Network Security Firewalls

Re: Possible attack or what ?

Subject: Re: Possible attack or what ?
Date: Fri, 10 Dec 2004 00:02:51 +0000

Hey,

There are several backdoors out there which are listening on port 1111
TCP/UDP. It could be simply a bot (a backdoored host) checking your IP
range for the same backdoor, or an attacker spoofing its
source IP address. The fact that the backdoor (assuming that's the
case) tries TCP first shows us that the backdoor itself will probably
not insist on establishing a full TCP handshake (by playing with the
kernel internals on the target OS) & just pick command-execution data
straight off the IP datagram from a predefined spot; then it retries
with UDP, which is both unreliable (from the security point of view)
and most of the time "left out" when people define their firewall
rules - most servers will simply not filter UDP traffic.

How it could be done you ask, google for hping, and port 1111 :)

Regards,
    Yuri.

STANESCU Ionut wrote:

| Hi,
|
| I have a small network protected by a screener router (or a single
| bastion host) represented by a CISCO 3645 router, latest IOS installed.
|
| This performs a basic PAT from inside to outside, standard schema.
|
| Behind it is a small number of Windows XPs with SP1 and SP2, all of
| them with the Microsoft firewall activated.
|
| These are configured for different purposes; one of them is a client
| for the eMule network.
|
| Because eMule is a client-server architecture and I have a single
| routable IP address, I have defined in my router configuration, for
| the eMule Hi ID option, different static routes with different TCP/IP
| internal ports.
|
| For a while I have discovered in my syslog daemon this kind of message:
|
| "
| list 101 denied tcp 10.1.141.53(4814) -> <my external ip>(1111)
| list 101 denied tcp 10.1.178.197(3926) -> <my external ip>(1111)
| list 101 denied udp 10.1.201.48(3306) -> <my external ip>(1111)
| "
|
| This IP class is private, so I understand that it is an attempt at mapping
| my protected network, but how does this guy do that?
|
| Could you help me to understand this mechanism better?
|
| Thank you.
|
| Ionut Stanescu
|


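The log lines Ionut quotes can be checked mechanically. The following is an added example, not code from either poster: it parses entries in the shape of those Cisco ACL messages (the sample lines are constructed, with 203.0.113.10 standing in for the undisclosed external IP), flags RFC 1918 sources that cannot legitimately arrive on the WAN side, and reports sources that probe the same port over both TCP and UDP, the pattern Yuri describes.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the Cisco ACL log lines quoted in the thread;
# 203.0.113.10 stands in for "<my external ip>", which the post does not disclose.
SAMPLE_LOG = """\
list 101 denied tcp 10.1.141.53(4814) -> 203.0.113.10(1111)
list 101 denied tcp 10.1.178.197(3926) -> 203.0.113.10(1111)
list 101 denied udp 10.1.201.48(3306) -> 203.0.113.10(1111)
list 101 denied tcp 198.51.100.7(51022) -> 203.0.113.10(4662)
list 101 denied udp 10.1.141.53(4815) -> 203.0.113.10(1111)
"""

LINE_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)

# RFC 1918 space is never routed on the public internet, so a packet with such a
# source arriving on the WAN side is spoofed or leaked by a misconfigured upstream.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one 'list N denied ...' entry into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("acl", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry

def is_rfc1918(addr):
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)

def analyse(log_text):
    """Return (entries with a private source, (src, dport) pairs seen over both TCP and UDP)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    spoofed = [e for e in entries if is_rfc1918(e["src"])]
    protos = defaultdict(set)
    for e in entries:
        protos[(e["src"], e["dport"])].add(e["proto"])
    # A source that tries TCP and then falls back to UDP against the same port is
    # the pattern the reply above describes; it deserves a closer look than a lone SYN.
    dual = sorted(key for key, seen in protos.items() if {"tcp", "udp"} <= seen)
    return spoofed, dual
```

Feeding the real syslog export into `analyse` gives the two lists; the first is the set of entries to take up with the upstream provider (ingress filtering), the second the hosts worth correlating with other sensors.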
