From: "Ma-ris Ruskulis" <maris@chown.lv>
To: netfilter@vger.kernel.org
Subject: random src dst ports for OUTPUT chain in FILTER table
Date: Thu, 22 Jan 2009 14:39:13 +0200
Message-ID: <497868F1.8080703@chown.lv>
Hello!
A few weeks ago, I set up on my servers an OUTPUT chain with policy ACCEPT and
stateful logging. For a start, just for traffic inspection. On two
machines strange traffic appeared with random src-dst ports.
This looks like a port scan from the local machine, but no one except me has
access to this server, so, if this is a port scan, then I have been
cracked/hacked. But how? On this server I'm running only a webserver,
http,https. The HTTP daemon is sitting in a jail. And the Linux kernel is
grsec/pax enabled, so breaking out of the jail is almost impossible. And the jail
has only php. I checked the access logs of the webserver, and the dst ip was listed
there, but when I tried to traceroute this dst it looped; it seems that the dst
network has problems with routing, maybe this was the cause of this strange
traffic? I'm not a guru in the tcp/ip protocol stack, maybe there is some
feature which produces this traffic?
OUTPUT:
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=55586 DF PROTO=TCP SPT=41661 DPT=3728
WINDOW=13220 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=59299 DF PROTO=TCP SPT=40398 DPT=3729
WINDOW=8096 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=41101 DF PROTO=TCP SPT=47319 DPT=3730
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=26623 DF PROTO=TCP SPT=41531 DPT=3731
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=14739 DF PROTO=TCP SPT=45649 DPT=3732
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=47318 DF PROTO=TCP SPT=42388 DPT=3733
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=46558 DF PROTO=TCP SPT=42478 DPT=3734
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=13153 DF PROTO=TCP SPT=35883 DPT=3735
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=27594 DF PROTO=TCP SPT=47061 DPT=3736
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=21367 DF PROTO=TCP SPT=44743 DPT=3737
WINDOW=7920 RES=0x00 ACK RST URGP=0
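An added triage check for lines in this LOG format (my example, not the poster's or netfilter's code): it parses the KEY=value fields and bare flag tokens and flags any peer that received a run of outbound RST+ACK segments at consecutive remote ports, which is the shape of the lines above. A reset carries the ACK bit only when the segment it answers had no ACK (RFC 793, e.g. a SYN to a port with no listener), so such a run points at what is arriving on the INPUT side from that peer rather than at a local process; the sample addresses and IDs below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the iptables LOG lines quoted above
# (RFC 5737 test addresses, made-up IDs): three RST+ACK replies to one
# peer at consecutive remote ports, plus one ordinary outbound SYN.
SAMPLE_LOG = """\
Unmatched out: IN= OUT=eth1 SRC=192.0.2.50 DST=198.51.100.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=55586 DF PROTO=TCP SPT=41661 DPT=3728 WINDOW=13220 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=192.0.2.50 DST=198.51.100.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=59299 DF PROTO=TCP SPT=40398 DPT=3729 WINDOW=8096 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=192.0.2.50 DST=198.51.100.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41101 DF PROTO=TCP SPT=47319 DPT=3730 WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=192.0.2.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_log_line(line):
    """Split one iptables LOG line into its KEY=value fields and collect the
    bare TCP flag tokens (SYN, ACK, RST, ...) under 'FLAGS'."""
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = set(line.split()) & TCP_FLAGS
    return fields


def rst_ack_runs(lines, min_run=3):
    """Return peers that received at least min_run outbound RST+ACK segments
    at consecutive remote ports.  Per RFC 793 a reset has ACK set only when
    the segment it answers carried no ACK, so such a run is the local stack
    refusing inbound attempts; the next place to look is the INPUT side."""
    by_peer = defaultdict(list)
    for line in lines:
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or not f.get("OUT"):
            continue  # not outbound TCP: skip
        if {"RST", "ACK"} <= f["FLAGS"] and "SYN" not in f["FLAGS"]:
            by_peer[f["DST"]].append((int(f["DPT"]), int(f["SPT"])))
    findings = {}
    for peer, pairs in by_peer.items():
        remote = sorted({p for p, _ in pairs})
        consecutive = all(b - a == 1 for a, b in zip(remote, remote[1:]))
        if len(remote) >= min_run and consecutive:
            findings[peer] = {
                "count": len(remote),
                "remote_ports": (remote[0], remote[-1]),
                "local_ports": sorted(l for _, l in pairs),
            }
    return findings
```

Feed it the unwrapped LOG lines from syslog (each entry on one line); the outbound SYN in the sample is ignored because it is the host initiating, not refusing.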