Strange syslog activity? Who's the guru around here?

Rezzin

Member
Dec 17, 2000
44
0
0
If anyone can shed light on this I would greatly appreciate it. I will try to keep this as short as possible. Here is the situation:

(note: I am not running any services except an ftp site on port 2456)

I've been monitoring traffic on the wan interface of my router for packets destined for port 23,80,139,12345, etc - I am fairly new to networking and was just curious as to what kind of traffic I would be seeing. Over the course of 2 weeks I've noticed consistent traffic from an IP within my subnet.. I'd say about 20-30 hits a day destined for port 80. MOST of the traffic I've been seeing on the ports I've specified are destined for port 80. Now here's the issue: I thought maybe this IP was some infected website running scans on the network (the only traffic from this IP is on port 80 ... ALWAYS) so - just to see what was going on.. I popped the IP into a browser and nada. I then try ftp'ing to the IP and sure enough he's running an anonymous ftp. I log in and try to create a directory called please_leave_me_alone as I only want it to stop. Within *5* minutes, I see activity from his IP.. but here's the thing: It's destined for PORT 2456 - SOURCE PORT 80!?! Here is the syslog entry:

11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF
11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF

I don't think he ran a scan on my IP as I believe I would have seen activity on the other ports I specified.. I also don't understand how his SOURCE PORT was listed as 80 as almost always the source port is a number >1023.

Has anyone seen this before? Can anyone shed some light on this for me please? Thanks in advance for any input I receive.

Rezzin


 

Rezzin

Member
Dec 17, 2000
44
0
0
Yes.. here is my syslog clip:

12-04-2001 14:05:28 Local1.Notice router rezzin: IP[Src=63.205.136.xxx Dst=63.193.144.xxx TCP spo=04866 dpo=00080]}S04>R02mD
12-04-2001 14:05:25 Local1.Notice router rezzin: IP[Src=63.205.136.xxx Dst=63.193.144.xxx TCP spo=04866 dpo=00080]}S04>R02mD
12-04-2001 13:19:46 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=03368 dpo=00080]}S04>R02mD
12-04-2001 13:19:43 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=03368 dpo=00080]}S04>R02mD
12-04-2001 12:56:19 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=01610 dpo=00080]}S04>R02mD
12-04-2001 12:56:16 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=01610 dpo=00080]}S04>R02mD
12-04-2001 11:50:57 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=04400 dpo=00080]}S04>R02mD
12-04-2001 11:50:54 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=04400 dpo=00080]}S04>R02mD

As you can see, just over a 2-hour period.. that's a total of 8 hits from the same IP on port 80. My log's getting HUGE from this guy =(. The example I've listed in my first post shows what happened *5* minutes after I tried FTP'ing to the guy's IP... as you can see from the logs I've posted here.. the source port is usually a 4-5 digit # > 1023. Still no idea why I've been seeing so much traffic from this guy and still *NO* clue as to how he found the port my ftp site was using (I think I would have caught a scan) and using a SOURCE port of 80 on top of that. Strange... help!
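An added example, not from the original thread, showing how one might triage the clips posted above: a parser for the router's syslog line layout (the `IP[Src=... Dst=... TCP spo=... dpo=...]` field), which collapses the paired entries a few seconds apart (what a retried connection attempt looks like) into single attempts, counts attempts per source address, and flags the two things the poster asks about: inbound packets whose source port is below 1024, and any hit on the FTP listener. The sample lines are constructed from the posts with the same masked octets; the FTP port (2456) and the 5-second retry window are assumptions taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in the same layout as the router's syslog output
# (source octets masked as "xxx" exactly as in the posts above).
SAMPLE_LOG = """\
11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF
11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF
12-04-2001 14:05:28 Local1.Notice router rezzin: IP[Src=63.205.136.xxx Dst=63.193.144.xxx TCP spo=04866 dpo=00080]}S04>R02mD
12-04-2001 14:05:25 Local1.Notice router rezzin: IP[Src=63.205.136.xxx Dst=63.193.144.xxx TCP spo=04866 dpo=00080]}S04>R02mD
12-04-2001 13:19:46 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=03368 dpo=00080]}S04>R02mD
12-04-2001 13:19:43 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=03368 dpo=00080]}S04>R02mD
12-04-2001 12:56:19 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=01610 dpo=00080]}S04>R02mD
12-04-2001 12:56:16 Local1.Notice router rezzin: IP[Src=63.193.186.xxx Dst=63.193.144.xxx TCP spo=01610 dpo=00080]}S04>R02mD
"""

# Matches the timestamp and the IP[...] field; the host/tag part between them
# varies ("192.168.0.1 router:" vs "router rezzin:"), so it is skipped lazily.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ .*?: "
    r"IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) (?P<proto>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]"
)

FTP_PORT = 2456      # assumption: the poster's non-standard FTP listener
RETRY_WINDOW = 5     # assumption: same 4-tuple within 5 s = one retried attempt


def parse(log_text):
    """Return one dict per recognisable log line; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m-%d-%Y %H:%M:%S")
        events.append({
            "ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spo": int(m["spo"]), "dpo": int(m["dpo"]),
        })
    return events


def collapse_retries(events, window=RETRY_WINDOW):
    """Merge records with the same (src, spo, dst, dpo) that fall within
    `window` seconds of the previous one: a client retrying a connection
    keeps its source port, so those are one attempt, not several."""
    attempts = []
    last_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["spo"], e["dst"], e["dpo"])
        prev = last_seen.get(key)
        if prev is not None and (e["ts"] - prev).total_seconds() <= window:
            continue
        last_seen[key] = e["ts"]
        attempts.append(e)
    return attempts


def summarize(attempts, ftp_port=FTP_PORT):
    """Per source address: attempt count, destination ports touched, how many
    attempts used a privileged (<1024) source port, and hits on the FTP port."""
    per_src = defaultdict(lambda: {
        "attempts": 0, "dports": set(), "low_sport": 0, "ftp_port_hits": 0,
    })
    for a in attempts:
        s = per_src[a["src"]]
        s["attempts"] += 1
        s["dports"].add(a["dpo"])
        if a["spo"] < 1024:          # clients normally use ephemeral ports
            s["low_sport"] += 1
        if a["dpo"] == ftp_port:
            s["ftp_port_hits"] += 1
    return dict(per_src)


if __name__ == "__main__":
    for src, s in summarize(collapse_retries(parse(SAMPLE_LOG))).items():
        print(src, s["attempts"], "attempts, dports", sorted(s["dports"]),
              "low-sport", s["low_sport"], "ftp-port hits", s["ftp_port_hits"])
```

Run as a script it reads the embedded sample; point `parse()` at the real syslog file to get the same per-source summary. The eight lines collapse to four attempts, and the one attempt against port 2456 is also the only one with a source port below 1024, which is exactly the pair of oddities the poster noticed.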
 

subflava

Senior member
Feb 8, 2001
280
0
0
Your logs are a little hard to decipher without knowing what traffic you're monitoring. You say you're monitoring the WAN link of your router and I had assumed you were monitoring incoming traffic. However the two samples you gave aren't consistent:

<< 11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01 >>

<< 12-04-2001 14:05:28 Local1.Notice router rezzin: IP[Src=63.205.136.xxx Dst=63.193.144.xxx TCP spo=04866 dpo=00080]}S04>R02mD >>

In the first example the source port is 80 and in the 2nd the *destination* is port 80. They aren't really showing the same thing. It's hard to figure out what's going on without knowing how your network is laid out.
 

Rezzin

Member
Dec 17, 2000
44
0
0
I am monitoring incoming traffic on the WAN interface. If you look at the 2 sets of logs, you can see the log with the destination port set to 80 (dpo=00080), the destination IP is the IP for my wan interface (63.193.144.xxx).. which is normal. What has me confused is the first set of examples that shows the same source IP, but different destination IPs (not to mention his source port is set to 80).

11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF

I am running several PC's behind my router.. with the ftp server sitting on 192.168.0.3... which is also why I can't figure out why it says destination address 192.168.0.2 (the .2 machine has the syslog daemon running). This entry is the ONLY set of logs that is inconsistent with the rest of the traffic I have been monitoring. I have been posting and scouring everywhere for information regarding this... it's too bad Netgear support isn't much help.
 

EricHagen

Member
Jun 18, 2001
93
0
0
For the FTP spec, the destination port can be anything. Many FTP programs use 21 by default as the source port, but perhaps his web browser prefers to use 80 as an outgoing port (or that is necessary for his firewall settings). They don't all use >1024, but it's bad practice (for code portability and I think security as well) not to do so. Perhaps the guy has written a cracking app (or he's using one) that tunnels through port 80?

He may have picked up your FTP port from elsewhere, or he scanned you and your syslog didn't pick up on it. What sensitivity do you have the error reporting? I'm no expert on Syslog, but I think you may want to turn up the sensitivity a notch to see more of the traffic.

The fact that it got forwarded to your Syslog server is weird if that really is the forwarded port for your FTP server. A bug in the router?


As for the second group with DEST: port 80- I would guess those are CodeRed II and/or Nimda attacks if you aren't expecting web traffic.
If you have IIS installed, make sure it's patched up well so you don't get infected.
Without seeing the HTTP logs, I couldn't tell you definitively that this is what was causing the DEST: 80 traffic, but I would guess that was the case.

Eric

 

Rezzin

Member
Dec 17, 2000
44
0
0
I am not running any services on my LAN except for that ftp server which is using port 2456. Syslog is triggered whenever incoming TCP packets are received on the specified ports. The router by default drops ICMP packets (not sure which.. but the malicious ones I assume, as I am still able to traceroute and such). I was just curious as to how his SOURCE port could be specified as 80 and how he found 2456 (remember, I only have TCP packets triggered) without me catching scans on other ports. Strange...
 

EricHagen

Member
Jun 18, 2001
93
0
0
I'm not sure how he found your FTP port number, but the port being specified as '80' isn't a big deal at all.

I'm sure it's either a non-standard web browser or perhaps a custom script that he simply specified to run on port 80.

As long as he has ROOT access to his system, he can use outgoing ports < 1024.

Eric
 