Optics Posted July 12, 2009

Hey guys, I've been having attempts every single night from Chinese IPs. Would only be one or two tries. But earlier, I got a bunch from Russian IP addresses. Any idea why I got such an influx of attacks? Anyone else seeing similar attacks? My pfSense box is set not to respond to ping, and all ports appear closed from the WAN side. All attackers get blocked by snort automatically.

Thanks,
Optics

Here's the log:

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.039841 92.241.185.14:27016 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:30215 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.039761 92.241.185.14:27016 -> xxx.xxx.xxx.xxx:58769
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.132641 92.241.167.16:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:18702 IpLen:20 DgmLen:126 DF
Len: 98
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.132529 92.241.167.16:27015 -> xxx.xxx.xxx.xxx:51648
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:126 DF
Len: 98
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.114122 92.48.203.27:27015 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:47138 IpLen:20 DgmLen:142
Len: 114
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.113929 92.48.203.27:27015 -> xxx.xxx.xxx.xxx:53229
UDP TTL:114 TOS:0x0 ID:26315 IpLen:20 DgmLen:142
Len: 114
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.132478 92.48.195.206:27016 -> 192.168.1.199:13495
UDP TTL:114 TOS:0x0 ID:33608 IpLen:20 DgmLen:134
Len: 106
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.132339 92.48.195.206:27016 -> xxx.xxx.xxx.xxx:52772
UDP TTL:115 TOS:0x0 ID:3012 IpLen:20 DgmLen:134
Len: 106
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.162915 92.48.195.68:28099 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:37722 IpLen:20 DgmLen:141 DF
Len: 113
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.162725 92.48.195.68:28099 -> xxx.xxx.xxx.xxx:63936
UDP TTL:114 TOS:0x0 ID:27174 IpLen:20 DgmLen:141 DF
Len: 113
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.375513 92.62.98.46:27015 -> xxx.xxx.xxx.xxx:61817
UDP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:133 DF
Len: 105
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.316675 92.48.195.205:27015 -> 192.168.1.199:13495
UDP TTL:114 TOS:0x0 ID:789 IpLen:20 DgmLen:133
Len: 105
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.408724 92.48.195.205:27017 -> xxx.xxx.xxx.xxx:60129
UDP TTL:115 TOS:0x0 ID:3964 IpLen:20 DgmLen:131
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.473916 92.48.194.210:27025 -> xxx.xxx.xxx.xxx:53214
UDP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:153 DF
Len: 125
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.541733 92.48.203.28:27015 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:49682 IpLen:20 DgmLen:159
Len: 131
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.541637 92.48.203.28:27015 -> xxx.xxx.xxx.xxx:53016
UDP TTL:114 TOS:0x0 ID:26805 IpLen:20 DgmLen:159
Len: 131
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3]
07/11-18:52:20.220442 193.192.59.192 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:171 DF

[**] [1:2406045:140] ET RBN Known Russian Business Network IP UDP (23) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:26.737303 195.161.4.58:27015 -> 192.168.1.199:13495
UDP TTL:50 TOS:0x0 ID:63368 IpLen:20 DgmLen:118 DF
Len: 90
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406045:140] ET RBN Known Russian Business Network IP UDP (23) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:26.892837 195.161.4.58:2009 -> xxx.xxx.xxx.xxx:50763
UDP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:122 DF
Len: 94
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2500075:1581] ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (38) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:30.021197 202.125.47.222:29005 -> xxx.xxx.xxx.xxx:50539
UDP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:146 DF
Len: 118
[Xref => http://doc.emergingthreats.net/bin/view/Ma...ompromisedHosts]

[**] [1:2406195:140] ET RBN Known Russian Business Network IP UDP (98) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:54.342147 212.77.128.138:27075 -> xxx.xxx.xxx.xxx:62540
UDP TTL:111 TOS:0x24 ID:27084 IpLen:20 DgmLen:116
Len: 88
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406195:140] ET RBN Known Russian Business Network IP UDP (98) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:54.342220 212.77.128.138:27075 -> 192.168.1.199:13495
UDP TTL:110 TOS:0x24 ID:4575 IpLen:20 DgmLen:116
Len: 88
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.755909 92.62.98.47:27015 -> 192.168.1.199:13495
UDP TTL:46 TOS:0x0 ID:26363 IpLen:20 DgmLen:130 DF
Len: 102
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.755702 92.62.98.47:27015 -> xxx.xxx.xxx.xxx:50165
UDP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:130 DF
Len: 102
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.876024 92.62.98.45:27015 -> 192.168.1.199:13495
UDP TTL:45 TOS:0x0 ID:34725 IpLen:20 DgmLen:131 DF
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.875969 92.62.98.45:27015 -> xxx.xxx.xxx.xxx:52839
UDP TTL:46 TOS:0x0 ID:0 IpLen:20 DgmLen:131 DF
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:29.090152 92.48.203.104:27045 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:29159 IpLen:20 DgmLen:149
Len: 121
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:29.090023 92.48.203.104:27045 -> xxx.xxx.xxx.xxx:56649
UDP TTL:114 TOS:0x0 ID:15024 IpLen:20 DgmLen:149
Len: 121
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3]
07/11-18:54:11.567580 95.31.2.6 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:18756 IpLen:20 DgmLen:174

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3]
07/11-18:55:09.865401 84.38.74.241 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:172 DF

[**] [1:2406255:140] ET RBN Known Russian Business Network IP UDP (128) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:14.606707 217.170.66.68:27015 -> 192.168.1.199:13495
UDP TTL:114 TOS:0x0 ID:14633 IpLen:20 DgmLen:131
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406255:140] ET RBN Known Russian Business Network IP UDP (128) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:14.606606 217.170.66.68:27015 -> xxx.xxx.xxx.xxx:53052
UDP TTL:115 TOS:0x0 ID:9518 IpLen:20 DgmLen:131
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406563:140] ET RBN Known Russian Business Network IP UDP (282) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:30.581274 80.70.228.80:27016 -> xxx.xxx.xxx.xxx:62116
UDP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:123 DF
Len: 95
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406563:140] ET RBN Known Russian Business Network IP UDP (282) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:30.581354 80.70.228.80:27016 -> 192.168.1.199:13495
UDP TTL:47 TOS:0x0 ID:6071 IpLen:20 DgmLen:123 DF
Len: 95
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:40.902023 78.129.142.161:27015 -> xxx.xxx.xxx.xxx:60298
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:162 DF
Len: 134
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:40.902130 78.129.142.161:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:34922 IpLen:20 DgmLen:162 DF
Len: 134
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:41.096640 78.129.142.183:27015 -> xxx.xxx.xxx.xxx:51910
UDP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:151 DF
Len: 123
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:41.096699 78.129.142.183:27015 -> 192.168.1.199:13495
UDP TTL:47 TOS:0x0 ID:26735 IpLen:20 DgmLen:151 DF
Len: 123
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406519:140] ET RBN Known Russian Business Network IP UDP (260) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:53.554627 77.91.226.50:27015 -> xxx.xxx.xxx.xxx:51522
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:128 DF
Len: 100
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406519:140] ET RBN Known Russian Business Network IP UDP (260) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:53.554825 77.91.226.50:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:10921 IpLen:20 DgmLen:128 DF
Len: 100
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]
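Read as a whole rather than line by line, the pasted log has a structure worth noticing: each inbound packet appears twice, once addressed to the masked WAN address and once, with the TTL one lower, to 192.168.1.199:13495 after NAT, so the number of alert lines is roughly double the number of packets, and nearly every packet that remains has a source port of 27015 to 27017 (27015 is the default query port of Valve/Source game servers, so what the host at 192.168.1.199 was doing on UDP 13495 at 18:52 is the first thing to check). The script below is an added example for this thread, not code from the post and not Snort or pfSense code: it parses Snort full-format alert blocks, folds each NAT twin pair into one record and counts what remains by source port and signature. Its SAMPLE input is copied from the log above; the pairing rule (same signature, source IP:port and DgmLen within one second, exactly one internal destination) is this example's own heuristic.

```python
"""Collapse Snort 'full' alert blocks into packets.  Added example for this thread,
not Snort or pfSense code.  Every inbound packet in the pasted log appears twice:
once addressed to the (masked) WAN address and once, after NAT, to
192.168.1.199:13495.  SAMPLE below is copied from the first post."""
import ipaddress
import re
from collections import Counter

SAMPLE = """\
[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.039841 92.241.185.14:27016 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:30215 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.039761 92.241.185.14:27016 -> xxx.xxx.xxx.xxx:58769
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3]
07/11-18:52:20.220442 193.192.59.192 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:171 DF

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:40.902023 78.129.142.161:27015 -> xxx.xxx.xxx.xxx:60298
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:162 DF
Len: 134
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:40.902130 78.129.142.161:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:34922 IpLen:20 DgmLen:162 DF
Len: 134
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]
"""

# "[**] [gid:sid:rev] message [**]"
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"  (the xxx mask counts as an address)
PACKET = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d\.\d+) ([\d.x]+)(?::(\d+))? -> ([\d.x]+)(?::(\d+))?$")
# "UDP TTL:48 ... DgmLen:120 DF"  or  "PROTO:255 TTL:0 ... DgmLen:171 DF" for portscan events
IPHDR = re.compile(r"^(\S+) TTL:(\d+) .*?DgmLen:(\d+)")


def is_internal(addr):
    """RFC 1918 address means the post-NAT view; anything else is the WAN view."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:          # the masked xxx.xxx.xxx.xxx WAN address
        return False


def parse_alerts(text):
    """One dict per blank-line separated alert block; incomplete blocks are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        found = {}
        for line in block.splitlines():
            for name, rx in (("hdr", HEADER), ("pkt", PACKET), ("ip", IPHDR)):
                m = rx.match(line.strip())
                if m and name not in found:
                    found[name] = m
        if len(found) < 3:
            continue
        h, p, ip = found["hdr"], found["pkt"], found["ip"]
        alerts.append({
            "sig": f"{h.group(1)}:{h.group(2)}", "msg": h.group(3),
            # seconds since midnight; the paste is a single day, so the date is dropped
            "time": int(p.group(1)) * 3600 + int(p.group(2)) * 60 + float(p.group(3)),
            "src": p.group(4), "sport": int(p.group(5)) if p.group(5) else None,
            "dst": p.group(6), "dport": int(p.group(7)) if p.group(7) else None,
            "proto": ip.group(1), "ttl": int(ip.group(2)), "dgmlen": int(ip.group(3)),
        })
    return alerts


def collapse_nat_pairs(alerts, window=1.0):
    """Merge the WAN-side and LAN-side alert for the same packet into one record.
    Twins share signature, source IP:port and DgmLen, arrive within `window`
    seconds, and exactly one of them is addressed to an internal host (heuristic)."""
    packets, pending = [], {}
    for a in sorted(alerts, key=lambda x: x["time"]):
        key = (a["sig"], a["src"], a["sport"], a["dgmlen"])
        twin = pending.pop(key, None)
        if (twin and abs(twin["time"] - a["time"]) <= window
                and is_internal(twin["dst"]) != is_internal(a["dst"])):
            lan = a if is_internal(a["dst"]) else twin
            twin["lan_dst"], twin["views"] = (lan["dst"], lan["dport"]), 2
            continue
        rec = dict(a, views=1, lan_dst=(a["dst"], a["dport"]) if is_internal(a["dst"]) else None)
        packets.append(rec)
        pending[key] = rec          # wait for its twin; unmatched records stay single
    return packets


def summarize(packets):
    """Distinct packets per source port and per signature message."""
    return Counter(p["sport"] for p in packets), Counter(p["msg"] for p in packets)
```

Running `summarize(collapse_nat_pairs(parse_alerts(SAMPLE)))` on the five sample blocks gives three packets (two merged pairs plus the portscan event), one each from source ports 27016, 27015 and none; pasting the whole log from the post into SAMPLE shows how much of it is the same handful of source ports talking to the same internal host.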
i.have.rewt Posted July 12, 2009

Wow that's interesting man. No I haven't had any activity. Some attempts on my FTP server, but they get banned after 3 fails anyway -- they're not even trying the right usernames and my passwords are 10+ long alphanum + spec chars. I see from the log they are running scans and different attacks, but what services are you running? I'm trusting you have everything patched up to date and good strong passwords.. :) Now that I remember.. I was getting a series of attacks from China, but that was a while ago.
digip Posted July 12, 2009

Russia and China are the two biggest problem countries when it comes to spam and website attacks. It's all automated, point and click, then walk away, check later for positive results, then take over whatever they find. You can try blocking the countries' subnets, but then you block legit people as well, but I really don't care if anyone from Russia and China ever reach my site. There was a website that had all the well known subnets for each country, but I can't remember the link. Something like countryblocks or cidrcountryblocks, something like that.

edit: Found it http://www.remotetm.net/country-blocks/htaccess-deny-format/
Optics Posted July 12, 2009 (Author)

@i.have.rewt The only services I have running are Squid(3128), SSH(1337), HTTPS(443), Domain(53), and FTP(21).

@digip Thanks for the information. The box shouldn't respond to ping and it won't give them any results for a port scan. So how do they even know anything exists at my IP?

Thanks guys,
Optics
digip Posted July 12, 2009

> @i.have.rewt The only services I have running are Squid(3128), SSH(1337), HTTPS(443), Domain(53), and FTP(21).
> @digip Thanks for the information. The box shouldn't respond to ping and it won't give them any results for a port scan. So how do they even know anything exists at my IP?
> Thanks guys,
> Optics

Ping isn't the end all be all finder. Opening a telnet to any number of ports tells you more than a ping for keep alive. Hell, even pings can't hide ARP. Next time you are on a local LAN, test this to see what I mean. Set up a machine to block pings. Then from another machine on the same subnet, ping the machine and watch the timeouts. Now run arp, and guess what, you will see an entry for the IP address as well as the MAC address of the machine who won't reply to the ping. If the IP and MAC show up in the arp table, then you know the machine is online. If it doesn't show in arp, then the machine is offline or unreachable. This only works on the same subnet but is one thing to keep in mind that ping is only one tool to check an end device if it's alive. There are other ways to check for things beyond port scans, like scripted telnet sessions to popular ports, etc...