More firewall weirdness -- apparent spoof attempt

Wolfgang S. Rupprecht wolfgang+gnus-baylisa at dailyplanet.dontspam.wsrcc.com
Wed Jan 28 08:27:04 PST 2004


david at catwhisker.org (David Wolfskill) writes:
> Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1026 in via dc0
>
> Now, the IP address of the packet filter's Internet-facing NIC is
> 62.193.123.122, and the NIC's designation is dc0.  Rule 60000 is
> my catch-all "log & drop" rule.  So the good news is that these
> things were dropped (& logged) anyway.

Looks like some hack using a UDP packet with a forged source address
of your interface.  I see similar nonsense in my logs, minus the
forged source address.  

Jan 28 05:17:36 capsicum ipmon[287]: 05:17:35.980390 tlp0 @100:2 b
    dialup-64.156.39.12.Dial1.Denver1.Level3.net[64.156.39.12],666 ->
    sonic.wsrcc.com[208.201.233.172],1026 PR udp len 20 574 IN

Someone is probing local ports 135/udp and immediately after that
1026/udp and 1027/udp.  The probes always come from 666/udp.  

I wonder if they were trying to hit the nfs/rpc daemons and just
missed because they move around a bit.  Or is this another MS port
that leads to a buggy daemon and we should get our candles and
flashlights ready because there is going to be another major power
failure somewhere?

-wolfgang
-- 
Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/
       The above "From:" address is valid.  Don't mess with it.
Gripe to your senators about spam:  http://www.wsrcc.com/spam/senators.html
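As an added example, not part of the original thread or anyone's posted code: a short Python script that parses ipfw(8) log lines of the form quoted above, flags inbound packets on the external interface whose source address is one of the host's own addresses (the forged-source case Wolfgang points at; such a packet can only be spoofed or looped back), and groups UDP probes from source port 666 to 135/1026/1027 by sender. The first sample line is the one quoted in the thread; the remaining lines are constructed here to show the probe pattern, and the address 198.51.100.7 is a documentation-range placeholder. The interface address 62.193.123.122 and the port list come from the post itself.

```python
import re

# Constructed sample log. Line 1 is the ipfw line quoted in the thread; the
# others are invented here (198.51.100.7 is a TEST-NET placeholder) to show
# the 666/udp -> 135, 1026, 1027 probe pattern the post describes.
SAMPLE_IPFW_LOG = """\
Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1026 in via dc0
Jan 27 08:46:21 janus /kernel: ipfw: 60000 Deny UDP 64.156.39.12:666 62.193.123.122:135 in via dc0
Jan 27 08:46:21 janus /kernel: ipfw: 60000 Deny UDP 64.156.39.12:666 62.193.123.122:1026 in via dc0
Jan 27 08:46:21 janus /kernel: ipfw: 60000 Deny UDP 64.156.39.12:666 62.193.123.122:1027 in via dc0
Jan 27 08:50:02 janus /kernel: ipfw: 60000 Deny TCP 198.51.100.7:40123 62.193.123.122:22 in via dc0
"""

# Addresses of this host's Internet-facing interface(s); 62.193.123.122 is
# the dc0 address given in the thread.
LOCAL_ADDRS = {"62.193.123.122"}

# ipfw log format: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_ipfw(text):
    """Return one dict per ipfw log line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def spoofed_own_address(records, local_addrs=LOCAL_ADDRS):
    """Inbound packets whose source is one of our own addresses.

    Nothing legitimate arrives on the outside interface claiming to be us,
    so every match is either a forged source or a routing loop.
    """
    return [r for r in records if r["dir"] == "in" and r["src"] in local_addrs]


# The three UDP ports the post sees probed in sequence.
PROBED_PORTS = {135, 1026, 1027}


def probe_sources(records, sport=666, dports=PROBED_PORTS, min_ports=2):
    """Map each source host that hit at least min_ports distinct ports in
    dports, always from the fixed source port sport, to the sorted port list.
    The min_ports threshold keeps a single stray packet out of the report."""
    hits = {}
    for r in records:
        if r["proto"] == "UDP" and r["sport"] == sport and r["dport"] in dports:
            hits.setdefault(r["src"], set()).add(r["dport"])
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_ipfw(SAMPLE_IPFW_LOG)
    for r in spoofed_own_address(recs):
        print("spoofed source:", r["src"], "->", r["dst"], "port", r["dport"], "via", r["iface"])
    for src, ports in probe_sources(recs).items():
        print("probe from", src, "666/udp ->", ports)
```

Both checks are deliberately separate: the own-address test is a hard rule (it should really be an early anti-spoof deny rather than something caught by the catch-all at 60000), while the port-sequence grouping is a heuristic that needs a threshold so one stray packet does not trigger it.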