Welcome to Cyborg's ASP Fun Section


Release 0.1

Life can be so funny

Saturday evening, a day like any other if you are online full-time, and just now it happens :). I received a connection attempt on port 27374 (SubSeven, a Windows trojan, one of many):

28.07.01 21:57:26 Access from host 217.x.x.x to port tcp/27374 rejected.
28.07.01 21:57:26 Access from host 217.x.x.x to port tcp/27374 rejected.
28.07.01 21:57:27 Access from host 217.x.x.x to port tcp/27374 rejected.
28.07.01 21:57:28 Access from host 217.x.x.x to port tcp/27374 rejected.

I decided to check whether this host was itself infected with SubSeven or just scanning for infected hosts in order to control them. I took a TCP scanner and checked the port: it was open. The last time this happened, the text "PSWD" was written back, which meant an active trojan (I think so), but this time nothing came back. I just typed in a small message to the user that his computer was infected, but then this happened:

28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/21 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/25 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/31 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/99 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/121 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/456 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/555 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/666 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/777 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1000 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/21 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1001 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1010 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1011 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/25 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1012 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1015 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1016 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/31 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1033 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1042 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1080 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1170 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/99 rejected.
...1225 Lines skipped...(many more ignored)

Further down the log there are many direct tries at trojan ports! (all rejected :) )

That's not typical :) but harmless. It shows that the user has an ICE (a NIDS, Network Intrusion Detection System) or a firewall running and logging, and that he decided to strike back at whoever scanned his host. He tried to avoid being detected by a portscanD (portscan daemon) but made two big mistakes: first, he assumed that no log would be visible on the screen; second, he assumed that this FAST portscan would go undetected by an ICE, which is nearly impossible, it is far too rapid. A few dozen different ports per second from one source address stand out in any log, while the four earlier hits on a single port (27374) would not.
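What such a portscan daemon actually has to do with this log is simple enough to show. The following Python is an added example, not code from the page or from any of the Amiga tools mentioned on it: it parses the firewall log format shown above, declares a scan when one source address touches at least ten different ports within a two-second sliding window (so the four repeated SubSeven hits alone do not count), and also reports which probes were allowed through and which "trojan" ports were touched. The watchlist, the thresholds, the harmless second address 10.0.0.5 and the log excerpt are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Firewall log format as it appears above, e.g.
#   28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1033 allowed.
LINE_RE = re.compile(
    r"^(?P<date>\d\d\.\d\d\.\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"Access from host (?P<host>\S+) to port (?P<proto>tcp|udp)/(?P<port>\d+) "
    r"(?P<verdict>allowed|rejected)\.$"
)

# Ports that deserve an alert even when hit only once. 27374 is SubSeven's
# default; the others are simply the ports the log above shows being probed.
# This watchlist is an assumption for the example, not a reference list.
WATCHLIST = {27374, 31, 456, 555, 666, 777, 1010, 1011, 1012, 1015, 1016}


def parse_line(line):
    """Turn one log line into a dict, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%y %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proto": m["proto"],
            "port": int(m["port"]), "verdict": m["verdict"]}


def analyse(lines, window_seconds=2, min_distinct_ports=10):
    """Per source host: was it a portscan, what got through, which watchlist ports it hit.

    A scan is declared when one host touches at least min_distinct_ports
    different ports inside a sliding window of window_seconds. Repeated hits
    on a single port (the four SubSeven probes) are not a scan by themselves.
    """
    by_host = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_host[ev["host"]].append(ev)

    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)   # port -> hits currently inside the window
        start, peak = 0, 0
        for ev in evs:
            in_window[ev["port"]] += 1
            # drop events from the front until the window spans <= window_seconds
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                old = evs[start]["port"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        report[host] = {
            "portscan": peak >= min_distinct_ports,
            "peak_distinct_ports": peak,
            "allowed_ports": sorted({e["port"] for e in evs if e["verdict"] == "allowed"}),
            "watchlist_hits": sorted({e["port"] for e in evs} & WATCHLIST),
        }
    return report


# Constructed excerpt: the SubSeven probes and part of the burst from the page,
# plus one harmless web hit from another (made-up) address.
SAMPLE_LOG = """\
28.07.01 21:57:26 Access from host 217.x.x.x to port tcp/27374 rejected.
28.07.01 21:57:28 Access from host 217.x.x.x to port tcp/27374 rejected.
28.07.01 22:00:00 Access from host 10.0.0.5 to port tcp/80 allowed.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/21 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/25 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/31 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/456 rejected.
28.07.01 22:04:10 Access from host 217.x.x.x to port tcp/555 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/666 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/777 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1010 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1012 rejected.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1033 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1042 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1080 allowed.
28.07.01 22:04:11 Access from host 217.x.x.x to port tcp/1170 allowed.
"""

if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

The "allowed_ports" list is the part worth looking at after such a burst: those are the probes the filter let through, and the first thing to check is whether anything was actually listening there.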

How do we shut this portscan out?

If you have Miami, you have a problem: Miami is unresponsive for as long as it has to write such a huge number of log lines to the console.

If you have a faster CPU than mine (an 040 at 25 MHz), you may be lucky and have enough CPU time left to open the window and enter the IP in an IP-FILTER entry. Remember to choose "N" (NOLOGGING) so that you are not disturbed by further log lines. If your machine copes while he is scanning, you can instead LOG his incoming traffic to have an abuse log for your provider or his, so that others are not abused too (without noticing it). { The entry should look like this: * * H.I.S.IP 255.255.255.255 n n }

If you have MiamiDx you can just enter "deny H.I.S.IP" once you have set up the following CLI script (the .key line declares the argument and AmigaDOS substitutes it wherever <ipaddr> appears in the script):


.key ipaddr
ipfw add reject ip from <ipaddr> to any

This locks him out immediately, without telling him that he has been detected. Why? If we reject a packet instead of denying it, we send an ICMP unreachable back to him, telling his stack that this destination cannot be reached, and the stack won't try again until a program explicitly tells it to. If we deny it, we just drop the packet silently, and the foreign stack will retransmit again and again until its own timeout tells it to stop. That also stops packets to your host, but a silent drop is exactly what a portscanner reads as "stopped by a firewall", whereas the rejected packet just tells him that there is nothing there and he can't be sure that this is not normal. "We are just a nice, uninteresting little host" :-)))

One caveat: against a TCP port scanner the ICMP error is not the same as a genuinely closed port either. A closed TCP port answers a SYN with a RST, and nmap marks a port that answers with an ICMP unreachable as "filtered", exactly like one that gives no answer at all. FreeBSD's ipfw, from which the MiamiDx one is derived, has a "reset" action for TCP that answers with a RST instead; if your ipfw build supports it, that is the variant that looks like a plain closed port to such a scanner. The plain "reject" keeps the advantage described above, that a well-behaved stack stops retransmitting.

If you are interested in investigating this host a bit, you can alter the script to this entry:


.key ipaddr
ipfw add reject ip from <ipaddr> to any in

This tells the firewall to reject only packets from him coming in, and it does not block you from sending packets to his IP.
On its own that is of course useless, since his answers are still rejected on the way in, but it opens ways to protect your system in a nice way: you could send forged packets back to him, claiming that port 983 has an ftpd running under SunSolaris 4.52 or whatever :-)). Funny thought! *G* Especially if he really tries to exploit that service ..... which would not work :)

We modify the ruleset a bit:


.key ipaddr
ipfw add allow log tcp from <ipaddr> to any in established
ipfw add reject ip from <ipaddr> to any in

This lets you scan him properly: his SYN/ACK and RST answers to your probes carry the ACK flag, so the "established" rule lets them in and logs them, while his plain SYNs, i.e. ordinary connection attempts and a SYN scan, still hit the reject rule. But "established" in ipfw simply means "TCP with ACK or RST set", so anything he sends with those flags gets through as well, and your own stack will answer it.

*** WARNING --- this makes your host visible to an ACK scan (e.g. nmap -sA), or any other probe sent with the ACK flag set ***

Don't forget that! It's important.
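To see what each of the three rulesets above, and the reject/deny question, actually do to the packets involved, here is an added example in Python; it is not code from the page or from Miami/MiamiDx. It models ipfw's first-match evaluation for just the keywords used on this page (ip/tcp, addresses, in, established) and what a scanner such as nmap concludes from our answer to one probe. Assumptions, all constructed for the example: the two addresses, a default "allow" at the end of the ruleset, a host with no listening TCP services (so an allowed probe is answered by the stack with a RST), and nmap's classification of answers (no answer or ICMP error = filtered, RST = closed for a SYN scan and unfiltered for an ACK scan). The fourth ruleset uses FreeBSD ipfw's "reset" action for comparison.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the documentation ranges. The page masks the
# scanner as 217.x.x.x and never gives the author's own address.
ME, HIM = "192.0.2.10", "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "in" = arriving at our host, "out" = leaving it
    flags: frozenset = frozenset()  # TCP flags set on the segment


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny", "reject" or "reset"
    proto: str                       # "ip" matches every protocol
    src: str                         # address or "any"
    dst: str
    direction: Optional[str] = None  # "in", "out" or None for both directions
    established: bool = False        # ipfw "established": TCP with ACK or RST set


def matches(rule, pkt):
    """Does this rule apply to this packet? Mirrors the ipfw keywords used above."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
        return False
    if rule.direction not in (None, pkt.direction):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
        return False
    return True


def verdict(rules, pkt, default="allow"):
    """First matching rule wins, as in ipfw. The trailing default "allow" is
    this model's assumption: a host that otherwise accepts traffic."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def scanner_view(action, probe_flags):
    """What a scanner like nmap concludes from our reaction to one TCP probe.
    The host is modelled without listening TCP services."""
    if action == "deny":            # silent drop: no answer, sender keeps retransmitting
        answer = None
    elif action == "reject":        # ICMP unreachable
        answer = "icmp-unreach"
    else:                           # "reset", or an allowed probe reaching a closed port
        answer = "rst"
    # nmap: no answer or ICMP error -> filtered; RST -> closed (SYN scan)
    # or unfiltered (ACK scan)
    if answer in (None, "icmp-unreach"):
        return "filtered"
    return "closed" if "SYN" in probe_flags else "unfiltered"


def evaluate(rules):
    """Run the four packets that matter for the cat-and-mouse game through a ruleset."""
    his_syn = Packet("tcp", HIM, ME, "in", frozenset({"SYN"}))            # his connect / SYN scan
    his_ack = Packet("tcp", HIM, ME, "in", frozenset({"ACK"}))            # his ACK scan probe
    our_syn = Packet("tcp", ME, HIM, "out", frozenset({"SYN"}))           # our own scan of him
    his_synack = Packet("tcp", HIM, ME, "in", frozenset({"SYN", "ACK"}))  # his reply to our scan
    return {
        "his_syn_scan_sees": scanner_view(verdict(rules, his_syn), his_syn.flags),
        "his_ack_scan_sees": scanner_view(verdict(rules, his_ack), his_ack.flags),
        "our_probe_out": verdict(rules, our_syn),
        "his_reply_in": verdict(rules, his_synack),
    }


# The page's three rulesets, expressed against this model's Rule type.
SEAL = [Rule("reject", "ip", HIM, "any")]
INVESTIGATE = [Rule("reject", "ip", HIM, "any", "in")]
CAT_AND_MOUSE = [Rule("allow", "tcp", HIM, "any", "in", established=True),
                 Rule("reject", "ip", HIM, "any", "in")]
# Variant answering TCP with a RST (FreeBSD ipfw's "reset" action) and dropping the rest.
SEAL_RESET = [Rule("reset", "tcp", HIM, "any"), Rule("deny", "ip", HIM, "any")]

if __name__ == "__main__":
    for name, rules in [("seal", SEAL), ("investigate", INVESTIGATE),
                        ("cat-and-mouse", CAT_AND_MOUSE), ("seal-reset", SEAL_RESET)]:
        print(f"{name:14} {evaluate(rules)}")
```

Two things the run makes visible. The first two rulesets behave identically for all four packets: both only match packets whose source is his address, so neither ever blocked our own probes, and both still reject his replies; only the "established" rule changes that. And the price of the "established" rule is the one the warning above names: his SYN scan still sees "filtered", but an ACK probe is allowed through, answered with a RST by our stack, and reported as "unfiltered", which tells him the host is alive.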

When you are finished playing cat and mouse with him, you should seal your firewall against him, i.e. drop the IP totally, no holes!

OK, enough for today about stupid script kids.

Back to ASP