
Re: is there something hacked in my network?



hi Mike,

thanks for your reply.

To give more info about my network:
I'm running Debian unstable, a 2.4 kernel with iptables; the network is only
my machine on IP 192.168.0.1 with an external ethernet card, and the w2k machine
on static IP 192.168.0.253.
On the Debian box snort is installed for intrusion detection, but it is not fully
configured.

The filtered ports I think I can explain; that's the firewall on my Linux machine.
As soon as I nmap, my firewall responds with what I put underneath this email.

You say that the open ports seem to be normal, but when I look at their names
they don't sound very harmless to me.
Also, when I did nmaps in the past to the win2k machine I didn't see them.
The last thing we changed in the old configuration on the w2k is that
we installed cygwin with almost all the packages on it; could that have
something to do with it?

anyway thanks

here is the output from my firewall in my messages log:

Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18194 PROTO=TCP
SPT=36170 DPT=6002 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14084 PROTO=TCP
SPT=36226 DPT=6005 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58166 PROTO=TCP
SPT=36300 DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36443
DPT=6008 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14356 PROTO=TCP
SPT=36472 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36521
DPT=6007 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38102 PROTO=TCP
SPT=36595 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53110 PROTO=TCP
SPT=36673 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62968 PROTO=TCP
SPT=36787 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13056 PROTO=TCP
SPT=36833 DPT=12346 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36847
DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36888
DPT=138 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18416 PROTO=TCP
SPT=37243 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65535 PROTO=TCP
SPT=37286 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37389
DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37539
DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17731 PROTO=TCP
SPT=37540 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17731 PROTO=TCP
SPT=37541 DPT=12346 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37722
DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37724
DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37727
DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:51 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44457 PROTO=TCP
SPT=37747 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:51 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13056 PROTO=TCP
SPT=37757 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:52 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37768
DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0 
Feb 17 17:10:52 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1
DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37776
DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0 




On Sun, Feb 17, 2002 at 10:19:07AM -0500, Mike wrote:
> This is a difficult question to answer without more knowledge of your
> network, but I'll take a shot at it anyway.  The open ports seem normal.
> What is confusing is the filtered ports.  The NMAP man page defines
> filtered as
> 
> "Filtered  means  that a firewall, filter, or other network
> obstacle is covering the port  and  preventing  nmap  from
> determining  whether  the  port is open."
> 
> It appears that there is some type of firewall between the NMAP
> application and the Windows OS that is filtering out certain (generally
> considered dangerous) ports.  If all these PCs are on a single HUB like
> most home networks have, then one of the PCs has port filtering turned
> on.  Windows and Linux are both capable of port filtering.
> 
> Hope that helps,
> Mike
> 
> -----Original Message-----
> From: Hans Steinraht [mailto:hans@artofakt.com] 
> Sent: Sunday, February 17, 2002 10:50 AM
> To: debian-security
> Subject: is there something hacked in my network?
> 
> hi all,
> 
> A few days ago I scanned the only win2k machine in my little
> home network
> (consisting of my Debian machine, the server, and a w2k machine) with
> nmap -sT 192.0.168.253.
> 
> This was the result I got:
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> Interesting ports on  (192.168.0.253):
> (The 1527 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 110/tcp    open        pop-3                   
> 135/tcp    open        loc-srv                 
> 137/tcp    filtered    netbios-ns              
> 138/tcp    filtered    netbios-dgm             
> 139/tcp    filtered    netbios-ssn             
> 445/tcp    open        microsoft-ds            
> 1025/tcp   open        listen                  
> 2049/tcp   filtered    nfs                     
> 6000/tcp   filtered    X11                     
> 6001/tcp   filtered    X11:1                   
> 6002/tcp   filtered    X11:2                   
> 6003/tcp   filtered    X11:3                   
> 6004/tcp   filtered    X11:4                   
> 6005/tcp   filtered    X11:5                   
> 6006/tcp   filtered    X11:6                   
> 6007/tcp   filtered    X11:7                   
> 6008/tcp   filtered    X11:8                   
> 6009/tcp   filtered    X11:9                   
> 6050/tcp   filtered    arcserve                
> 12345/tcp  filtered    NetBus                  
> 12346/tcp  filtered    NetBus                  
> 27665/tcp  filtered    Trinoo_Master 
> 
> We couldn't find what it was, but because we had planned to reinstall the
> Windows machine for a long time, we did that this weekend.
> 
> After installing Windows we started trying to install Debian also on the
> Windows machine.
> When we did that (from floppies) the installation hung when it tried to
> make a connection to the internet through my Debian machine.
> 
> The strange thing now is that after a clean install of win2k and the
> half installation of Debian, a scan with nmap to the machine shows exactly the
> same as before.
> 
> I don't know yet what it could be.
> Is it possible that the install floppies we used to install Linux on
> the Windows machine were infected?
> Could it be that there was something wrong on the Windows machine that a
> normal format of all the disks didn't remove?
> Or is there something wrong in the Debian server?
> 
> Maybe someone can give us some advice?
> 
> thanks,
> Hans
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 
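The log lines Hans pasted carry the answer to the "filtered" question: every entry has an empty IN= and OUT=eth1 with SRC=192.168.0.1, which is what the iptables LOG target writes for a packet generated on salamander itself and dropped in its OUTPUT chain. nmap reports a port as filtered when its SYN gets neither a SYN/ACK nor a RST back, so a port the scanner's own host refuses to send to shows up as filtered no matter what the Windows box runs. The script below is an added example written for this thread, not code from the list or from either poster. It parses iptables kernel log lines into fields, classifies each drop by chain from the IN/OUT pair, parses the nmap table, and reports which filtered ports are explained by local egress drops and which are not. The six log lines are copied from the thread (wrapped lines re-joined); the seventh, inbound line on port 22 is constructed to show that the direction check matters. Because only a subset of Hans's log is embedded, the unexplained set here is larger than it would be against the full log.

```python
import re

# Six iptables LOG lines copied from the thread (re-joined onto one line each),
# plus one constructed inbound line (DPT=22) that is NOT from the thread.
SAMPLE_LOG = [
    "Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18194 PROTO=TCP SPT=36170 DPT=6002 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58166 PROTO=TCP SPT=36300 DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38102 PROTO=TCP SPT=36595 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53110 PROTO=TCP SPT=36673 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62968 PROTO=TCP SPT=36787 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65535 PROTO=TCP SPT=37286 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Constructed line: an inbound SYN from the w2k box dropped in the INPUT chain.
    "Feb 17 17:12:03 salamander kernel: DENIED PORT:IN=eth1 OUT= SRC=192.168.0.253 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=TCP SPT=1040 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0",
]

# The nmap table from Hans's original mail (quote markers removed).
SAMPLE_NMAP = """Port       State       Service
110/tcp    open        pop-3
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
2049/tcp   filtered    nfs
6000/tcp   filtered    X11
6001/tcp   filtered    X11:1
6002/tcp   filtered    X11:2
6003/tcp   filtered    X11:3
6004/tcp   filtered    X11:4
6005/tcp   filtered    X11:5
6006/tcp   filtered    X11:6
6007/tcp   filtered    X11:7
6008/tcp   filtered    X11:8
6009/tcp   filtered    X11:9
6050/tcp   filtered    arcserve
12345/tcp  filtered    NetBus
12346/tcp  filtered    NetBus
27665/tcp  filtered    Trinoo_Master
"""

HEAD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s*(?P<prefix>.*?)IN=")
KV_RE = re.compile(r"\b(\w+)=(\S*)")          # KEY=value tokens; IN= and OUT= may be empty
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)


def parse_iptables_line(line):
    """Split one LOG-target kernel line into its fields; None if it is not one."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line))
    return {
        "ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix").strip(),
        "in": kv.get("IN", ""), "out": kv.get("OUT", ""),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        "syn": bool(re.search(r"\bSYN\b", line)),   # bare flag token, no '='
    }


def direction(rec):
    """Infer the netfilter chain from which interfaces are set on the log line."""
    if rec["in"] and rec["out"]:
        return "forward"      # FORWARD chain: routed between two interfaces
    if rec["out"]:
        return "local-out"    # OUTPUT chain: packet generated on this host
    return "local-in"         # INPUT chain: packet addressed to this host


def nmap_port_states(text):
    """Map port number -> state ('open', 'filtered', ...) from an nmap table."""
    return {int(port): state for port, _proto, state, _svc in NMAP_RE.findall(text)}


def correlate(log_lines, nmap_text, scanner_ip, target_ip):
    """Explain nmap 'filtered' results by the scanner host's own egress drops."""
    filtered = {p for p, s in nmap_port_states(nmap_text).items() if s == "filtered"}
    dropped_locally, other_drops = set(), []
    for line in log_lines:
        rec = parse_iptables_line(line)
        if rec is None:
            continue
        rec["direction"] = direction(rec)
        if (rec["direction"] == "local-out" and rec["src"] == scanner_ip
                and rec["dst"] == target_ip and rec["proto"] == "TCP" and rec["syn"]):
            dropped_locally.add(rec["dpt"])   # our own SYN never left the box
        else:
            other_drops.append(rec)           # anything else deserves a look
    return {
        "filtered": filtered,
        "dropped_locally": dropped_locally,
        "explained": filtered & dropped_locally,      # filtered because we dropped it
        "unexplained": filtered - dropped_locally,    # no matching egress drop in this log
        "other_drops": other_drops,
    }


if __name__ == "__main__":
    r = correlate(SAMPLE_LOG, SAMPLE_NMAP, "192.168.0.1", "192.168.0.253")
    print("filtered by nmap      :", sorted(r["filtered"]))
    print("explained by OUTPUT   :", sorted(r["explained"]))
    print("still unexplained     :", sorted(r["unexplained"]))
    for rec in r["other_drops"]:
        print("other drop:", rec["direction"], rec["src"], "->", rec["dst"], "dpt", rec["dpt"])
```

Run against the full log rather than this excerpt, the unexplained set should shrink to nothing; any port that stays in it after that is the one worth investigating on the target. The other_drops list is the second useful output: a local-in or forward drop with a source that is not the scanner is not part of the scan at all.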


