AnimeSuki Forums
Old 2007-05-07, 19:48   Link #1
WanderingKnight
Gregory House
*IT Support
Something worries me (Firewall & Linux)

I installed Firestarter Firewall on my Ubuntu system a few days ago. During that time, it wouldn't catch more than 20 or 30 serious connection attempts during a whole day; however, today, when I came back from university, it had found an enormous number of serious connections in a short timespan. Here's a sample of some of the several connections that tried to access me during those 15 minutes.

Spoiler:


Any ideas? Is this to be considered very serious?

PS: Is this the work of an attempted DoS attack?
Place them in a box until a quieter time | Lights down, you up and die.

Last edited by WanderingKnight; 2007-05-07 at 20:45.
Old 2007-05-07, 21:25   Link #2
bayoab
Senior Member
Quote:
Originally Posted by WanderingKnight View Post
I installed Firestarter Firewall on my Ubuntu system a few days ago. During that time, it wouldn't catch more than 20 or 30 serious connection attempts during a whole day; however, today, when I came back from university, it had found an enormous number of serious connections in a short timespan. Here's a sample of some of the several connections that tried to access me during those 15 minutes.

Any ideas? Is this to be considered very serious?

PS: Is this the work of an attempted DoS attack?
This is not a DoS attack. Do I read this right and you went from behind the university firewall to outside of it? If that is true, then this could be accounted for as normal net traffic in your region of the internet. If not, then it might be that someone has taken an interest in you for some reason, but this is not a DoS attack. (There will be hundreds of packets a second in a DoS attack.) The majority of these packets are just ping packets (ICMP).
Old 2007-05-07, 21:49   Link #3
WanderingKnight
Gregory House
*IT Support
Quote:
Do I read this right and you went from behind the university firewall to outside of it?
No, no, my PC is home-based and it's not a laptop. I should have said, "When I came back home from university...".

Something I noticed (it's quite obvious anyways) is that the connections came from different IPs.

And now, I'm getting lots of "serious" labeled TCP connections incoming from a single IP (12.148.244.158). One of the services listed says "login", and another "Kerberos_master". The rest are unknown.

I'm starting to get really worried...
Old 2007-05-07, 21:57   Link #4
SeijiSensei
AS Oji-kun
Welcome to the wild-and-wooly Internet, WK!

Let's start with the "ICMP" connections. The ICMP protocol is used, among other things, to determine if an IP address is active. Try using the command "ping www.google.com" from the command prompt in Linux or Windows to see how it works. My home firewall has logged over 130,000 ping attempts since the first of the year. Some of these represent potential intrusion attempts from infected machines that share my IP address block. It's much more efficient to scan for active machines before trying to infect them than to try to infect random blocks of IP addresses. Nevertheless, if your firewall has a "default deny" policy, as it should, you should be fine. Most of those machines are looking for other Windows machines with known vulnerabilities.

Another group of packets are originating on your machine like this one:

Time:May 7 18:59:51 Direction: Unknown In:eth1 Out: Port:1900 Source:200.127.84.200 Destination:239.255.255.250 Length:129 TOS:0x00 Protocol:UDP Service:SSDP

These are UPnP packets which are used for device discovery. Some machine, a Windows machine or wireless router perhaps, is trying to advertise its existence. Do a Google search for 'port 1900' for more details.

That leaves just this one:
Time:May 7 18:59:11 Direction: Unknown In:eth1 Out: Port:6588 Source:222.191.251.93 Destination:200.127.84.200 Length:40 TOS:0x00 Protocol:TCP Service:Unknown

According to SANS, there's a well-known trojan that listens on this port. The machine with address 222.191.251.93 is trying to determine whether your computer is infected with the trojan and listening for instructions. Unless you're running the "AnalogX" proxy, you're fine.

In general, TCP requests are usually more troublesome than UDP or ICMP requests because they're often attempts to connect to an existing trojan or vulnerable service. As I say, my home firewall blocks thousands of packets each week, often from other computers connected to the Comcast service that I use here. It's not Comcast's fault; if I were on some other service, I'd see lots of traffic from hosts on those networks as well. My public servers, on an AT&T business connection, see much less of this type of traffic, and more attempts to locate Windows machines with unpatched vulnerabilities on ports like 1025-1030.

As long as your firewall has "deny" as its default policy, you should be fine.

As a test, I ran the nmap scanner against your machine. Your logs should now be full of denials for the address 12.148.244.158. (This is the same program Trinity uses in the second Matrix movie!) I didn't find any vulnerabilities:

Spoiler for nmap report:
Last edited by SeijiSensei; 2007-05-07 at 21:59. Reason: Yup, you've been scanned!
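To make the triage in the reply above repeatable, here is an added example (not code from the thread or from Firestarter) that parses Firestarter event lines in the exact format quoted above, buckets them into the three groups discussed (ICMP sweeps, SSDP multicast chatter, TCP probes), and flags any source that probes many distinct TCP ports, which is what a port scan like the one described looks like in the log. The sample lines, the ICMP source address and the five-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# A Firestarter event line is a run of "Key:value" pairs separated by spaces. Values
# can contain spaces ("May 7 18:59:51") or be empty ("Out:"), so we locate the keys
# (letters followed by a colon) and take everything between two keys as the value.
KEY_RE = re.compile(r'\b([A-Za-z]+):')

SSDP_MCAST = "239.255.255.250"   # UPnP/SSDP multicast group, always on UDP port 1900
SCAN_PORT_THRESHOLD = 5          # distinct TCP ports from one source before we call it a scan (assumption)


def parse_line(line):
    """Split one Firestarter event line into a dict keyed by its field names."""
    keys = list(KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def classify(ev):
    """Bucket an event the way the reply does: ping sweep, UPnP advert, or TCP probe."""
    proto = ev.get("Protocol", "")
    if proto == "ICMP":
        return "icmp-sweep"        # host discovery; harmless behind a default-deny policy
    if proto == "UDP" and ev.get("Destination") == SSDP_MCAST and ev.get("Port") == "1900":
        return "ssdp-multicast"    # a neighbour advertising itself, not aimed at this host
    if proto == "TCP":
        return "tcp-probe"         # someone asked for a specific port; worth a second look
    return "other"


def summarize(lines):
    """Count events per bucket and list sources that probed many distinct TCP ports."""
    counts = defaultdict(int)
    ports_by_source = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if "Protocol" not in ev:
            continue               # not a Firestarter event line; skip it
        bucket = classify(ev)
        counts[bucket] += 1
        if bucket == "tcp-probe":
            ports_by_source[ev["Source"]].add(ev["Port"])
    scanners = sorted(src for src, ports in ports_by_source.items()
                      if len(ports) >= SCAN_PORT_THRESHOLD)
    return dict(counts), scanners


# Constructed sample: the two lines quoted in the thread, one ICMP echo from a
# documentation-range address, and a burst of probes from the address the reply
# says the nmap run came from (ports and service names are made up here).
SAMPLE = [
    "Time:May 7 18:59:51 Direction: Unknown In:eth1 Out: Port:1900 Source:200.127.84.200 Destination:239.255.255.250 Length:129 TOS:0x00 Protocol:UDP Service:SSDP",
    "Time:May 7 18:59:11 Direction: Unknown In:eth1 Out: Port:6588 Source:222.191.251.93 Destination:200.127.84.200 Length:40 TOS:0x00 Protocol:TCP Service:Unknown",
    "Time:May 7 19:02:03 Direction: Unknown In:eth1 Out: Port: Source:203.0.113.7 Destination:200.127.84.200 Length:84 TOS:0x00 Protocol:ICMP Service:Unknown",
] + [
    f"Time:May 7 21:5{i}:00 Direction: Unknown In:eth1 Out: Port:{p} Source:12.148.244.158 Destination:200.127.84.200 Length:40 TOS:0x00 Protocol:TCP Service:{s}"
    for i, (p, s) in enumerate([(22, "SSH"), (80, "HTTP"), (113, "Ident"), (513, "login"), (6588, "Unknown")])
]

if __name__ == "__main__":
    counts, scanners = summarize(SAMPLE)
    print(counts)      # {'ssdp-multicast': 1, 'tcp-probe': 6, 'icmp-sweep': 1}
    print(scanners)    # ['12.148.244.158']
```

Feed it `open("/var/log/firestarter-events")` (or whatever path your install writes to) instead of `SAMPLE` to see which bucket your own "serious" events fall into.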
Old 2007-05-07, 22:04   Link #5
WanderingKnight
Gregory House
*IT Support
Quote:

As a test, I ran the nmap scanner against your machine. Your logs should now be full of denials for the address 12.148.244.158. (This is the same program Trinity uses in the second Matrix movie!) I didn't find any vulnerabilities:
So you were the one! Damn you xD (look at the upper post for an explanation)

Well, at least it leaves me a bit less preoccupied.

And here's a new question for you: Does the country where I live affect my vulnerability, considering the change of base IP address?
Old 2007-05-07, 22:12   Link #6
SeijiSensei
AS Oji-kun
I doubt it. The Internet is essentially peer-to-peer and indifferent to geography. Look how I was able to scan your machine from thousands of miles away.

I suspect you might find a copy of nmap on your shiny new Ubuntu box (or else you can install one). Try scanning me in response.
Old 2007-05-07, 22:32   Link #7
WanderingKnight
Gregory House
*IT Support
Well, I meant it as in chance of getting randomly targeted. I'd guess a random attacker looking for machines would rather spend his/her time on US-based IP addresses.

And I'm too lazy to try that out. Besides, I'll be in bed soon.
Old 2007-05-07, 22:40   Link #8
SeijiSensei
AS Oji-kun
As far as I can tell, most scans these days come not from specific attackers, but from automated processes running on compromised, usually Windows, machines. Many of these scanners use the first couple of "octets" in the IP address of the machine they're running on to create a list of target addresses. For instance, a scanner on 1.2.3.4 is more likely to scan other machines in 1.2.x.x than in 222.222.x.x. The essence of worms is that they replicate themselves onto other machines by locating other machines that share the same vulnerability as the machine they're running on. Once a machine is infected it "phones home" for instructions.

The situation was rather different some years back. One target for spammers was "open relays," mail exchangers that accept mail from anyone and forward it along to someone else. Most mail servers in the early days of the Internet were open relays by default. The spammer would send the message to the relay with a long list of target addresses and let the relay do all the work (and attract all the ire). I had a mail server exploited in this fashion until I toughened up the rules controlling access. I suspect scans for open relays were more targeted since you could consult the DNS to find the addresses of legitimate mail servers and attempt to exploit them. Nowadays, as I say, I don't think these types of attacks are very common at all, and certainly not common against ordinary consumer IP addresses. Investing the time and energy required to target specific machines these days is probably limited to high-value attacks against commercial and military computers.

So I guess if Argentina is a place with fewer compromised machines, it's less likely you'll be the target of scans. Still I don't think you have much to worry about, so put your head down on that pillow and sleep soundly.
Last edited by SeijiSensei; 2007-05-07 at 22:51.
Old 2007-05-08, 17:23   Link #9
Ledgem
Love Yourself
If you're worried about open ports, use a service like grc.com's "shields up" (there are others on the net, too). I'm used to having a firewall inform me of things almost all the time, so when I go under Linux or Mac OS it's really unnerving to not have any security software on there. The firewall is in the OS for OpenSUSE and Mac OSX, but it's a quiet one - it seems to be very secure, but I'm still paranoid.
Old 2007-05-08, 18:22   Link #10
SeijiSensei
AS Oji-kun
If you have access to another machine with an Internet connection, try scanning your computer with nmap as I did with WK. It's by far the best port scanner available, and it's open source and licensed under the GPL. From what I can tell, "Shields Up" is a poor cousin to nmap. I mean, really, wouldn't Trinity be using the best stuff out there?
Old 2007-05-08, 19:19   Link #11
Epyon9283
Geek
I don't even look at my firewall logs any more. It's a pointless endeavor. The only time I check is if something I'm trying to do isn't working.
Old 2007-05-09, 10:22   Link #12
Jinto
Asuki-tan Kairin ↓
If one runs services (like me)... e.g. SSH, one is a victim to probes every now and then too. And this is particularly annoying, since when they probe services like SSH they often use stupid brute force methods that spam your SSH port with all sorts of strange login attempts. If there is a bunch of IPs doing that at the same time, it's like a little DoS attack, which can have some influence on your own ping, reachability of certain ports (e.g. the SSH port) and of course bandwidth.
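The "bunch of IPs doing that at the same time" case is exactly the one a per-address ban misses, so here is an added example (not code from the thread, and not fail2ban itself, though the idea is the same) that reads OpenSSH "Failed password" lines from an auth log with a sliding time window and reports both a single address exceeding a per-IP limit and a distributed spray where no single address does. The window length, both limits, the host name and all sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth-log line for a rejected password. "invalid user" is present when the
# account does not exist, which is the common case for blind guessing.
FAILED_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)

WINDOW = 600          # seconds; assumption, close to fail2ban's default findtime
PER_IP_LIMIT = 5      # failures from one address inside WINDOW before we flag it (assumption)
SPRAY_LIMIT = 20      # failures from all addresses inside WINDOW: a distributed spray (assumption)


def parse_failed(line, year=2007):
    """Return (timestamp, ip, user) for a failed-password line, else None.
    Syslog lines carry no year, so the caller supplies it (no rollover handling)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect(lines):
    """Sliding-window counter over failed logins; returns (sorted offending IPs, spray_seen)."""
    per_ip = defaultdict(deque)    # timestamps of recent failures, per source address
    everyone = deque()             # timestamps of recent failures from any address
    offenders, spray_seen = set(), False
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue               # accepted logins, disconnects, etc. are ignored
        ts, ip, _user = parsed
        for q in (per_ip[ip], everyone):
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW:
                q.popleft()        # drop failures that fell out of the window
        if len(per_ip[ip]) >= PER_IP_LIMIT:
            offenders.add(ip)      # one address hammering the port: ban candidate
        if len(everyone) >= SPRAY_LIMIT:
            spray_seen = True      # many addresses, each below the per-IP limit
    return sorted(offenders), spray_seen


def _line(hhmmss, ip, user="admin"):
    # builds a constructed sample line in the real sshd format
    return f"May  9 {hhmmss} box sshd[2101]: Failed password for invalid user {user} from {ip} port 4422 ssh2"


# Constructed sample: one address tries six times in under a minute, then ten addresses
# each try twice (individually harmless, collectively a spray), then a real user typos once.
SAMPLE = (
    [_line(f"10:00:{s:02d}", "198.51.100.5") for s in (0, 7, 15, 22, 30, 41)]
    + [_line(f"10:03:{10 + i * 3:02d}", f"203.0.113.{i + 1}", user)
       for i in range(10) for user in ("oracle", "test")]
    + ["May  9 10:09:00 box sshd[2188]: Failed password for alice from 192.0.2.40 port 50122 ssh2"]
)

if __name__ == "__main__":
    print(detect(SAMPLE))   # (['198.51.100.5'], True)
```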
Old 2007-05-09, 13:23   Link #13
SeijiSensei
AS Oji-kun
Quote:
Originally Posted by Ledgem View Post
I'm used to having a firewall inform me of things almost all the time, so when I go under Linux or Mac OS it's really unnerving to not have any security software on there.
Quote:
Originally Posted by Epyon9283 View Post
I don't even look at my firewall logs any more. It's a pointless endeavor. The only time I check is if something I'm trying to do isn't working.
I suspect Ledgem's talking about Windows firewalls which alert you about outbound connection attempts spawned by programs you're running. Like Epyon, I couldn't possibly review my firewall logs on any consistent basis; they're just too full of junky inbound connection attempts that I've blocked anyway. If you really do review every firewall notification you see, Ledgem, either you're very diligent, or very paranoid, or you have a lot of time on your hands.

Quote:
Originally Posted by Jinto Lin View Post
If one runs services (like me)... e.g. SSH, one is a victim to probes every now and then too. And this is particularly annoying, since when they probe services like SSH they often use stupid brute force methods that spam your SSH port with all sorts of strange login attempts. If there is a bunch of IPs doing that at the same time, it's like a little DoS attack, which can have some influence on your own ping, reachability of certain ports (e.g. the SSH port) and of course bandwidth.
I've seen these, too, but the effects on my servers' bandwidth from probes like these pale in comparison to the amount of stupid spam traffic pounding those servers 24/7. I blocked nearly 32,000 email connection attempts on my primary MX last week because they originated from likely spam sources, and I'm hosting mail for only a couple dozen domains. I allowed in another 40,000 messages, and usually well over half of those are tagged by SpamAssassin. On good weeks about one in six attempted connections is a legitimate message; on bad weeks it's more like one in ten.

My backup MX, which is also my home firewall, gets thousands of email connection attempts each week as well and blocks about 90%+ of them as coming from likely spam sources.
Old 2007-05-09, 13:49   Link #14
Jinto
Asuki-tan Kairin ↓
Okay, a mail daemon/server is one of the services I am not crazy enough to run.
Old 2007-05-09, 15:30   Link #15
Ledgem
Love Yourself
Sorry for not clarifying, I meant outbound connections from unauthorized programs, or even inbound connections to things like critical services. I used to have logging enabled for the Windows Remote Desktop Client's port (couldn't figure out how to change it from the default), but it was tedious to review it. I ended up just blocking all IPs except those originating from my university. I can take on a university IP at any time with VPN, so this guaranteed me access while filtering out everything else. Unless it was an internal attack...

But since the subject was brought up, does anyone have any recommendations? When I used FireStarter two years ago it was incredibly light on the information it gave and the prompts. It makes for easier computing, I'll admit, but I still find myself worrying. I also believe that Mac OS is the next big thing to get hit, and I'll be damned if I'm going to leave myself defenseless like that.

How about virus scanners for Linux and Mac? I don't care to have auto-protect enabled necessarily, but it might be nice.
Old 2007-05-09, 17:12   Link #16
SeijiSensei
AS Oji-kun
I've never used a virus scanner on a Linux box and really never expect to need one in the future, either.

Most Windows viruses exploit rather obvious gaping holes like the fact that nearly any ordinary user is granted Administrator privileges out of the box. That makes it easy to infect Windows computers at the kernel level simply by running an infected .exe or even by downloading an ActiveX component. On *nix (including Mac OS X), no one is root by default. Let's say you got an email with a "Linux virus" in it, and you stupidly clicked on it, what might happen? Well you could install a program that runs in userspace with your permissions, but anything that tried to mess with the OS at a deeper level would require root permissions. You wouldn't just blindly grant those permissions to any piece of software that comes across your plate now, would you? I knew that you wouldn't.

Now let's talk about spyware. Again, many of the same rules apply. Ordinary users on Windows with their Administrator privileges can do all sorts of dangerous things like replace legitimate system DLLs with infected ones, write entries to the registry, etc. Install an infected kernel module on a Linux box without root permissions? Ain't gonna happen.

A common uninformed perspective argues that the greater prevalence of malware for Windows is simply a result of its near-monopoly position on the desktop. That point of view simply ignores many fundamental architectural differences between Windows and *nix that make the latter much more robust against typical virus attacks. Add in a little intelligence on the part of the person at the keyboard, and your chances of being infected with anything are vanishingly small.

I do scan all my mail for viruses at the server level, and we have stringent rules like not accepting executable attachments. (That simple rule alone probably blocks well over half of all email-borne virus traffic without even bothering to scan it with ClamAV.) So even if I were running Windows, the most common infection vector has been defanged. Even if your email provider isn't as diligent as I am, not clicking on random attachments, and never clicking on anything executable unless you have really good reason to believe it's not dangerous, will keep you in good stead.

One of the other joys of running Linux is the ability to test out Windows executables in a Wine session. You get to see what that software might do within the Wine sandbox. It's always fun to watch some piece of Windows malware try to rewrite my Wine registry!

So I say enjoy your new-found freedom from worry!
Old 2007-05-09, 18:57   Link #17
WanderingKnight
Gregory House
*IT Support
Quote:
A common uninformed perspective argues that the greater prevalence of malware for Windows is simply a result of its near-monopoly position on the desktop. That point of view simply ignores many fundamental architectural differences between Windows and *nix that make the latter much more robust against typical virus attacks. Add in a little intelligence on the part of the person at the keyboard, and your chances of being infected with anything are vanishingly small.
It's also true that, if Linux was more widespread, more and more malware developers would be cracking their heads at creating more effective ways of getting into the OS, and even when right now holes in Linux's security aren't very apparent, they can become so just by having a lot more people studying its structure and its flaws. I firmly believe everything is possible in the world of computing, and there are always new things being discovered and new holes being exploited. Though I won't risk myself entering into a discussion about Linux basic mechanics (which I'm not specially acquainted with), that is my humble view on the matter.
Old 2007-05-09, 19:28   Link #18
Jinto
Asuki-tan Kairin ↓
Quote:
Originally Posted by SeijiSensei View Post
A common uninformed perspective argues that the greater prevalence of malware for Windows is simply a result of its near-monopoly position on the desktop. That point of view simply ignores many fundamental architectural differences between Windows and *nix that make the latter much more robust against typical virus attacks. Add in a little intelligence on the part of the person at the keyboard, and your chances of being infected with anything are vanishingly small.
Quote:
Originally Posted by WanderingKnight View Post
It's also true that, if Linux was more widespread, more and more malware developers would be cracking their heads at creating more effective ways of getting into the OS, and even when right now holes in Linux's security aren't very apparent, they can become so just by having a lot more people studying its structure and its flaws. I firmly believe everything is possible in the world of computing, and there are always new things being discovered and new holes being exploited. Though I won't risk myself entering into a discussion about Linux basic mechanics (which I'm not specially acquainted with), that is my humble view on the matter.
That and... from my computer science studies in software fault tolerance I know that Linux has a lot of weak spots too, and more so the applications running on Linux (I don't want to be misunderstood: it's still much safer than Windows and its applications).
However, even if Linux were widely spread, it is still quite different from distro to distro. The high diversity is also a point that makes it less attractive for attacks. That, and the fact that most users need to know what they are doing when they try to operate the Linux OS (the operator is one of the important possible weak spots a system has).

However, the felt safety might be a false one... e.g. it is nice that in a worst case scenario only the user space is affected... but since the user usually stores all the user data in the user space, enough damage can be caused. Well, serious damage is not really the aim of most attacks... So it is more likely that services become injected at runtime; luckily that does not matter much for private users, that's more likely a threat for service providers with high bandwidth or the like...

So it is also a common uninformed perspective, that Linux is safe based on its architecture/programming (actually there are a lot more reasons than just this... architecture actually being one of the weaker arguments).
Old 2007-05-09, 22:07   Link #19
Ledgem
Love Yourself
I'm less concerned with Linux, largely because you see a lot of information about what's going on. The lack of one common distribution also makes it more appealing, as SeijiSensei mentioned. What I'm terrified for is Mac OS X. It's a hell of a lot easier to use than Linux, in part because there's a huge lack of information about what's going on. I hate to say it, but I had more access in Windows. I may have missed something incredibly obvious, but I couldn't even open a configuration file to examine it: I can't find a notepad-equivalent in this operating system. Also, Mac OS is the next big thing, it seems. It's almost certain to be targeted once it starts gaining major marketshare against Windows.

So maybe I don't need it - I'm asked for a password any time I want to install something. Like Ubuntu, my password IS the root password - this is very different from SUSE. My concern is that I might install something that would have some malware attached. What happens then? In Windows, I'd be alerted the second that the undesirable was starting the installation process, and I could forcefully abort it (assuming my scanner didn't fail me). What do I do here? I've barely used Linux but I feel blind without the terminal sometimes; maybe I should download the developer kit to install it (and try to avoid major system edits)...
Old 2007-05-10, 14:37   Link #20
Vexx
Obey the Darkly Cute ...
*Author
Be careful with happy nmap scanning though... some ISPs have nasty TOS violation rules about that sort of thing -- of course, they're usually right next to the TOS line about NO SERVERS ALLOWED when they've sold you a business connection and they know damn well you're going to run servers.
(grumbles about bullshit TOS/EULA idiocy)