lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1072825768.2204.730.camel@localhost>
From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: RE: Reverse http traffic

Thank you for your reply James - I've put my answers below yours:

On Tue, 2003-12-30 at 14:18, James C Slora Jr wrote:
> Daniel H. Renner wrote Tuesday, December 30, 2003 15:33
> 
> > I had a case recently wherein one of a client's systems 
> > (Win2k) could not access http, or mail traffic.  At the same time, 2 other
> systems
> > (Win95 and Xandros) could, and yet he could access all of the 
> > other network shares via TCP.
> <snip>
> > I then installed a Linux firewall on a spare computer, 
> > replaced the Linksys router with it and instantly his Win2k 
> > was able to browse and get email.
> 
> This sounds like it was a config problem on the Linksys router - dmz setup
> or port forwarding or something. 

Could have been, but it was set for DHCP, and any other computer on the
LAN had no problem, and there was no dmz or port-forwarding setup in the
router.

>  
> > I checked the firewall logs and saw quite a few attempts from 
> > a Google IP address (whois-ed, but I'm not ignoring that it 
> > was possibly spoofed) that was sending IN traffic with a 
> > source port of 80 and a destination port in the temporary 
> > range (33xx) - eh???
> 
> Which firewall logs and what time frame? The Linksys before the switchout,
> the Linux-based firewall after the switchout, or something else?

My appologies, since I never considered the Linksys/DLink/etc. routers
to be firewalls I've not addressed them as such - but I see others do
(remind self that other's terminologies must be used when talking to
them... :)

The firewall in question is an IPCop machine (this is a fork of the
Smoothwall firewall project - www.ipcop.org) with no DHCP server,
port-forwarding or HTTP proxy running - just a plain brown box...  The
incomings I saw were within approx. a 1-minute timeframe.

> 
> A lot of things could cause incoming 80 -> 33xx traffic, most of them
> benign. Do you have any packet captures with flags and ACKs, etc? Were the
> mystery packets directed to the problem machine or to the router address?
> Can you give more details about which machines have private addresses and
> which have public Internet addresses? Was the Linksys firmware up to rev?
> 

Unfortunately I am still enough of a Linux newbie that I have not
figured out how to add a sniffer into IPCop (I could install ntop
though...) but according to the firewall logs the traffic was pointed to
the external NIC on the IPCop computer specifically which is the only
public IP address on the LAN.  All others are behind the IPCop's
internal/private IP addressed NIC, and there is no DMZ NIC on the
system, nor is it setup software-wise for one at the moment.

Also, all 6 updates of IPCop had been performed on the machine before
installation.

If what could cause this sort of traffic is "mostly benign" then I'll
have my goose-pimples set to "chill" - if not, then I'm still in "Eh?"
mode...


-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ