Security Incidents mailing list archives

Re: Scans(?) 500->500 from China


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sat, 2 Sep 2000 13:47:42 -0500

Hi,

It looks like someone was trying to access the key negotiation daemon
for IPSEC.  Since you obviously aren't using this software (or isakmp
might ring a bell ;), that leaves three possibilities:

1. New IPSEC implementation hole (old FreeSWAN has some really crappy
code in it...)
2. They are looking for another service entirely (some root backdoor
port...)
3. You have a dynamic IP; they used to have an IPSEC tunnel going to
whoever had your IP address last.  Their peer changed addresses but they
never updated their configuration files.  This could also be a user of
PGPNET mistyping the remote peer address, or even a misconfigured routing
device with VPN capabilities.

-HD

http://www.digitaloffense.net



"Ralf G. R. Bergs" wrote:

Hi there,

can anybody shed some light on what appears to be a scan to me?

Sep  1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep  1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17
[ snip ]
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep  1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)

I couldn't find any meaningful info about port 500 (meaningful to me, that
is, since "isakmp" doesn't ring a bell...)
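The firewall entries above are ipchains "Packet log:" lines, each one wrapped onto two lines by the mail client. As an added example that is not part of the thread, here is a small Python parser that re-joins the wrapped entries, pulls out the fields, and triages UDP/500 traffic per source along the lines HD's reply suggests: a source port of 500 plus payloads large enough to carry the fixed 28-byte ISAKMP header (RFC 2408) point to a bound IKE daemon trying to negotiate with you (a real or misconfigured peer) rather than a port sweep, which would normally come from an ephemeral source port. The embedded log lines are constructed to match the post's format, with <my ip> replaced by 10.0.0.2 and one unrelated TCP entry added for contrast; the ISAKMP payload size is derived assuming a 20-byte IPv4 header with no options.

```python
"""Parse ipchains "Packet log:" lines and triage UDP/500 (ISAKMP) hits.

Added example; not code from the original post.  SAMPLE_LOG is constructed
in the post's format (<my ip> replaced by 10.0.0.2, plus one TCP line).
"""
import re
from collections import defaultdict

IP_HDR = 20      # IPv4 header, assuming no options
UDP_HDR = 8
ISAKMP_HDR = 28  # fixed ISAKMP header: 2 cookies, npayload, version, exchange, flags, msgid, length

SAMPLE_LOG = """\
Sep  1 11:13:55 myhost kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 10.0.0.2:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep  1 11:13:56 myhost kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 10.0.0.2:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep  1 11:14:53 myhost kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 10.0.0.2:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)
Sep  1 11:20:01 myhost kernel: Packet log: input DENY atm0 PROTO=6
192.0.2.9:4321 10.0.0.2:23 L=60 S=0x00 I=1 F=0x4000 T=64 (#12)
"""

# A syslog timestamp marks the start of an entry; anything else is a wrapped continuation.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
FIELDS = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)
INT_FIELDS = ("proto", "sport", "dport", "len", "ipid", "ttl")


def stitch(text):
    """Re-join entries that a mail client wrapped onto two lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_ipchains_log(text):
    """Return one dict per recognised Packet log entry, numeric fields as ints."""
    parsed = []
    for raw in stitch(text):
        m = FIELDS.match(raw)
        if not m:
            continue  # not a Packet log line in the format we understand
        e = m.groupdict()
        for k in INT_FIELDS:
            e[k] = int(e[k])
        parsed.append(e)
    return parsed


def isakmp_summary(entries):
    """Group UDP packets to port 500 by source and derive what the log can tell us."""
    by_src = defaultdict(list)
    for e in entries:
        if e["proto"] == 17 and e["dport"] == 500:
            by_src[e["src"]].append(e)
    summary = {}
    for src, es in by_src.items():
        summary[src] = {
            "packets": len(es),
            # L= is the total IP length; strip IP and UDP headers to get the ISAKMP bytes
            "isakmp_bytes": [e["len"] - IP_HDR - UDP_HDR for e in es],
            "same_source_port": all(e["sport"] == 500 for e in es),
            "ttl": sorted({e["ttl"] for e in es}),
            # how many IP IDs the sender burned between first and last hit (other traffic it sent)
            "ipid_span": es[-1]["ipid"] - es[0]["ipid"],
        }
    return summary


def classify(src_summary):
    """Rough triage of UDP/500 traffic from one source, using the log alone."""
    s = src_summary
    if min(s["isakmp_bytes"]) < ISAKMP_HDR:
        return "too-short-for-isakmp"      # cannot even hold an ISAKMP header: junk or another service
    if s["same_source_port"]:
        return "isakmp-peer"               # bound IKE daemon (sport 500) sending plausible IKE messages
    return "udp500-ephemeral-source"       # scanner-style probe from a random source port


if __name__ == "__main__":
    for src, s in isakmp_summary(parse_ipchains_log(SAMPLE_LOG)).items():
        print(src, classify(s), s)
```

Run it and the 61.141.79.3 source shows three packets from source port 500 carrying 680, 680 and 56 bytes of ISAKMP data with a constant TTL of 105, which is consistent with a single IKE daemon retrying a negotiation rather than a port scan; the telnet probe is ignored because it is neither UDP nor to port 500.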

