCP 208.180.47.112:11149 81.61.221.0:445 SYN_SENT
TCP 208.180.47.112:11150 81.61.94.9:445 SYN_SENT
TCP 208.180.47.112:11152 211.118.49.102:445 SYN_SENT
TCP 208.180.47.112:11153 211.118.208.24:445 TIME_WAIT
TCP 208.180.47.112:11154 81.61.160.204:445 SYN_SENT
TCP 208.180.47.112:11155 81.61.31.139:445 SYN_SENT
TCP 208.180.47.112:11156 81.61.41.22:445 SYN_SENT
TCP 208.180.47.112:11158 208.180.158.162:445 SYN_SENT
TCP 208.180.47.112:11159 81.61.25.159:445 SYN_SENT
TCP 208.180.47.112:11160 31.228.3.171:445 SYN_SENT
TCP 208.180.47.112:11161 211.118.143.241:445 SYN_SENT
TCP 208.180.47.112:11162 208.180.248.11:445 SYN_SENT
TCP 208.180.47.112:11163 208.180.121.68:445 SYN_SENT
TCP 208.180.47.112:11164 182.50.211.75:445 SYN_SENT
TCP 208.180.47.112:11165 81.0.0.42:445 SYN_SENT
TCP 208.180.47.112:11166 81.0.13.129:445 SYN_SENT
TCP 208.180.47.112:11167 197.11.106.253:445 SYN_SENT
TCP 208.180.47.112:11169 25.220.4.170:445 SYN_SENT
TCP 208.180.47.112:11171 112.222.35.182:445 SYN_SENT
TCP 208.180.47.112:11172 27.179.114.12:445 SYN_SENT
TCP 208.180.47.112:11175 29.114.28.87:445 SYN_SENT
TCP 208.180.47.112:11176 143.80.104.35:445 SYN_SENT
TCP 208.180.47.112:11177 157.231.253.108:445 SYN_SENT
TCP 208.180.47.112:11178 34.8.59.79:445 SYN_SENT
TCP 208.180.47.112:11179 204.165.19.241:445 SYN_SENT
TCP 208.180.47.112:11180 143.52.155.102:445 SYN_SENT
TCP 208.180.47.112:11181 123.254.98.233:445 SYN_SENT
TCP 208.180.47.112:11182 141.25.97.158:445 SYN_SENT
TCP 208.180.47.112:11183 203.194.115.104:445 SYN_SENT
TCP 208.180.47.112:11184 133.21.139.253:445 SYN_SENT
TCP 208.180.47.112:11186 117.181.215.248:445 SYN_SENT
TCP 208.180.47.112:11188 185.204.83.1:445 SYN_SENT
TCP 208.180.47.112:11189 93.216.223.240:445 SYN_SENT
TCP 208.180.47.112:11190 211.220.19.148:445 SYN_SENT
TCP 208.180.47.112:11191 52.33.116.119:445 SYN_SENT
TCP 208.180.47.112:11192 94.109.158.112:445 SYN_SENT
TCP 208.180.47.112:11193 70.229.24.190:445 SYN_SENT
TCP 208.180.47.112:11194 130.157.37.189:445 SYN_SENT
TCP 208.180.47.112:11195 113.80.235.125:445 SYN_SENT
TCP 208.180.47.112:11196 56.209.134.230:445 SYN_SENT
TCP 208.180.47.112:11197 111.249.4.80:445 SYN_SENT
TCP 208.180.47.112:11199 191.55.85.188:445 SYN_SENT
TCP 208.180.47.112:11200 116.210.48.143:445 SYN_SENT

Thats from a netstat -an

Thats a hell of a lot of connections, and the worse part is, that theres anohter 80 IP addresses in ther but on the same port of 445.

wtf is up with that?

Have I been compromised?
August 16th, 2004, 08:05 AM
Spyder32

If you haven't been compromised, you sure did piss off alotta hackers last meeting :D haha, nah but seriously though.. I think you could very well be being targetted and if not that then I would do a SwatIt scan (http://swatit.org) for trojans, run Ad-aware and Hijackthis (for spyware/adware), update all applications versions, check windows update for any patches you might not have (I know there have been quite a few IE patches lately needed to d/l that mentioned compromising system integrity files), and lookup those ports on google and see what service is running on them. Look into the service, if you need it then download latest version/patches/etc if not needed, turn it off/get rid of it.

From what I've gathered for you about Port 445: It run's Microsoft-DS and can be a default or another port for the following viruses/trojans/worms: Lioten, Randon, WORM_DELODER.A, W32/Deloder.A, W32.HLLW.Deloder, Sasser.

My suggestion: All that I mentioned above, but definitely look into some of those trojans/viruses/worms. Check back with added information.
August 16th, 2004, 04:18 PM
cheyenne1212

Yeah I'm about to get a ad-aware scan
spybot
hijack this
swatit
and a different AV scan.

Someithing isn't right somewhere.

I'll let you know if I find something.