Goto www.FinchHaven.com
Goto the computer systems of FinchHaven

Firewall incidents
at the FinchHaven datacenter

Hideously out-of-date! This is from about August of 2002 :-/

Each page represents one or more incidents from my firewall log files that I found interesting.

For the most part, what you'll see is a record of each incident as recorded by snort 1.8.7 (the lines containing "greatwall snort:"), by ipchains, which is the firewall itself (the lines containing "greatwall kernel:"), and by p0f, a passive OS fingerprinting tool, if the packet is TCP...

I add whois information for the IP address using bwwhois, a hostname lookup using host(1), and add some commentary if the probe is remarkable in any way ;-)

(At the moment, I'm trying to re-name the incident files to a more meaningful syntax that contains the protocol:port, rather than the time-of-day -- so bear with me for a while...)

Also here are some older bulk logs for entire 24 hour periods, in a different format based upon my revisions to Dan Swan's snort2html.pl, focusing on source IP and host, and source and destination ports.

[ FinchHaven Data Center ]

The firewall box itself is the smaller one on the left, under the USR Courier 56K V-Everything modem. It's got an Asus P/I-P55TP4N mobo with a Pentium 150 Classic and 96 MB RAM, and it's running Red Hat Linux 6.2 - no X - 6 consoles with CLI only.
In between the firewall box and the ViewSonic G773 monitor is a Linksys ProConnect KVM switch, and on top of that is my cute little SMC EtherEZ 5-port hub!

03/20/02: My methodology (then..)


08/10/02: "One approach to intrusions research behind a personal firewall"

So now I've added a cool little tool I wrote, ACK_hole01.c (heh.. actually it is for the most part copied from W. Richard Stevens' tcpserv04.c in "UNIX Network Programming" vol.1, second edition, p.128; and from trafficrcv.c, from http://www.psc.edu/~web100/pathprobe/ ).

ACK_hole is essentially a network data sink: it sits on a specific TCP port (or several of them: I'm running it on six..) and accepts connections from foreign hosts just like it was a server of some sort.

Only trick is, it's not a server at all: it accepts any/all packets sent to whatever port it's sitting on, and drops them on the floor like they never existed.

So what's the point?

The point is that all the while ACK_hole is accepting packets and dropping them, snort 1.8.7 is merrily logging everything, because I've also opened my firewall on the specific ports ACK_hole is listening to.

So now, despite the fact I'm still secure behind my firewall generally, I can see in detail exploit attempts to specific ports that were previously repelled at the first SYN packet.

Source code for ACK_hole01.c

Note that this will not compile as-is: you need to download the supporting files for the #include's and their dependencies, which are part of the UNIX Network Programming source code, from http://www.kohala.com/start/unpv12e/unpv12e.tar.gz

Email me if you want more info; I also have a tarball of the source and supporting files necessary to ACK_hole, itself.

mailto: jsage@finchhaven.com
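A stand-alone sink in the spirit of ACK_hole, written here as an added example (it is not the page's ACK_hole01.c and needs none of the UNP support files, only POSIX sockets): it binds a port, accepts connections, reads whatever the peer sends until the peer closes, and never writes anything back. The function names, the 0.0.0.0 bind address and the default port in main() are my own assumptions.

```c
/* Added example, not the page's ACK_hole01.c: a minimal TCP data sink.
 * The kernel completes the three-way handshake and ACKs every segment, so
 * the probing host believes it reached a live service and sends its full
 * payload, which a sniffer on the box can record; the sink itself replies
 * with nothing at the application layer and simply discards the bytes. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Create a listening TCP socket bound to addr:port (port 0 lets the kernel
 * pick a free port). Returns the listening fd, or -1 on error. */
int ack_hole_listen(const char *addr, uint16_t port)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    int one = 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 16) < 0) {
        close(lfd);
        return -1;
    }
    return lfd;
}

/* Report the port the listener actually bound (0 on error). */
uint16_t ack_hole_port(int lfd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

/* Accept one connection, swallow everything the peer sends until it closes,
 * and return the number of bytes discarded (-1 on error). Nothing is ever
 * written to the peer. */
long ack_hole_drain_one(int lfd)
{
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (cfd < 0) return -1;
    char buf[4096];
    long total = 0;
    for (;;) {
        ssize_t n = read(cfd, buf, sizeof buf);
        if (n > 0) { total += n; continue; }
        if (n < 0 && errno == EINTR) continue;
        break;  /* EOF (peer closed) or error: done with this peer */
    }
    close(cfd);
    return total;
}

/* Usage: ./ack_hole [port]   (assumed default port 8080, address 0.0.0.0) */
int main(int argc, char **argv)
{
    uint16_t port = (argc > 1) ? (uint16_t)atoi(argv[1]) : 8080;
    int lfd = ack_hole_listen("0.0.0.0", port);
    if (lfd < 0) { perror("ack_hole_listen"); return 1; }
    fprintf(stderr, "ack_hole: sinking tcp/%u\n", ack_hole_port(lfd));
    for (;;) {
        long n = ack_hole_drain_one(lfd);
        if (n >= 0) fprintf(stderr, "ack_hole: swallowed %ld bytes\n", n);
    }
}
```

The only thing that exposes the sink is the firewall rule that lets the port through; since the process never sends data and never interprets what it reads, the payloads it swallows end up in the sniffer's log rather than in anything that could act on them.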

Here's a first, real good example of what ACK_hole now lets me log: 080502_ACK_hole_tcp_80.html


The most recent logs are kinda towards the top..

virus_sampler.html
udp_137_sampler.html
tcp_27374_sampler.html
tcp_22_sampler.html
port_445.html
methodology.html
TCP_80_payloads.html
IIS_probe_strings.html
ACK_hole_tcp_80_payloads.html
ACK_hole_tcp_1433_payloads.html
ACK_hole.html
ACK_hole.c.html
080502_ACK_hole_tcp_80.html
080502_ACK_hole_tcp_17300.html
040302_ACID.html
0402_search_strings.html
040202_ACID_summary.html
040202_ACID.html
040102_tcp53_burst.html
040102_ACID_summary.html
040102_ACID.html
033102_ACID_summary.html
033102_ACID.html
033002_portscan.html
031802_logs.html
031702_logs.html
031602_logs.html
031502_variety.html
031502_logs.html
031402_logs.html
031302_proto_50.html
031302_logs.html
031202_udp_161.html
031202_tcp_53.html
031202_tcp_123.html
031202_logs.html
031102_logs.html
031002_udp_22_5632.html
030902_logs.html
030802_tcp_53.html
030802_logs.html
030702_logs.html
030602_logs.html
030502_logs.html
030402_variety.html
030402_logs.html
030302_logs.html
0302_search_strings.html
030202_tcp_6346.html
030202_tcp_1080.html
030202_logs.html
030102_udp_137.html
030102_tcp_27374.html
030102_logs.html
022802_tcp_21.html
022802_logs.html
022702_logs.html
022602_tcp_53.html
022602_logs.html
022502_logs.html
022502_dialup_cruft.html
022402_udp_22_5632.html
022402_tcp_22.html
022402_tcp_1214.html
022402_logs.html
022302_tcp_22.html
022302_tcp_12345.html
022302_logs.html
022202_logs.html
022102_logs.html
022102_2137.html
022002_logs.html
022002_0545.html
021902_scary_nimda.html
021902_logs.html
021902_2015.html
021902_1941.html
021902_0547.html
021802_logs.html
021802_2217.html
021802_1848.html
021802_1359.html
021802_1044.html
021802_1021.html
021702_logs.html
021702_2317.html
021702_1457.html
021602_logs.html
021402_logs.html
021402_0422.html
0202_search_strings.html

An index into specific probes by proto/port/service:

tcp:21 ftp
    022802_tcp_21.html
    022102_2137.html
    021902_2015.html
tcp:22 ssh
    tcp_22_sampler.html
    022402_tcp_22.html
    022302_tcp_22.html
    021702_1457.html
udp:22 ssh
    022402_udp_22_5632.html
tcp:53 DNS
    031202_tcp_53.html
    030802_tcp_53.html
    022602_tcp_53.html
tcp:80 CodeRed/Nimda
    080502_ACK_hole_tcp_80.html
    021902_0547.html
tcp:111 sunrpc/portmapper
    021802_1044.html
    021402_0422.html
tcp:123 ntp, Net Controller trojan
    031202_tcp_123.html
udp:137 netBIOS
    udp_137_sampler.html
    030102_udp_137.html
    022002_0545.html
udp:161 snmp
    031202_udp_161.html
tcp:1080 socks, SubSeven, WinHole
    030202_tcp_1080.html
tcp:1214 assorted KaZaa's
    022402_tcp_1214.html
udp:5632 PCAnywhereStat
    022402_udp_22_5632.html
tcp:6346 Gnutella
    030202_tcp_6346.html
tcp:12345 Netbus
    022302_tcp_12345.html
    021702_2317.html
tcp:17300 Kuang2
    080502_ACK_hole_tcp_17300.html
tcp:27374 SubSeven-Ramen etc
    tcp_27374_sampler.html
    030102_tcp_27374.html
    021902_1941.html
    021802_2217.html

Intriguing search strings from my server logs:

April 2002

March 2002

February 2002


An index into specific probes by interesting characteristics:

protocol = 50?
    Some SIPP-ESP packets
tcp:53 bursts
    a distancing metrics/load balancing signature
A moderately in-depth look at udp:137 probes, and the mysterious CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    And a sampler of udp:137 packets
Dialup cruft: what happens when you inherit somebody's dynamic IP address
Twice now: two separate udp probes, same source IP, same source port, with the same payload, to 5632:PCAnywherestat and 22:PCAnywhere (deprecated)
    031002_udp_22_5632.html
    022402_udp_22_5632.html
Source IP LINKLOCAL 169.254.x.x
    022002_0545.html
A Nimda-infected NT 4.0/IIS box
    021902_scary_nimda.html

Last modified: Sun Nov 12 08:56:04 2006