Wednesday, May 6, 2009

Port 6000 Scans

I receive lots of port 6000 scans on my Netgear FVS318 firewall. My guess is many of you do as well. By changing the firewall to forward all ports to an OpenBSD "dummy/honeypot" host, I am able to sniff the packets that come into my WAN (without a tap), which gives me more information about and control over them than the firewall's syslog output alone. X11 can be configured for remote access, with port 6000 as its default. My guess is that two dozen or more IPs attempt to connect on this port per week:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xl0, link-type EN10MB (Ethernet), capture size 65535 bytes
...
1241648685.844326 IP 218.58.220.130.6000 > 192.168.0.12.2967: Flags [S], seq 1519714304, win 16384, length 0
1241649491.716071 IP 80.13.217.205.6000 > 192.168.0.12.2967: Flags [S], seq 1519714304, win 16384, options [mss 1460], length 0
....
1241653701.125407 IP 221.195.73.68.6000 > 192.168.0.12.7212: Flags [S], seq 1454440448, win 16384, length 0
1241653701.128528 IP 221.195.73.68.6000 > 192.168.0.12.8000: Flags [S], seq 798031872, win 16384, length 0
1241656783.765870 IP 119.161.130.75.6000 > 192.168.0.12.2967: Flags [S], seq 640548864, win 16384, length 0
....

/var/log# grep 119.161.130.75  syslog
[Under FVS318 normal operation]:

May  4 10:45:13 192.168.0.1 rferris [59299]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  4 12:43:54 192.168.0.1 rferris [59342]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  4 17:36:29 192.168.0.1 rferris [59440]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  4 22:28:39 192.168.0.1 rferris [59534]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 03:52:54 192.168.0.1 rferris [62240]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 09:05:59 192.168.0.1 rferris [64532]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 09:05:59 192.168.0.1 rferris Hacker Log[64533]:PROTO_TCP, SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  5 14:36:22 192.168.0.1 rferris [64635]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 19:34:38 192.168.0.1 rferris [64831]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 00:34:49 192.168.0.1 rferris [70599]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 05:22:39 192.168.0.1 rferris [73607]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 10:11:50 192.168.0.1 rferris [76793]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 14:11:41 192.168.0.1 rferris [76868]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75

[With dummy/honeypot host] the FVS318 logs as follows:
May  6 20:15:15 192.168.0.1 rferris [216]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
May  7 01:04:14 192.168.0.1 rferris [5964]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  7 01:04:14 192.168.0.1 rferris Blocked Sites Log[5965]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
May  7 05:57:33 192.168.0.1 rferris [10106]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  7 05:57:33 192.168.0.1 rferris Blocked Sites Log[10107]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
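As an added example (not from the original post), the parser below reads both the tcpdump lines and the FVS318 syslog lines shown above, groups connection attempts by source IP, and flags sources that either probed more than one destination port or always connected from source port 6000; note that in these captures 6000 is the source port, while the destination ports vary (2967, 7212, 8000). The 203.0.113.7 line in the sample is constructed as a benign control; the other sample lines are copied from the post.

```python
import re
from collections import defaultdict

IP = r"\d+\.\d+\.\d+\.\d+"
# tcpdump: "1241648685.844326 IP 218.58.220.130.6000 > 192.168.0.12.2967: Flags [S], ..."
TCPDUMP_RE = re.compile(
    rf"^\S+ IP (?P<sip>{IP})\.(?P<sport>\d+) > (?P<dip>{IP})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
# FVS318 "Hacker Log" / "Blocked Sites Log": "... SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, ..."
FVS_PORTS_RE = re.compile(rf"SIP:(?P<sip>{IP}): ?(?P<sport>\d+), DIP:(?P<dip>{IP}): ?(?P<dport>\d+)")
# FVS318 per-connection line: "... [59299]:TCP(2967)   Dest IP :98.247.182.78,   Src IP  :119.161.130.75"
FVS_CONN_RE = re.compile(rf":TCP\((?P<dport>\d+)\)\s+Dest IP :(?P<dip>{IP}),\s+Src IP\s+:(?P<sip>{IP})")

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port) or None.
    src_port is None when the format does not record it (FVS318 per-connection lines)."""
    m = TCPDUMP_RE.match(line)
    if m:
        if m["flags"] != "S":          # keep bare SYNs only (connection attempts)
            return None
        return m["sip"], int(m["sport"]), m["dip"], int(m["dport"])
    m = FVS_PORTS_RE.search(line)
    if m:
        return m["sip"], int(m["sport"]), m["dip"], int(m["dport"])
    m = FVS_CONN_RE.search(line)
    if m:
        return m["sip"], None, m["dip"], int(m["dport"])
    return None

def summarise(lines):
    """Per source IP: attempt count, destination ports touched, and how many attempts
    with a recorded source port used 6000 (the fingerprint seen in this post)."""
    stats = defaultdict(lambda: {"hits": 0, "dports": set(), "sport_known": 0, "sport6000": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sip, sport, _dip, dport = rec
        s = stats[sip]
        s["hits"] += 1
        s["dports"].add(dport)
        if sport is not None:
            s["sport_known"] += 1
            s["sport6000"] += sport == 6000
    return dict(stats)

def scanners(stats, min_ports=2):
    """Sources that probed >= min_ports destination ports, or that always used source port 6000."""
    return sorted(ip for ip, s in stats.items()
                  if len(s["dports"]) >= min_ports
                  or (s["sport_known"] and s["sport6000"] == s["sport_known"]))

SAMPLE = [  # lines from the post, plus one constructed benign SYN from 203.0.113.7 (TEST-NET)
    "1241648685.844326 IP 218.58.220.130.6000 > 192.168.0.12.2967: Flags [S], seq 1519714304, win 16384, length 0",
    "1241653701.125407 IP 221.195.73.68.6000 > 192.168.0.12.7212: Flags [S], seq 1454440448, win 16384, length 0",
    "1241653701.128528 IP 221.195.73.68.6000 > 192.168.0.12.8000: Flags [S], seq 798031872, win 16384, length 0",
    "1241656783.765870 IP 119.161.130.75.6000 > 192.168.0.12.2967: Flags [S], seq 640548864, win 16384, length 0",
    "1241656790.000000 IP 203.0.113.7.51234 > 192.168.0.12.80: Flags [S], seq 1, win 65535, length 0",
    "May  4 10:45:13 192.168.0.1 rferris [59299]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75",
    "May  5 09:05:59 192.168.0.1 rferris Hacker Log[64533]:PROTO_TCP, SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data",
    "May  6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, ",
]

if __name__ == "__main__":
    st = summarise(SAMPLE)
    for ip in scanners(st):
        print(ip, st[ip]["hits"], sorted(st[ip]["dports"]))
```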
