Thread: Severe security problem IPFW help!

  1. #1

    Severe security problem IPFW help!

    I have this in my logs:

    16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
    16:27:20.628011 IP smtp.as.ro.http > ns2.domain.com.51891: . 373860:375308(1448) ack 1 win 1716 <nop,nop,timestamp 379626649 1892617291>
    16:27:20.628039 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 375308 win 32580 <nop,nop,timestamp 1892617620 379626649>
    16:27:20.629260 IP smtp.as.ro.http > ns2.domain.com.51891: . 375308:376756(1448) ack 1 win 1716 <nop,nop,timestamp 379626650 1892617292>
    16:27:20.629288 IP ns2.domain.com.51891 > smtp.as.ro.http: . ack 376756 win 33304 <nop,nop,timestamp 1892617621 379626650>
    16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1 win 65535
    16:27:20.640708 IP ns1.domain.com.http > 82.115.16.118.16812: . ack 1368 win 32148 <nop,nop,timestamp 1892617633 7362279>
    16:27:20.644512 IP 78.140.130.213.http > ns2.domain.com.53910: . 2897:4345(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
    16:27:20.645755 IP 78.140.130.213.http > ns2.domain.com.53910: . 4345:5793(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
    16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856 <nop,nop,timestamp 1892617638 439326923>
    16:27:20.645835 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 33304 <nop,nop,timestamp 1892617638 439326923>
    16:27:20.647001 IP 78.140.130.213.http > ns2.domain.com.53910: . 5793:7241(1448) ack 175 win 17376 <nop,nop,timestamp 439326923 1892617546>
    16:27:20.648127 IP smtp.as.ro.http > ns2.domain.com.51891: . 376756:378204(1448) ack 1 win 1716 <nop,nop,timestamp 379626760 1892617403>
    16:27:20.649377 IP smtp.as.ro.http > ns2.domain.com.56971: . 165072:166520(1448) ack 1 win 1716 <nop,nop,timestamp 379626663 1892617304>
    As you can see... they are using my NS2 to do a LOT of traffic to hit other sites. I replaced my domain obviously, but this server is both ns1.domain.com and ns2.domain.com. The attack is from smtp.as.ro. It's bizarre because I can't figure out how they are passing my firewall.

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny tcp from any to any frag
    00505 deny ip from any to any dst-port 32566-65534
    01500 deny ip from table(1) to me
    01600 check-state
    01700 deny tcp from any to any established
    01800 allow ip from any to any out keep-state
    01900 allow icmp from any to any
    02000 allow tcp from any to any dst-port 21 setup keep-state
    02100 allow tcp from any to any dst-port 22 setup keep-state
    02200 allow tcp from any to any dst-port 25 setup keep-state
    02300 allow tcp from any to any dst-port 53 setup keep-state
    02400 allow udp from any to any dst-port 53 keep-state
    02500 allow tcp from any to any dst-port 80 setup keep-state
    02600 allow tcp from any to any dst-port 110 setup keep-state
    02700 allow tcp from any to any dst-port 143 setup keep-state
    02800 allow tcp from any to any dst-port 443 setup keep-state
    02900 allow tcp from any to any dst-port 2222 setup keep-state
    03000 allow tcp from any to any dst-port 32555-32565 in setup keep-state
    03100 deny log logamount 10 ip from any to any
    65535 deny ip from any to any

    There you can see that I had to add rule 505 to block the high ports early in the ruleset, but I know that's not the right way to block this. And without that rule they SHOULDN'T be hitting those ports anyway.

    Help is GREATLY appreciated.
    Last edited by labrocca; 06-01-2008 at 03:52 PM.
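    Added example, not from the thread: a toy Python first-match evaluator covering only the part of the ruleset above that matters for rule 505 (00505, 01600 check-state, 01700, 01800, 02500, 03100). Because 00505 is evaluated before 01600 check-state, the server's replies to a connection that ns2 itself opened from a port such as 51891 are dropped by 00505, whereas without it the dynamic rule created by 01800 keep-state accepts them at 01600. The 'established' match is approximated by the ACK bit; table(1), lo0 and fragment rules are left out.

```python
RULESET = [  # (number, action, proto, direction, dst-port range, flags): subset of the ruleset above
    (505, "deny", "ip", None, (32566, 65534), set()),
    (1600, "check-state", "ip", None, None, set()),
    (1700, "deny", "tcp", None, None, {"established"}),
    (1800, "allow", "ip", "out", None, {"keep-state"}),
    (2500, "allow", "tcp", None, (80, 80), {"setup", "keep-state"}),
    (3100, "deny", "ip", None, None, set()),
]

class Firewall:
    """Toy first-match ipfw evaluator; the dynamic-state key is (local port, remote port)."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def _matches(self, rule, pkt):
        _, _, proto, direction, ports, flags = rule
        if proto != "ip" and proto != pkt["proto"]:
            return False
        if direction and direction != pkt["dir"]:
            return False
        if ports and not ports[0] <= pkt["dport"] <= ports[1]:
            return False
        if "setup" in flags and not (pkt["syn"] and not pkt["ack"]):  # setup = SYN without ACK
            return False
        if "established" in flags and not pkt["ack"]:                 # approximation of ipfw's established
            return False
        return True

    def evaluate(self, pkt):
        """Return (rule number, verdict) for pkt = {proto, dir ('in'/'out'), sport, dport, syn, ack}."""
        local, remote = ((pkt["sport"], pkt["dport"]) if pkt["dir"] == "out"
                         else (pkt["dport"], pkt["sport"]))
        for rule in self.rules:
            num, action, flags = rule[0], rule[1], rule[5]
            if action == "check-state":          # dynamic rules are consulted here, not earlier
                if (local, remote) in self.states:
                    return num, "allow"
                continue
            if self._matches(rule, pkt):
                if action == "allow" and "keep-state" in flags:
                    self.states.add((local, remote))
                return num, action
        return 65535, "deny"

def reply_verdict(include_505):
    """ns2 opens port 51891 -> remote :80 (allowed by 01800), then the server's data packet comes back."""
    fw = Firewall([r for r in RULESET if include_505 or r[0] != 505])
    fw.evaluate({"proto": "tcp", "dir": "out", "sport": 51891, "dport": 80, "syn": True, "ack": False})
    return fw.evaluate({"proto": "tcp", "dir": "in", "sport": 80, "dport": 51891, "syn": False, "ack": True})
```

The ephemeral ports in the captured lines (51891, 53910, 56971) all fall inside the range rule 505 denies, so that rule breaks ns2's own outbound HTTP sessions rather than stopping an attacker.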

  2. #2
    As an update...this is netstat output.

    tcp4 0 0 66.36.xxx.xxx.80 85.15.52.226.38131 TIME_WAIT
    tcp4 0 0 66.36.xxx.xxx.80 60.11.247.180.3940 ESTABLISHED
    tcp4 0 0 66.36.xx.xx.57797 72.3.238.94.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 220.165.175.232.1935 TIME_WAIT
    tcp4 0 0 66.36.xxx.xxx.80 61.161.48.194.1586 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61941 ESTABLISHED
    tcp4 0 0 66.36.xxx.xxx.80 142.166.170.90.3153 LAST_ACK
    tcp4 0 0 66.36.xx.xx.49371 74.220.207.178.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 58.46.171.13.58239 TIME_WAIT
    tcp4 0 0 66.36.xxx.xxx.80 81.90.157.58.3617 TIME_WAIT
    tcp4 0 0 66.36.xxx.xxx.80 67.159.44.103.51949 LAST_ACK
    tcp4 0 0 66.36.xx.xx.64787 193.28.144.21.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 219.150.242.211.2052 LAST_ACK
    tcp4 0 2320 66.36.xxx.xxx.80 58.147.169.191.1493 FIN_WAIT_1
    tcp4 0 33580 66.36.xxx.xxx.80 125.96.131.241.3350 FIN_WAIT_1
    tcp4 0 0 66.36.xx.xx.58623 74.220.207.178.80 LAST_ACK
    tcp4 0 0 66.36.xx.xx.64239 72.29.92.118.80 LAST_ACK
    tcp4 0 32120 66.36.xxx.xxx.80 202.114.102.11.61846 FIN_WAIT_1
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61845 LAST_ACK
    tcp4 0 0 66.36.xx.xx.59222 193.28.144.21.80 LAST_ACK
    tcp4 0 0 66.36.xx.xx.49243 74.220.207.178.80 LAST_ACK
    tcp4 0 0 66.36.xx.xx.64801 74.220.207.178.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 123.154.55.111.2771 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61795 ESTABLISHED
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61793 ESTABLISHED
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61791 ESTABLISHED
    tcp4 0 33580 66.36.xxx.xxx.80 202.114.102.11.61790 FIN_WAIT_1
    tcp4 0 0 66.36.xx.xx.60094 87.248.201.23.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61784 ESTABLISHED
    tcp4 0 0 66.36.xx.xx.51380 74.220.207.178.80 LAST_ACK
    tcp4 0 0 66.36.xx.xx.52451 68.142.89.231.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 220.165.175.232.1259 LAST_ACK
    tcp4 0 0 66.36.xx.xx.58361 87.248.201.58.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.61783 ESTABLISHED
    tcp4 0 0 66.36.xx.xx.59863 87.248.201.58.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 78.191.41.217.49842 FIN_WAIT_2
    tcp4 0 0 66.36.xx.xx.64667 202.177.195.248.80 LAST_ACK
    tcp4 0 0 66.36.xx.xx.62350 202.177.195.248.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 78.191.41.217.49812 FIN_WAIT_2
    tcp4 0 0 66.36.237.6.80 77.70.106.73.4403 TIME_WAIT
    tcp4 0 0 66.36.xx.xx.58275 87.248.201.23.80 LAST_ACK
    tcp4 0 31680 66.36.xxx.xxx.80 222.181.8.96.11862 FIN_WAIT_1
    tcp4 0 0 66.36.xx.xx.53621 87.248.201.190.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 210.192.101.90.56245 ESTABLISHED
    tcp4 0 0 66.36.xx.xx.55439 87.248.201.23.80 LAST_ACK
    tcp4 0 0 66.36.xx.xx.56997 87.248.201.181.80 LAST_ACK
    tcp4 0 0 66.36.xxx.xxx.80 202.114.102.11.63590 ESTABLISHED
    tcp4 0 0 66.36.xxx.xxx.80 78.191.41.217.49779 FIN_WAIT_2
    I have replaced my ns1 IP with xxx.xxx and the NS2 IP with xx.xx.

    You should notice that only NS2 has the problems. Is there maybe something with BIND that causes this? I am VERY concerned about this traffic. Something just doesn't look right.

    This might be more readable.

    tcp4 0 0 ns1.http 202.114.102.11.63426 ESTABLISHED
    tcp4 0 0 ns1.http 81.199.198.189.r.40105 FIN_WAIT_2
    tcp4 0 0 ns1.http 202.114.102.11.63418 ESTABLISHED
    tcp4 0 0 ns1.http 202.114.102.11.63419 ESTABLISHED
    tcp4 0 0 ns1.http 202.114.102.11.63403 LAST_ACK
    tcp4 0 0 ns1.http 202.114.102.11.63402 LAST_ACK
    tcp4 0 0 ns2.52610 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 202.114.102.11.63390 LAST_ACK
    tcp4 0 846 ns1.http 81.199.198.189.r.40085 FIN_WAIT_1
    tcp4 0 0 ns2.52089 maxcash6.cavecre.http LAST_ACK
    tcp4 0 0 ns2.59516 216-73-107-28.oc.http LAST_ACK
    tcp4 0 0 ns2.61047 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 143.90.204.121.b.3171 LAST_ACK
    tcp4 0 0 ns1.http 202.114.102.11.63274 ESTABLISHED
    tcp4 0 0 ns2.62668 216-73-107-28.oc.http LAST_ACK
    tcp4 0 0 ns2.50681 srv.p2.netsons.c.http LAST_ACK
    tcp4 0 0 ns1.http 122.3.245.132.pl.36030 FIN_WAIT_2
    tcp4 0 0 ns2.64889 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 62-47-237-19.ads.49362 FIN_WAIT_2
    tcp4 0 0 ns2.61987 72-29-92-118.sta.http FIN_WAIT_2
    tcp4 0 0 ns1.http 122.3.245.132.pl.36008 FIN_WAIT_2
    tcp4 0 0 ns2.61387 216-73-107-27.oc.http LAST_ACK
    tcp4 0 0 ns2.62083 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 77.31.160.232.16532 FIN_WAIT_1
    tcp4 0 0 ns1.http 210.41.108.156.3387 LAST_ACK
    tcp4 0 0 ns1.http 122.3.245.132.pl.36001 FIN_WAIT_2
    tcp4 0 0 ns2.50734 88.85.70.129.http LAST_ACK
    tcp4 0 1302 ns1.http CPE-203-51-133-2.60907 FIN_WAIT_1
    tcp4 0 0 ns1.http 123.122.96.54.1169 LAST_ACK
    tcp4 0 0 ns1.http 123.122.96.54.1150 LAST_ACK
    tcp4 0 0 ns2.50561 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 123.122.96.54.1066 LAST_ACK
    tcp4 0 0 ns1.http 123.122.96.54.1040 LAST_ACK
    tcp4 0 0 ns2.63616 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 123.122.96.54.2005 LAST_ACK
    tcp4 0 0 ns1.http 125.96.131.241.4448 LAST_ACK
    tcp4 0 0 ns1.http 123.122.96.54.1913 LAST_ACK
    tcp4 0 0 ns1.http 122.3.245.132.pl.35985 FIN_WAIT_2
    tcp4 0 0 ns2.59709 38.97.225.161.http LAST_ACK
    tcp4 0 0 ns2.56017 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns1.http 202.114.102.11.62996 LAST_ACK
    tcp4 0 0 ns2.62929 88.85.70.129.http LAST_ACK
    tcp4 0 0 ns2.63431 fmt2-orion-1202..http LAST_ACK
    tcp4 0 0 ns1.http 122.3.245.132.pl.35973 FIN_WAIT_2
    tcp4 0 10090 ns1.http pool-71-108-186-.50817 FIN_WAIT_1
    Last edited by labrocca; 06-02-2008 at 01:43 AM.
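    Added example (not the poster's code): a small Python classifier, assuming ns1 and ns2 are the local hostnames, that reads tcpdump and netstat lines like those above and decides from which side holds the service port whether a remote client connected to ns1's web server or ns2 opened the connection itself. The sample lines are constructed from the output in this thread; the ns2 rows with a high local port and a remote .http end are connections ns2 originated, which is exactly what rule 01800 allows out with keep-state.

```python
from collections import Counter

LOCAL_HOSTS = ("ns1", "ns2")   # assumed: the thread's own two hostnames
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "domain": 53, "ssh": 22}
# Constructed sample lines modelled on the tcpdump and netstat output in this thread.
SAMPLE_LINES = [
    "16:27:20.626762 IP smtp.as.ro.http > ns2.domain.com.51891: . 372412:373860(1448) ack 1 win 1716",
    "16:27:20.630509 IP cpe-66-74-154-25.socal.res.rr.com.1156 > ns1.domain.com.http: P 1:1393(1392) ack 1",
    "16:27:20.645803 IP ns2.domain.com.53910 > 78.140.130.213.http: . ack 5793 win 31856",
    "tcp4 0 0 ns1.http 202.114.102.11.63426 ESTABLISHED",
    "tcp4 0 0 ns2.52610 88.85.70.129.http LAST_ACK",
    "tcp4 0 0 ns2.52089 maxcash6.cavecre.http LAST_ACK",
]

def parse_endpoint(ep):
    """'ns2.domain.com.51891' -> ('ns2.domain.com', 51891); 'smtp.as.ro.http' -> ('smtp.as.ro', 80)."""
    host, _, port = ep.rpartition(".")
    return host, SERVICE_PORTS.get(port, int(port) if port.isdigit() else None)

def is_local(host):
    return host.split(".")[0] in LOCAL_HOSTS

def classify(local_port, remote_port):
    """Service port on our side: a client connected to us. Ephemeral port on our side: we opened it."""
    if local_port is not None and local_port < 1024:
        return "inbound-to-service"
    if remote_port is not None and remote_port < 1024:
        return "outbound-from-host"
    return "unknown"

def classify_line(line):
    """Return (local host, remote host, kind) for a tcpdump or netstat line, or None."""
    t = line.split()
    if len(t) > 4 and t[1] == "IP" and t[3] == ">":      # tcpdump: "<time> IP src > dst: ..."
        a, b = parse_endpoint(t[2]), parse_endpoint(t[4].rstrip(":"))
    elif len(t) > 4 and t[0].startswith("tcp"):           # netstat: "tcp4 recvq sendq local foreign state"
        a, b = parse_endpoint(t[3]), parse_endpoint(t[4])
    else:
        return None
    if is_local(a[0]):
        local, remote = a, b
    elif is_local(b[0]):
        local, remote = b, a
    else:
        return None
    return local[0], remote[0], classify(local[1], remote[1])

def summarize(lines):
    """Count (host, kind) pairs, e.g. how many connections ns2 opened itself."""
    results = [classify_line(line) for line in lines]
    return Counter((r[0].split(".")[0], r[2]) for r in results if r)
```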

  3. #3
    Doesn't look like an ipfw log.

    ns2.domain.com is just the reverse DNS name telling you what IP is the source; I expect they are not actually doing it via BIND.

    What does sockstat show you?

  4. #4
    Do you have recursion no; in named.conf under options?

  5. #5
    Yeah I got some help at WHT stating these are rDNS lookups. Thanks for help with my paranoia.

  6. #6
    Seems it has something to do with the ACK?

    The only parameter that has something to do with the ACK is the 'setup' one. You should consider that.

    The problem is I don't really see what kind of attack they are using on your NS2.

    Could you do an ipfw show?
    My English is bad.
