Is this an attack? - Security



Thread: Is this an attack?

  1. Is this an attack?


    I've a mail server behind a NAT router (fixed IP) in a network with many
    computers. Recently sent mail returns to me because my IP is in a
    blacklist. I'm searching for something strange. I've passed chkrootkit
    and rkhunter and I am passing Ethereal looking at SMTP traffic; by now the
    only strange thing I see is the one I put down. The first packet is a
    connection from port 25 of my server to port 80 of a remote host (it seems
    hotmail), the others are connections from port 80 on the remote host to
    port 25 of my server... it seems the same packet sent 6 times.
    I've no idea what it may be. Any help?

    TIA


    No. Time Source Destination Protocol
    Info
    1 0.000000 66.90.71.151 192.168.2.2 TCP
    http > smtp [SYN] Seq=0 Ack=0 Win=512 Len=0

    Frame 1 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: XnetTech_0a:f1:71 (00:05:1c:0a:f1:71), Dst:
    AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7)
    Internet Protocol, Src: 66.90.71.151 (66.90.71.151), Dst: 192.168.2.2
    (192.168.2.2)
    Transmission Control Protocol, Src Port: http (80), Dst Port: smtp (25),
    Seq: 0, Ack: 0, Len: 0

    No. Time Source Destination Protocol
    Info
    2 0.000134 192.168.2.2 66.90.71.151 TCP
    smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

    Frame 2 (60 bytes on wire, 60 bytes captured)
    Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst:
    XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
    Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151
    (66.90.71.151)
    Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80),
    Seq: 0, Ack: 1, Len: 0

    No. Time Source Destination Protocol
    Info
    3 3.199040 192.168.2.2 66.90.71.151 TCP
    smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

    Frame 3 (60 bytes on wire, 60 bytes captured)
    Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst:
    XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
    Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151
    (66.90.71.151)
    Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80),
    Seq: 0, Ack: 1, Len: 0

    No. Time Source Destination Protocol
    Info
    4 9.198076 192.168.2.2 66.90.71.151 TCP
    smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

    Frame 4 (60 bytes on wire, 60 bytes captured)
    Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst:
    XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
    Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151
    (66.90.71.151)
    Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80),
    Seq: 0, Ack: 1, Len: 0

    No. Time Source Destination Protocol
    Info
    5 21.196145 192.168.2.2 66.90.71.151 TCP
    smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

    Frame 5 (60 bytes on wire, 60 bytes captured)
    Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst:
    XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
    Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151
    (66.90.71.151)
    Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80),
    Seq: 0, Ack: 1, Len: 0

    No. Time Source Destination Protocol
    Info
    6 45.392243 192.168.2.2 66.90.71.151 TCP
    smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

    Frame 6 (60 bytes on wire, 60 bytes captured)
    Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst:
    XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
    Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151
    (66.90.71.151)
    Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80),
    Seq: 0, Ack: 1, Len: 0

    No. Time Source Destination Protocol
    Info
    7 93.584482 192.168.2.2 66.90.71.151 TCP
    smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

    Frame 7 (60 bytes on wire, 60 bytes captured)
    Ethernet II, Src: AsustekC_a2:00:f7 (00:0c:6e:a2:00:f7), Dst:
    XnetTech_0a:f1:71 (00:05:1c:0a:f1:71)
    Internet Protocol, Src: 192.168.2.2 (192.168.2.2), Dst: 66.90.71.151
    (66.90.71.151)
    Transmission Control Protocol, Src Port: smtp (25), Dst Port: http (80),
    Seq: 0, Ack: 1, Len: 0

  2. Re: Is this an attack?

    On Mon, 20 Mar 2006 19:07:48 +0100, Fernando Peral wrote:


    > I've a mail server behind a NAT router (fixed IP) in a network with many
    > computers. Recently sent mail returns to me because my IP is in a
    > blacklist. I'm searching for something strange. I've passed chkrootkit


    If you are already on a blacklist or blocklist, you may have a hard time
    getting yourself removed from it.

    > and rkhunter and I am passing Ethereal looking at SMTP traffic; by now the
    > only strange thing I see is the one I put down. The first packet is a
    > connection from port 25 of my server to port 80 of a remote host (it seems


    It doesn't look that way, but you may have better info on the addresses to
    make you believe that.

    You posted your message from host 134.red-80-32-55.staticip.rima-tde.net
    134.red-80-32-55.staticip.rima-tde.net has address 80.32.55.134.

    The first packet you show has a source address of 66.90.71.151, registered
    with sketchy information in Singapore, and is a "SYN" packet seeking to open a
    connection with 192.168.2.2. Full Stop on several accounts.

    1. 192.168.2.2 is part of a reserved range of IP addresses and should
    not be externally routable. In other words, a packet like this sent from
    Singapore or anywhere else outside of your local network should not be
    able to get to your network, let alone to whatever is local at
    192.168.2.2. And if it did somehow get to your external interface, your
    firewall(s) should block it. It is possible that this "SYN" traffic was
    either generated on a machine (computer, router, switch, printer, etc.) on
    your local network, or else passed through them from outside.

    2. Unless you are planning to run a public mail server, your mail
    software should itself be configured to accept connections _only_ from
    your internal network. In any event, connections should be accepted only
    from addresses that you enable, and/or with other means of authentication
    in place. All mail going through your server should be logged and
    traceable.

    You should check your firewall(s) to see that they are indeed rejecting
    outside traffic to your mail server port 25 (or whatever you want to use
    for it). You should check the routing tables at least from your mail
    server to the external interface to see if connections to 66.90.71.151 are
    being sent to an internal location.


    > hotmail), the others are connections from port 80 on the remote host to
    > port 25 of my server... it seems the same packet sent 6 times. I've no
    > idea what it may be. Any help?
    >
    > TIA


    The last 6 packets are your machine at 192.168.2.2 answering [ACK] the
    initial SYN packet, and trying to establish a handshake with that packet's
    source.

    Good luck.
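As an added worked example (not code from either poster), the script below applies the reply's two checks to the capture summary lines from the thread: it flags the SYN that arrived from a public address at a private RFC 1918 host on port 25, and it recognises the six SYN-ACKs as one unanswered handshake being retransmitted with a doubling back-off rather than six separate events. The summary lines are copied from the capture above and embedded as sample input; the function names are my own.

```python
import ipaddress
import re

# Sample input: the one-line summaries of frames 1-7 from the Ethereal
# capture posted in the thread (constructed here as a single string).
CAPTURE = """\
1 0.000000 66.90.71.151 192.168.2.2 TCP http > smtp [SYN] Seq=0 Ack=0 Win=512 Len=0
2 0.000134 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3 3.199040 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 9.198076 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
5 21.196145 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
6 45.392243 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
7 93.584482 192.168.2.2 66.90.71.151 TCP smtp > http [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
"""

# frame no, time, src, dst, "TCP", src port name, dst port name, [flags]
LINE = re.compile(r"^(\d+) ([\d.]+) (\S+) (\S+) TCP (\S+) > (\S+) \[([^\]]+)\]")

def parse(text):
    """Turn Ethereal/Wireshark summary lines into packet dicts."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkts.append({"no": int(m[1]), "t": float(m[2]), "src": m[3], "dst": m[4],
                         "sport": m[5], "dport": m[6], "flags": m[7].replace(" ", "")})
    return pkts

def analyse(pkts):
    """Return human-readable findings mirroring the reply's two points."""
    findings = []
    for p in pkts:
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        # Point 1: an unsolicited SYN from a public address should never reach
        # an RFC 1918 host on port 25 unless something forwarded it inside.
        if p["flags"] == "SYN" and p["dport"] == "smtp" and dst.is_private and not src.is_private:
            findings.append(f"frame {p['no']}: SYN from public {src} reached private {dst}:25; "
                            "check NAT/firewall rules for port 25 and the internal route to that source")
    # Point 2: repeated SYN-ACKs with no final ACK are the server's TCP stack
    # retransmitting one reply, so they are one half-open handshake, not six.
    synacks = [p for p in pkts if p["flags"] == "SYN,ACK"]
    acks = [p for p in pkts if p["flags"] == "ACK"]
    if synacks and not acks:
        gaps = [round(b["t"] - a["t"], 1) for a, b in zip(synacks, synacks[1:])]
        findings.append(f"{len(synacks)} SYN-ACKs from {synacks[0]['src']} never answered; "
                        f"retransmit gaps {gaps}s (exponential back-off), one unanswered handshake")
    return findings

if __name__ == "__main__":
    for f in analyse(parse(CAPTURE)):
        print(f)
```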
