This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attacks

Hi everybody!

I have looked at our Packet Filter Logs from today and
found 2 things that I don't like, maybe anybody knows
what I can do or what this means.

We have a /28 Network and a /29 Network

The external ASL is on the /29 Network with IP xxx.xxx.xxx.201

The DMZ has the /28 Network from 96 - 111.

This happens on the external nic:

Aug 12 00:08:13 (none) kernel: UDP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=205.252.14.31 DST=xxx.xxx.xxx.201 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=36356 PROTO=UDP SPT=53 DPT=1253 LEN=20
Aug 12 00:08:17 (none) kernel: UDP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=205.252.14.31 DST=xxx.xxx.xxx.201 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=36368 PROTO=UDP SPT=53 DPT=1253 LEN=20
Aug 12 00:08:28 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=208.185.54.14 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=47 ID=59286 PROTO=ICMP TYPE=8 CODE=0 ID=60966 SEQ=25953
Aug 12 00:08:28 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=64.0.96.12 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=32 ID=48025 PROTO=ICMP TYPE=8 CODE=0 ID=52852 SEQ=7585
Aug 12 00:08:28 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=64.15.251.198 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=44 ID=3305 PROTO=ICMP TYPE=8 CODE=0 ID=57902 SEQ=63928
Aug 12 00:08:28 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=212.62.17.145 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=44 ID=852 PROTO=ICMP TYPE=8 CODE=0 ID=63093 SEQ=13759
Aug 12 00:08:28 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=63.218.7.130 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=46 ID=12738 PROTO=ICMP TYPE=8 CODE=0 ID=28708 SEQ=23781
Aug 12 00:08:28 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=204.176.88.5 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=35 ID=33437 PROTO=ICMP TYPE=8 CODE=0 ID=14692 SEQ=21730
Aug 12 00:08:29 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=211.13.227.66 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=42 ID=41082 PROTO=ICMP TYPE=8 CODE=0 ID=45569 SEQ=13088
Aug 12 00:08:29 (none) kernel: ICMP Drop: IN=eth2 OUT= MAC=00:01:02:2a:a3:0d:00:a0:c5:46:7c:29:08:00 SRC=202.160.241.130 DST=xxx.xxx.xxx.201 LEN=84 TOS=0x00 PREC=0x00 TTL=32 ID=866 PROTO=ICMP TYPE=8 CODE=0 ID=44545 SEQ=22498

And this happens for the DMZ:
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.98 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48349 DF PROTO=TCP SPT=4531 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48351 DF PROTO=TCP SPT=4533 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.102 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48353 DF PROTO=TCP SPT=4535 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.99 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48350 DF PROTO=TCP SPT=4532 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.103 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48354 DF PROTO=TCP SPT=4536 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.104 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48355 DF PROTO=TCP SPT=4538 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.107 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48358 DF PROTO=TCP SPT=4541 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.105 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48356 DF PROTO=TCP SPT=4539 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.108 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48359 DF PROTO=TCP SPT=4542 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.106 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48357 DF PROTO=TCP SPT=4540 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.109 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48360 DF PROTO=TCP SPT=4543 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:05:48 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=213.60.144.11 DST=xxx.xxx.xxx.110 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48361 DF PROTO=TCP SPT=4544 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.98 LEN=48 TOS=0x00 PREC=0x00 TTL=97 ID=11258 DF PROTO=TCP SPT=4332 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.99 LEN=48 TOS=0x00 PREC=0x00 TTL=97 ID=11259 DF PROTO=TCP SPT=4333 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.100 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11260 DF PROTO=TCP SPT=4334 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.101 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11261 DF PROTO=TCP SPT=4335 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.102 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11262 DF PROTO=TCP SPT=4336 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.103 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11263 DF PROTO=TCP SPT=4337 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.104 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11264 DF PROTO=TCP SPT=4338 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.105 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11265 DF PROTO=TCP SPT=4339 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.106 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11266 DF PROTO=TCP SPT=4340 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.107 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11267 DF PROTO=TCP SPT=4341 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:33 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.108 LEN=48 TOS=0x00 PREC=0x00 TTL=97 ID=11268 DF PROTO=TCP SPT=4342 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:35 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.109 LEN=48 TOS=0x00 PREC=0x00 TTL=97 ID=11279 DF PROTO=TCP SPT=4343 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:13:35 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=68.78.108.101 DST=xxx.xxx.xxx.110 LEN=48 TOS=0x00 PREC=0x00 TTL=96 ID=11280 DF PROTO=TCP SPT=4344 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.99 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50869 DF PROTO=TCP SPT=4933 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.101 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50871 DF PROTO=TCP SPT=4935 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.98 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50868 DF PROTO=TCP SPT=4932 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.100 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50870 DF PROTO=TCP SPT=4934 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.103 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50873 DF PROTO=TCP SPT=4937 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.102 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50872 DF PROTO=TCP SPT=4936 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.109 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50879 DF PROTO=TCP SPT=4943 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.106 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50876 DF PROTO=TCP SPT=4940 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.105 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50875 DF PROTO=TCP SPT=4939 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.104 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50874 DF PROTO=TCP SPT=4938 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.107 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50877 DF PROTO=TCP SPT=4941 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.110 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50880 DF PROTO=TCP SPT=4944 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 00:14:42 (none) kernel: TCP Drop: IN=eth2 OUT=eth1 SRC=66.169.209.33 DST=xxx.xxx.xxx.108 LEN=48 TOS=0x00 PREC=0x00 TTL=98 ID=50878 DF PROTO=TCP SPT=4942 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

Anyone any idea what I can do? Portscan is not reacting
on this. If this continues then there is soon going to be
a match from IP and Port so the intruder is able to break
in.

Thanks in advance,
Henrik

ASL 4.009

This thread was automatically locked due to age.

Parents

0 gnujuba over 22 years ago

on your dmz int it looks like WS.BLAST for me (DST PORT 135)
( http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html )

for this worm follow the advisories: close port 135 (you already have) and install virus scanners on all desktops and of course patch ALL machines.

removal tool: http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

for your ext int, i am not shure: just some echo requests. for me this is just noise on the internet ...

bye,

gnjb
Cancel
Vote Up 0 Vote Down

Cancel
0 Maurice over 22 years ago in reply to gnujuba

I agree with gnujuba. Seems like your DMZ is getting the Blast worm, but hey, look on the good side of it. Astaro is blocking the worm

I had a huge log file for the last 2 days of my ASL blocking the worm. ASL is doing the job great!

Maurice
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Maurice over 22 years ago in reply to gnujuba

I agree with gnujuba. Seems like your DMZ is getting the Blast worm, but hey, look on the good side of it. Astaro is blocking the worm

I had a huge log file for the last 2 days of my ASL blocking the worm. ASL is doing the job great!

Maurice
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 gnujuba over 22 years ago in reply to Maurice

look at my huge logfile and the fun with it:

https://community.sophos.com/products/unified-threat-management/astaroorg/f/55/t/44320

:-)(
Cancel
Vote Up 0 Vote Down

Cancel