Message-Id: <20131206130909.8C28920115@smtp.hushmail.com>
Date: Fri, 06 Dec 2013 06:09:08 -0700
From: silence_is_best@...hmail.com
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: China's tool of the year

Hey Kids!

Let's have some fun with kernel firewall logs shall we?  Take November
for example:

egrep -o "SPT=[0-9]{1,5}" 00.01.03-12.01.2013-messages | sort -n | \
  uniq -c | sort -rn | head -n 20

    898 SPT=6000
    273 SPT=80
    215 SPT=443
     81 SPT=39401
     59 SPT=53
     48 SPT=16387
     44 SPT=3074
     41 SPT=21032
     39 SPT=45682
     36 SPT=5070
     36 SPT=43295
     36 SPT=36490
     30 SPT=4935
     27 SPT=33715
     26 SPT=7778
     25 SPT=5371
     23 SPT=12212
     21 SPT=8877
     20 SPT=8458
     20 SPT=5971

Now we can douche out 80 and 443 since these are most likely RST
packets from web sites.  So what's the deal with 6000?  That my
friends is China's scanning tool!  How do we know?  Cause we look at
the DPT :)

egrep "SPT=6000" 00.01.03-12.01.2013-messages | egrep -o \
  "DPT=[0-9]{1,5}" | sort -n | uniq -c | sort -rn | head -n 20

    309 DPT=1433
    285 DPT=22
    118 DPT=3306
     87 DPT=3389
     27 DPT=8080
     13 DPT=80
     12 DPT=4899
      5 DPT=135
      4 DPT=8009
      4 DPT=1998
      3 DPT=65500
      3 DPT=5900
      3 DPT=1521
      2 DPT=8081
      2 DPT=2967
      2 DPT=1000
      1 DPT=8888
      1 DPT=888
      1 DPT=8088
      1 DPT=7777

Gee....MSSQL...SSH...MySQL...RDP...yea these are legit 8-|.  So let's
just look at the top few source IP's:

egrep "SPT=6000" 00.01.03-12.01.2013-messages | egrep -o "SRC=.*DST" | \
  sed -e 's/SRC=//' -e 's/ DST//' | sort -n | uniq -c | sort -rn | \
  head -n 20

     30 61.147.103.144
     17 222.189.239.10
     17 182.118.38.243
     15 222.175.114.134
     15 117.34.78.197
     14 61.147.113.93
     12 61.147.116.8
     11 61.147.113.77
     11 59.53.67.154
     11 124.232.147.202

Well what do you know....EVERY SINGLE SWINGING one is from China :) 
Solutions?  Block source port 6000 at the perimeter?  Maybe..or maybe
just monitor for a month and see how much legit traffic comes through
on that port.  That's all for now...enjoy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
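As an added example (not the poster's code), the three egrep/sort/uniq pipelines above collapsed into one pass over kernel LOG-target lines: count hits per source port, then break each source port down by destination port and source address. The sample lines are constructed in iptables LOG format with RFC 5737 test addresses; the SPT=6000 lines mimic the pattern the post describes.

```python
"""Tally kernel LOG-target lines by source port, then break each source
port down by destination port and source address in a single pass."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in iptables LOG format (RFC 5737 test addresses,
# not real hosts); the SPT=6000 lines mimic the pattern shown in the post.
SAMPLE_LOG = """\
Nov  3 01:02:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=1433 SYN
Nov  3 01:02:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=22 SYN
Nov  3 01:05:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=3306 SYN
Nov  3 01:07:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=1433 SYN
Nov  3 02:00:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.80 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=51234 ACK RST
Nov  3 02:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40001
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse(line):
    """Return the key=value fields of one LOG line as a dict, or None when
    the line has no SRC/SPT/DPT (ICMP entries, unrelated kernel messages)."""
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "SPT", "DPT")):
        return None
    fields["SPT"] = int(fields["SPT"])
    fields["DPT"] = int(fields["DPT"])
    return fields

def tally(log_text):
    """Count hits per source port and, for each source port, hits per
    destination port and per source address (the three pipelines at once)."""
    by_spt = Counter()
    dpt_by_spt = defaultdict(Counter)
    src_by_spt = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        by_spt[rec["SPT"]] += 1
        dpt_by_spt[rec["SPT"]][rec["DPT"]] += 1
        src_by_spt[rec["SPT"]][rec["SRC"]] += 1
    return by_spt, dpt_by_spt, src_by_spt

if __name__ == "__main__":
    by_spt, dpts, srcs = tally(SAMPLE_LOG)
    for spt, n in by_spt.most_common(3):
        print(f"SPT={spt}: {n} hits; top DPT {dpts[spt].most_common(3)}; "
              f"{len(srcs[spt])} distinct sources")
```

Run it against a real file with `tally(open(path).read())` and look at any source port whose destination ports are all service ports (1433, 22, 3306, 3389) and whose sources are many; that is the shape the post points at.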