Re: Reverse http traffic

["James C. Slora Jr." <Jim.Slora () phra com>]

Daniel H. Renner wrote Tuesday, December 30, 2003 6:09 PM

> > > I checked the firewall logs and saw quite a few attempts from
> > > a Google IP address (whois-ed, but I'm not ignoring that it
> > > was possibly spoofed) that was sending IN traffic with a
> > > source port of 80 and a destination port in the temporary
> > > range (33xx) - eh???

> > Which firewall logs and what time frame? The Linksys before the
switchout,
> > the Linux-based firewall after the switchout, or something else?

> My appologies, since I never considered the Linksys/DLink/etc. routers
> to be firewalls I've not addressed them as such - but I see others do
> (remind self that other's terminologies must be used when talking to
> them... :)

Linksys calls it a firewall feature, and it has logs - but not everyone
agrees to call it that. Thanks for clarifying.

> The firewall in question is an IPCop machine (this is a fork of the
> Smoothwall firewall project - www.ipcop.org) with no DHCP server,
> port-forwarding or HTTP proxy running - just a plain brown box...  The
> incomings I saw were within approx. a 1-minute timeframe.

So what is serving DHCP at this point?

> > A lot of things could cause incoming 80 -> 33xx traffic, most of them
> > benign. Do you have any packet captures with flags and ACKs, etc? Were
the
> > mystery packets directed to the problem machine or to the router
address?
> > Can you give more details about which machines have private addresses
and
> > which have public Internet addresses? Was the Linksys firmware up to
rev?

> Unfortunately I am still enough of a Linux newbie that I have not
> figured out how to add a sniffer into IPCop (I could install ntop
> though...) but according to the firewall logs the traffic was pointed to
> the external NIC on the IPCop computer specifically which is the only
> public IP address on the LAN.  All others are behind the IPCop's
> internal/private IP addressed NIC, and there is no DMZ NIC on the
> system, nor is it setup software-wise for one at the moment.

> Also, all 6 updates of IPCop had been performed on the machine before
> installation.

> If what could cause this sort of traffic is "mostly benign" then I'll
> have my goose-pimples set to "chill" - if not, then I'm still in "Eh?"
> mode...

It's probably best to stay in investigative mode and learn some more about
the traffic before judging either way. Check outbound logs to see if there
is any traffic that is obviously related to your mystery traffic by time or
address. Sniff full packets with tethereal or ntop or whatever from a
trusted machine. Obfuscate your IP address in a text copy of the packets
that concern you and post a few to the list. Check open ports on the suspect
PC with nMap or another scanner from a trusted box, and run FPort or TCPView
on the suspect machine itself to identify processes that have opened ports.
Delete or obfuscate information you do not wish to share, and post the
remainder to the list.

You could also Google the IP address that is the source of your unexplained
traffic to see if anyone else might have posted comments about it, and look
it up at http://www.dshield.org/ipinfo.php to see if other people have
reported problems from that IP. The packets themselves may contain Googlable
information - see if there is something in common between the packets other
than source and destination.




---------------------------------------------------------------------------
----------------------------------------------------------------------------