Message-ID: <CALCvwp4O3inz0XT+WxRJK1jyHJNeQcLo40+88=8Cs3jiJkAH2A@mail.gmail.com>
Date: Sun, 30 Oct 2011 07:31:43 +1100
From: xD 0x41 <secn3t@...il.com>
To: "Alan J. Wylie" <shyyqvfpybfher@...ie.me.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: bind-9.8.1 remote code exec exploit?

Dude, google 5060 port. You're making a meal of this.

On 30 October 2011 03:18, Alan J. Wylie <shyyqvfpybfher@...ie.me.uk> wrote:
>
> nix@...roxylists.com writes:
>
>> I've been investigating weird iptables messages as follows:
>>
>> Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29
>> LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060
>> LEN=94
>>
>> I received a message from my ISP abuse that my server is scanning SIP port
>> 5060 and I set the firewall rule to deny/log all UDP connections out of
>> the box to port 5060 to get timestamps for further investigation. This
>> happened before I set the firewall rule.
>>
>> /var/log/named.log
>>
>> 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error sending response: host unreachable
>> 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060: error sending response: host unreachable
>> 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error sending response: host unreachable
>> 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060: error sending response: host unreachable
>> 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060: error sending response: host unreachable
>> 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060: error sending response: host unreachable
>> 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060: error sending response: host unreachable
>> 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error sending response: host unreachable
>> 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable
>> 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060: error sending response: host unreachable
>> 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060: error sending response: host unreachable
>> 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060: error sending response: host unreachable
>> 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
>
> Don't you think that it's a bit of a coincidence that most of those IP
> addresses resolve to a host with "ns" (Name Server) as part of their
> hostname?
>
> $ for x in 193.210.19.19 195.222.32.20 200.63.56.5 202.43.160.50 \
>     202.44.204.36 208.69.35.15 212.59.18.8 213.77.43.115 221.210.153.6 \
>     62.80.128.29 81.25.53.2 84.22.23.4 84.88.226.10;
>   do
>     echo -n "$x: ";
>     dig +short -x $x;
>   done
>
> 193.210.19.19: ns6.inet.fi.
> 195.222.32.20: ns2.bih.net.ba.
> 200.63.56.5: ;; connection timed out; no servers could be reached
> 202.43.160.50: ns1.dtp.net.id.
> 202.44.204.36: nscache1.nectec.or.th.
> 208.69.35.15: m5.ams.opendns.com.
> 212.59.18.8: ns.ektra.lt.
> 213.77.43.115: 221.210.153.6: 62.80.128.29: ns2.multi.fi.
> 81.25.53.2: localns.ultra.net.ru.
> 84.22.23.4: 84.88.226.10: dns1.blanquerna.url.edu.
>
> I note that the IP your e-mail was sent from is 88.195.165.231, ISP
> inet.fi, and that one of the above hosts is ns6.inet.fi.
>
> There's a nameserver running on that IP, but it is not offering
> recursion (good).
>
> ------8<------8<------8<------8<------8<------8<------8<------8<
> $ dig -t any @88.195.165.231 www.google.com
>
> ; <<>> DiG 9.7.3 <<>> -t any @88.195.165.231 www.google.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 683
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;www.google.com.			IN	ANY
> ------8<------8<------8<------8<------8<------8<------8<------8<
>
> If you are blocking port 5060, then it is no surprise that DNS lookups
> are failing.
>
> "error sending response" looks like a TCP connection error - DNS usually
> uses UDP. I suspect that those IP addresses are doing DNS lookups,
> randomly[1] selecting 5060 as their source port, finding no response,
> and retrying on TCP.
>
> [1] random is good - RFC6056, http://cr.yp.to/djbdns/forgery.html
>
> Everything is looking good on that server with source port 5060 from
> here at the moment. Was your ISP previously blocking port 5060, but is
> no longer doing so?
>
> ------8<------8<------8<------8<------8<------8<------8<------8<
> $ dig -b 82.68.155.94#5060 @88.195.165.231 www.google.com
>
> ; <<>> DiG 9.7.3 <<>> -b 82.68.155.94#5060 @88.195.165.231 www.google.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 56850
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;www.google.com.			IN	A
>
> $ tcpdump port 53 -i ppp0
>
> 17:05:09.897796 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: 56850+ A? www.google.com. (32)
> 17:05:09.965868 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: 56850 Refused- 0/0/0 (32)
>
> ------8<------8<------8<------8<------8<------8<------8<------8<
>
> $ dig -b 82.68.155.94#5060 +tcp @88.195.165.231 www.google.com
>
> ; <<>> DiG 9.7.3 <<>> -b 82.68.155.94#5060 +tcp @88.195.165.231 www.google.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46624
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;www.google.com.			IN	A
>
> $ tcpdump port 53 -i ppp0
> 17:05:15.286709 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: S 3256494479:3256494479(0) win 14520 <mss 1452,sackOK,timestamp 85574910 0,nop,wscale 4>
> 17:05:15.353918 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: S 2117895477:2117895477(0) ack 3256494480 win 5840 <mss 1460>
> 17:05:15.353996 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: . ack 1 win 14520
> 17:05:15.354280 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: P 1:35(34) ack 1 win 1452046624+ A? www.google.com. (32)
> 17:05:15.422648 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: . ack 35 win 5840
> 17:05:15.423125 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: P 1:35(34) ack 35 win 584046624 Refused- 0/0/0 (32)
> 17:05:15.423149 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: . ack 35 win 14520
> 17:05:15.426007 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: F 35:35(0) ack 35 win 14520
> 17:05:15.493606 IP dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain > wylie.me.uk.5060: F 35:35(0) ack 36 win 5840
> 17:05:15.493685 IP wylie.me.uk.5060 > dsl-tkubrasgw3-ffa5c300-231.dhcp.inet.fi.domain: . ack 36 win 14520
>
> ------8<------8<------8<------8<------8<------8<------8<------8<
>
>
> --
> Alan J. Wylie                                   http://www.wylie.me.uk/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
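The reasoning in Alan's quoted reply (a packet leaving the server from source port 53 toward a remote port 5060 is a DNS answer to a client that chose 5060 as its randomised source port, not a SIP scan) can be turned into a small abuse-report triage script. This is an added example, not code from the thread or from BIND: the iptables and named.log sample lines are the ones quoted above plus one constructed line (an RFC 5737 documentation address) showing what a genuine outbound SIP probe would look like by contrast; the PTR table is a static copy of the dig loop's output so the script runs offline, where a live check would call `dig -x` or `socket.gethostbyaddr`.

```python
import re
from collections import Counter

# Constructed sample input: the iptables LOG line quoted in the thread, plus one
# constructed line (RFC 5737 address, ephemeral source port) that would be a real
# outbound SIP probe rather than a DNS reply.
IPTABLES_LOG = """\
Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=62.80.128.29 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060 LEN=94
Oct 29 15:01:02 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP DST=198.51.100.7 LEN=448 TOS=0x00 PREC=0x00 TTL=64 ID=31800 PROTO=UDP SPT=54321 DPT=5060 LEN=428
"""

# Constructed sample input: three of the named.log warnings quoted in the thread.
NAMED_LOG = """\
05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error sending response: host unreachable
17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error sending response: host unreachable
29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060: error sending response: host unreachable
"""

# Reverse lookups as printed by the dig loop in the thread, embedded as a static
# table so this runs offline; None marks addresses that returned no PTR record.
PTR_NAMES = {
    "193.210.19.19": "ns6.inet.fi.",
    "195.222.32.20": "ns2.bih.net.ba.",
    "200.63.56.5": None,
    "202.43.160.50": "ns1.dtp.net.id.",
    "202.44.204.36": "nscache1.nectec.or.th.",
    "208.69.35.15": "m5.ams.opendns.com.",
    "212.59.18.8": "ns.ektra.lt.",
    "213.77.43.115": None,
    "221.210.153.6": None,
    "62.80.128.29": "ns2.multi.fi.",
    "81.25.53.2": "localns.ultra.net.ru.",
    "84.22.23.4": None,
    "84.88.226.10": "dns1.blanquerna.url.edu.",
}

IPTABLES_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
NAMED_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+): error sending response")


def parse_iptables(text):
    """Extract (src, dst, proto, spt, dpt) from netfilter LOG target lines."""
    events = []
    for line in text.splitlines():
        m = IPTABLES_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                           "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return events


def parse_named_clients(text):
    """Return the set of (ip, port) pairs BIND tried, and failed, to answer."""
    return {(m["ip"], int(m["port"])) for m in NAMED_RE.finditer(text)}


def classify(event, named_clients, dns_port=53, sip_port=5060):
    """Label one outbound firewall event using the resolver's own log as corroboration."""
    if event["proto"] != "UDP":
        return "other"
    if event["spt"] == dns_port:
        # Sourced from our DNS port: a reply. Strongest evidence is a matching
        # named.log entry for exactly that client ip#port.
        if (event["dst"], event["dpt"]) in named_clients:
            return "dns_response_to_logged_client"
        return "dns_response_unmatched"
    if event["dpt"] == sip_port:
        # Ephemeral source port toward 5060 is what a real SIP scanner emits.
        return "outbound_sip_probe"
    return "other"


def triage(iptables_text, named_text):
    """Count verdicts over all logged events; the dict is what goes in the abuse reply."""
    clients = parse_named_clients(named_text)
    return dict(Counter(classify(ev, clients) for ev in parse_iptables(iptables_text)))


def nameserver_like(ptr_names):
    """(names containing 'ns', names resolved, addresses checked), Alan's coincidence test."""
    resolved = [n for n in ptr_names.values() if n]
    matching = [n for n in resolved if "ns" in n.lower()]
    return len(matching), len(resolved), len(ptr_names)


if __name__ == "__main__":
    print(triage(IPTABLES_LOG, NAMED_LOG))
    print("%d of %d resolved names (of %d addresses) look like nameservers" % nameserver_like(PTR_NAMES))
```

The key signal is the source port: a resolver answers from port 53, so an outbound packet with SPT=53 and a DPT that also appears as a `client ip#port` in named.log is a reply the remote resolver solicited, while a packet with an ephemeral source port and DPT=5060 is the pattern an abuse desk is right to worry about. Matching on the exact (ip, port) pair rather than the address alone avoids counting unrelated traffic to a host that also happens to run DNS.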