A portscan trojan that persists after reloading with linux instead of Vista?

BAlfson · #1 (**permalink**) 05-15-2009, 03:35 PM

Something inside the network is doing portscans outside the network:

Code:

2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="85.86.106.91" proto="17" length="61" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="57455" 
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="69.243.15.69" proto="17" length="62" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="16774" 
2009:05:14-13:37:47 post ulogd[2990]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth0" outitf="eth0" dstmac="zz:zz:zz:zz:zz:zz" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.111" dstip="72.188.102.64" proto="17" length="63" tos="0x00" prec="0x00" ttl="63" srcport="26493" dstport="59201"

This is an interesting situation...

The laptop at 10.x.x.111 seems to have had this problem since 4/24 when it was loaded with Vista. The programmer erased and reloaded Vista twice, then, frustrated, erased the disk again and loaded it with linux.

When the IP on the laptop changes, the srcip changes to the new IP, but the srcmac always matches to the External Astaro interface and dstmac always matches to the Internal interface.

Anyone have any suggestions?

Cheers - Bob

BAlfson · #2 (**permalink**) 05-15-2009, 04:00 PM

The other interesting phenomenon concerns another laptop (yes, two devices that are heavily used "outside" of the protection of the Astaro). About once a week, when this second laptop is connected via L2TP over IPsec, it portscans 255.255.255.255 then the IP of the Windows 2003 Small Business Server and finally, the IP of the multi-function device used to scan to email.

Code:

/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:44 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcip="10.x.x.51" dstip="255.255.255.255" proto="17" length="269" tos="0x00" prec="0x00" ttl="128" srcport="138" dstport="138" 
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:45 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.51" dstip="10.x.x.7" proto="17" length="269" tos="0x00" prec="0x00" ttl="127" srcport="138" dstport="138" 
/var/log/ips/2009/05/ips-2009-05-09.log.gz:2009:05:09-07:27:46 post ulogd[3016]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="ppp0" outitf="ppp0" dstmac="00:00:00:00:00:00" srcmac="yy:yy:yy:yy:yy:yy" srcip="10.x.x.51" dstip="10.x.x.45" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51814" dstport="161"

No other desktop or laptop IP appears in the IPS logs.

Cheers - Bob

Kingbuzzo · #3 (**permalink**) 05-15-2009, 04:52 PM

I had a similar issue but it turned out to be McAfee SCP.

Figures he would blame Vista.

Maybe he has a stealthy rootkit or the notebook comes with its own tracking security software.

BAlfson · #4 (**permalink**) 05-15-2009, 05:01 PM

As the events in the first post were occuring, the following appears in the Packet Filter log. 10.x.x.34 is the IP of the Astaro's Internal interface. x, y and z are used consistently in all three posts.

Code:

13:37:47 Packetfilter rule #15 TCP 10.x.x.111 : 60646 → 134.34.103.77 : 26285 [SYN] len=60 ttl=63 tos=0x00  srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 194.165.188.76 : 12350 len=82 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 67.82.232.66 : 20772 len=50 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 190.10.171.74 : 2168 len=50 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 76.109.56.53 : 45417 len=96 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 201.29.233.209 : 19636 len=72 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 97.89.187.177 : 56315 len=72 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 129.123.92.44 : 31050 len=63 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 88.85.132.142 : 37669 len=63 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:47 Packetfilter rule #15 UDP 10.x.x.111 : 26493 → 82.251.213.46 : 55648 len=60 ttl=63 tos=0x00 srcmac=yy:yy:yy:yy:yy:yy dstmac=zz:zz:zz:zz:zz:zz
13:37:48 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz
13:37:50 Default DROP UDP 10.x.x.111 : 37908 → 10.x.x.34 : 5351 len=40 ttl=64 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=zz:zz:zz:zz:zz:zz

Any suggestions (I mean other than scrubbing every box that's done a portscan

)?

Cheers - Bob