Security Incidents mailing list archives
Re: Reverse http traffic
From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Wed, 31 Dec 2003 07:11:58 -0500
Daniel H. Renner wrote Tuesday, December 30, 2003 6:09 PM
I checked the firewall logs and saw quite a few attempts from a Google IP address (whois-ed, but I'm not ignoring that it was possibly spoofed) that was sending IN traffic with a source port of 80 and a destination port in the temporary range (33xx) - eh???
Which firewall logs and what time frame? The Linksys before the
switchout,
the Linux-based firewall after the switchout, or something else?
My appologies, since I never considered the Linksys/DLink/etc. routers to be firewalls I've not addressed them as such - but I see others do (remind self that other's terminologies must be used when talking to them... :)
Linksys calls it a firewall feature, and it has logs - but not everyone agrees to call it that. Thanks for clarifying.
The firewall in question is an IPCop machine (this is a fork of the Smoothwall firewall project - www.ipcop.org) with no DHCP server, port-forwarding or HTTP proxy running - just a plain brown box... The incomings I saw were within approx. a 1-minute timeframe.
So what is serving DHCP at this point?
A lot of things could cause incoming 80 -> 33xx traffic, most of them benign. Do you have any packet captures with flags and ACKs, etc? Were
the
mystery packets directed to the problem machine or to the router
address?
Can you give more details about which machines have private addresses
and
which have public Internet addresses? Was the Linksys firmware up to
rev?
Unfortunately I am still enough of a Linux newbie that I have not figured out how to add a sniffer into IPCop (I could install ntop though...) but according to the firewall logs the traffic was pointed to the external NIC on the IPCop computer specifically which is the only public IP address on the LAN. All others are behind the IPCop's internal/private IP addressed NIC, and there is no DMZ NIC on the system, nor is it setup software-wise for one at the moment.
Also, all 6 updates of IPCop had been performed on the machine before installation.
If what could cause this sort of traffic is "mostly benign" then I'll have my goose-pimples set to "chill" - if not, then I'm still in "Eh?" mode...
It's probably best to stay in investigative mode and learn some more about the traffic before judging either way. Check outbound logs to see if there is any traffic that is obviously related to your mystery traffic by time or address. Sniff full packets with tethereal or ntop or whatever from a trusted machine. Obfuscate your IP address in a text copy of the packets that concern you and post a few to the list. Check open ports on the suspect PC with nMap or another scanner from a trusted box, and run FPort or TCPView on the suspect machine itself to identify processes that have opened ports. Delete or obfuscate information you do not wish to share, and post the remainder to the list. You could also Google the IP address that is the source of your unexplained traffic to see if anyone else might have posted comments about it, and look it up at http://www.dshield.org/ipinfo.php to see if other people have reported problems from that IP. The packets themselves may contain Googlable information - see if there is something in common between the packets other than source and destination. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Reverse http traffic Daniel H. Renner (Dec 30)
- RE: Reverse http traffic Jarrod Frates (Dec 30)
- RE: Reverse http traffic Jim Butterworth (Dec 30)
- <Possible follow-ups>
- Re: Reverse http traffic James C. Slora Jr. (Dec 31)
- RE: Reverse http traffic Jarrod Frates (Dec 30)