OSEC

Subject: stealth scans on old legacy firewalls.
From: Larry W. Cashdollar (lwcashdBIW.COM)
Date: Fri Feb 04 2000 - 07:16:55 CST


Every day I check the logs on our current firewall (soon to be replaced). I have noticed and reported to management/staff that the number of scans
we are logging has decreased over the last 3 months. My theory was that our
firewall was still being scanned but with stealth utilities like nmap. I also
noted that our firewall in its current configuration could not log these types
of scans, as they didn't complete the TCP 3-way handshake. Well, now our new
firewall is up and running and being tested online. This morning this showed up
in its logs:

Feb 04 04:58:58.138 bertha kernel[0]: 226 IP packet dropped
(gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]:
Protocol=TCP[SYN] Port 1861->8080): Restricted Port: Protocol=TCP[SYN] Port
1861->8080 (received on interface xxx.xxx.xxx.xxx)

^^^^^^ Open proxy server scan.

Feb 04 04:58:58.892 bertha kernel[0]: 226 IP packet dropped
(gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]:
Protocol=TCP[SYN] Port 2225->3128): Restricted Port: Protocol=TCP[SYN] Port
2225->3128 (received on interface xxx.xxx.xxx.xxx)

^^^^^^ Don't know what they are looking for on port 3128.

Feb 04 04:58:59.598 bertha kernel[0]: 226 IP packet dropped
(gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]:
Protocol=TCP[SYN] Port 2609->1080): Restricted Port: Protocol=TCP[SYN] Port
2609->1080 (received on interface xxx.xxx.xxx.xxx)

^^^^^^ Socks Scan.

All the while, the logs on the old firewall remained quiet. All I can say is attackers
are like children: if they are too quiet, something is wrong.

-- Larry
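As an added example (not from Larry's post or from the firewall vendor), a small Python parser for "IP packet dropped" records in the format shown above that groups SYN drops by source address and flags a source that probes more than one common proxy port (8080, 3128 and 1080; 3128 is the default Squid port) within a short window. The sample records are constructed from the values in the post, reflowed one record per line; the port list, the 60-second window and the minimum of two distinct ports are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's three records plus one unrelated SYN drop,
# each reflowed onto a single line (the real log wraps them).
SAMPLE_LOG = """\
Feb 04 04:58:58.138 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 1861->8080): Restricted Port: Protocol=TCP[SYN] Port 1861->8080 (received on interface xxx.xxx.xxx.xxx)
Feb 04 04:58:58.892 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 2225->3128): Restricted Port: Protocol=TCP[SYN] Port 2225->3128 (received on interface xxx.xxx.xxx.xxx)
Feb 04 04:58:59.598 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 2609->1080): Restricted Port: Protocol=TCP[SYN] Port 2609->1080 (received on interface xxx.xxx.xxx.xxx)
Feb 04 05:10:00.000 bertha kernel[0]: 226 IP packet dropped (host.example[192.0.2.10]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 40000->22): Restricted Port: Protocol=TCP[SYN] Port 40000->22 (received on interface xxx.xxx.xxx.xxx)
"""

# Ports commonly probed when looking for an open proxy (assumed list).
PROXY_PORTS = {8080: "HTTP proxy (alternate port)",
               3128: "Squid HTTP proxy (default port)",
               1080: "SOCKS proxy"}

# Matches the fixed prefix of a dropped-packet record up to the first "Port a->b)".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \S+ kernel\[\d+\]: "
    r"\d+ IP packet dropped \((?P<src_host>[^\[]*)\[(?P<src_ip>[^\]]+)\]->[^\[]*\[[^\]]*\]: "
    r"Protocol=(?P<proto>\w+)\[(?P<flags>[^\]]*)\] Port (?P<sport>\d+)->(?P<dport>\d+)\)")

def parse_drops(log_text):
    """Return (timestamp, src_ip, proto, flags, dst_port) for each dropped-packet record."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dropped-packet record; ignore
        # No year in the log; strptime defaults to 1900, which is fine for deltas.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
        events.append((ts, m["src_ip"], m["proto"], m["flags"], int(m["dport"])))
    return events

def find_proxy_sweeps(events, window_seconds=60, min_ports=2):
    """Flag sources whose SYN drops hit >= min_ports distinct proxy ports within the window."""
    by_src = defaultdict(list)
    for ts, src, proto, flags, dport in events:
        if proto == "TCP" and flags == "SYN" and dport in PROXY_PORTS:
            by_src[src].append((ts, dport))
    sweeps = []
    for src, hits in by_src.items():
        hits.sort()
        ports = sorted({p for _, p in hits})
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(ports) >= min_ports and span <= window_seconds:
            sweeps.append({"src": src, "ports": ports, "span_seconds": span,
                           "services": [PROXY_PORTS[p] for p in ports]})
    return sweeps

if __name__ == "__main__":
    for s in find_proxy_sweeps(parse_drops(SAMPLE_LOG)):
        print(f"proxy sweep from {s['src']}: ports {s['ports']} in {s['span_seconds']:.3f}s")
```

The span check uses the whole first-to-last interval per source, which is enough for a burst like the one in the post; a long-running slow scan would need a sliding window instead.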