random src dst ports for OUTPUT chain in FILTER table

random src dst ports for OUTPUT chain in FILTER table

[Ma-ris Ruskulis]

Hello!
Few weeks ago, I set on my servers OUTPUT chain with policy ACCEPT and
logging - stateful. For start, just for traffic inspectation. On two
machines strange traffic apeared with random src-dst ports.
This looks like port scan from local machine, but noone except me hasn't
access to this server, so, if this is a port scan, than I have been
cracked/hacked. But how? On this server im running only webserver
http,https. HTTP daemon is sitting in jail. And linux kernel is
grsec/pax enabled, so break out of jail is almost impossible. And jail
has only php. I checked Access logs of webserver, and dst ip was listed
here, but when I tried to traceroute this dst it looped, seems that dst
network has problems with routing, maybe this was cause of this strange
traffic? I'm not guru in tcp/ip protocol stack, maybe there is some 
features which done this traffic?

OUPUT:
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=55586 DF PROTO=TCP SPT=41661 DPT=3728 WINDOW=13220 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=59299 DF PROTO=TCP SPT=40398 DPT=3729 WINDOW=8096 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=41101 DF PROTO=TCP SPT=47319 DPT=3730 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26623 DF PROTO=TCP SPT=41531 DPT=3731 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=14739 DF PROTO=TCP SPT=45649 DPT=3732 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=47318 DF PROTO=TCP SPT=42388 DPT=3733 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=46558 DF PROTO=TCP SPT=42478 DPT=3734 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=13153 DF PROTO=TCP SPT=35883 DPT=3735 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=27594 DF PROTO=TCP SPT=47061 DPT=3736 WINDOW=7920 RES=0x00 ACK RST URGP=0 
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=21367 DF PROTO=TCP SPT=44743 DPT=3737 WINDOW=7920 RES=0x00 ACK RST URGP=0 

random src dst ports for OUTPUT chain in FILTER table

[Ma-ris Ruskulis]

Hello!
Few weeks ago, I set on my servers OUTPUT chain with policy ACCEPT and
logging - stateful. For start, just for traffic inspectation. On two
machines strange traffic apeared with random src-dst ports.
This looks like port scan from local machine, but noone except me hasn't
access to this server, so, if this is a port scan, than I have been
cracked/hacked. But how? On this server im running only webserver
http,https. HTTP daemon is sitting in jail. And linux kernel is
grsec/pax enabled, so break out of jail is almost impossible. And jail
has only php. I checked Access logs of webserver, and dst ip was listed
here, but when I tried to traceroute this dst it looped, seems that dst
network has problems with routing, maybe this was cause of this strange
traffic? I'm not guru in tcp/ip protocol stack, maybe there is some
features which done this traffic?

OUPUT:
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=55586 DF PROTO=TCP SPT=41661 DPT=3728
WINDOW=13220 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=59299 DF PROTO=TCP SPT=40398 DPT=3729
WINDOW=8096 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=41101 DF PROTO=TCP SPT=47319 DPT=3730
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=26623 DF PROTO=TCP SPT=41531 DPT=3731
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=14739 DF PROTO=TCP SPT=45649 DPT=3732
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=47318 DF PROTO=TCP SPT=42388 DPT=3733
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=46558 DF PROTO=TCP SPT=42478 DPT=3734
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=13153 DF PROTO=TCP SPT=35883 DPT=3735
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=27594 DF PROTO=TCP SPT=47061 DPT=3736
WINDOW=7920 RES=0x00 ACK RST URGP=0
Unmatched out: IN= OUT=eth1 SRC=xx.xxx.x.50 DST=88.222.29.18 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=21367 DF PROTO=TCP SPT=44743 DPT=3737
WINDOW=7920 RES=0x00 ACK RST URGP=0