LinuxQuestions.org
Old 07-12-2001, 02:48 AM   #1
groegert
Portscan from my own machine


I have 2 Linux machines in our network as servers/gateways for Windows machines.
Last week I got a portscan on linux1 from linux2 (log entry):
Jul 4 12:51:31 inetsrv scanlogd: From linux2 to linux1 ports 21, 3382, 3385, 3388, 3391, 3394, 3397, 3400, 3403, ..., flags ??r??u, TOS 00, TTL 64, started at 12:51:21

At the same time, log entry on linux2 (time was not synchronized):
Jul 4 13:11:54 Surfer kernel: IPv6 v0.8 for NET4.0
Jul 4 13:11:54 Surfer kernel: IPv6 over IPv4 tunneling driver
Jul 4 13:11:54 Surfer in.ftpd[17049]: connect from localhost (127.0.0.1)
Jul 4 13:12:14 Surfer kernel: eth0: no IPv6 routers present
Jul 4 13:12:14 Surfer kernel: eth0: no IPv6 routers present
Jul 4 13:12:38 Surfer in.ftpd[17051]: connect from localhost (127.0.0.1)

... and I was the only user who was logged in on linux2:
me ftp localhost Wed Jul 4 13:12 - 13:12 (00:00)
me ftp windows1 Wed Jul 4 12:48 - 12:58 (00:10)
me pts/0 windows1 Wed Jul 4 11:38 - 13:15 (01:36)
me ftp windows1 Wed Jul 4 11:36 - 11:46 (00:10)
me ftp windows1 Wed Jul 4 11:36 - 11:51 (00:15)

Any idea why I got this portscan?

Well, linux2 is configured as a proxy for all Windows machines. Is this the solution to this riddle, or does Linux do a portscan itself?

And why did I get an IPv6 request?

Thanks in advance,

Thomas
 
Old 07-12-2001, 09:29 AM   #2
raz
Hi Thomas,

OK, I've looked at the log file you sent.

Looks to me like this.
Someone has tried to connect to your linux1 box's FTP port and then, for some strange reason, scanned in intervals of 3 from 3383 up.

The source could be spoofed, but the TTL info tells us it's from the same subnet as the Linux1 system. (Could still be spoofed, but harder and more unlikely.)

It also looks like someone on Linux2 wants your IDS on Linux1 to pick up on the fact that they are trying to connect to your ports. (Someone just needs a non-root local account on Linux2 to do this.)

Linux doesn't portscan itself, only to get info on RPC servers from portmap if needed (port 111).

The IPv6 errors are from your SSH server on Linux2; it's trying to bind to your IPv6 module and failing each time you log in to Linux2 from a Windows system over SSH.

There should be a line in your SSH config file that says:
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment the first line to stop this.

So basically, if you have other users who have an account on Linux2, they are playing with your ports trying to set off your IDS system on Linux1.

IPv6 is a separate problem on the Linux2 system.

/Raz
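As an added example (not code from the thread or from either poster), here is a small Python script that parses scanlogd lines like the one Thomas quoted and mechanises two of the checks Raz did by eye: the regular stride in the port list, and what the TTL says about how many routers the packets crossed. The original line is reproduced as quoted (with its "..." elision intact); the second sample line, the hostnames in it and the table of default initial TTLs are assumptions for illustration.

```python
import re
from typing import Optional

# Line exactly as quoted in the thread (scanlogd elided the tail of the port list).
ORIGINAL_LINE = (
    "Jul 4 12:51:31 inetsrv scanlogd: From linux2 to linux1 ports 21, 3382, 3385, "
    "3388, 3391, 3394, 3397, 3400, 3403, ..., flags ??r??u, TOS 00, TTL 64, "
    "started at 12:51:21"
)

# Constructed sample with the full port list spelled out (not from the page).
SAMPLE_LINE = (
    "Jul  4 12:51:31 inetsrv scanlogd: From linux2 to linux1 ports "
    "21, 3382, 3385, 3388, 3391, 3394, 3397, 3400, 3403, "
    "flags ??r??u, TOS 00, TTL 64, started at 12:51:21"
)

# scanlogd syslog format: "From SRC to DST ports P, P, ..., flags F, TOS T, TTL N, started at HH:MM:SS"
SCANLOGD_RE = re.compile(
    r"scanlogd: From (?P<src>\S+) to (?P<dst>\S+) ports (?P<ports>[\d, .]+?), "
    r"flags (?P<flags>\S+), TOS (?P<tos>[0-9a-fA-F]+), TTL (?P<ttl>\d+), "
    r"started at (?P<started>\d\d:\d\d:\d\d)"
)

# Common default initial TTLs (assumption used only for the hop estimate):
# 64 for Linux/BSD, 128 for Windows, 255 for many routers and Solaris.
INITIAL_TTLS = (64, 128, 255)


def parse_scanlogd(line: str) -> Optional[dict]:
    """Return the fields of one scanlogd line, or None if it is not one.

    Ports are kept in the order scanlogd printed them; a trailing "..."
    elision is tolerated because only digit runs are extracted.
    """
    m = SCANLOGD_RE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "ports": [int(p) for p in re.findall(r"\d+", m["ports"])],
        "flags": m["flags"],
        "tos": int(m["tos"], 16),
        "ttl": int(m["ttl"]),
        "started": m["started"],
    }


def longest_stride(ports: list, min_len: int = 4) -> Optional[tuple]:
    """Find the longest run of consecutive ports with a constant positive step.

    Returns (start, step, count) or None. A long run with a fixed step is
    the signature of a scripted sweep; real clients do not walk ports 3 apart.
    """
    best = None
    i, n = 0, len(ports)
    while i < n - 1:
        step = ports[i + 1] - ports[i]
        j = i + 1
        while j + 1 < n and ports[j + 1] - ports[j] == step:
            j += 1
        count = j - i + 1
        if step > 0 and count >= min_len and (best is None or count > best[2]):
            best = (ports[i], step, count)
        i = j
    return best


def ttl_hops(ttl: int) -> Optional[int]:
    """Estimate routers traversed: nearest default initial TTL >= observed, minus observed.

    0 means the packet arrived with its initial TTL intact, i.e. no router in
    between (same subnet), unless the sender forged the TTL along with the
    source address.
    """
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None


def assess(line: str) -> Optional[dict]:
    """Parse one scanlogd line and attach the stride and hop-count findings."""
    rec = parse_scanlogd(line)
    if rec is None:
        return None
    stride = longest_stride(rec["ports"])
    hops = ttl_hops(rec["ttl"])
    findings = []
    if stride:
        start, step, count = stride
        findings.append(f"{count} ports stepping by {step} from {start}: scripted sweep")
    if hops == 0:
        findings.append("TTL equals a default initial value: no router between hosts")
    return {**rec, "stride": stride, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for line in (ORIGINAL_LINE, SAMPLE_LINE):
        result = assess(line)
        print(f"{result['src']} -> {result['dst']}, TTL {result['ttl']}, hops {result['hops']}")
        for f in result["findings"]:
            print("  -", f)
```

Run it as a filter over /var/log/messages to pull out only the scanlogd events whose port list has a regular stride; a hop count of 0 supports the "local subnet" reading, but as Raz notes, a spoofed packet can be crafted with the default TTL too, so treat it as corroboration rather than proof.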
 
  


All times are GMT -5.
