I'd guess someone is trying to exploit you.  I'd say let it through and,
on your firewall, route it to a blackhole.

Gabe

On Wed, Nov 22, 2000 at 08:19:35AM -0600, Clay Fandre wrote:
> I'm getting tons of denies on my firewall/Masq box on my DSL line which
> is using IPChains to filter out almost everything. I want to make it
> stop because it's filling up my logs. (No, I don't want to turn off
> logging) I'm assuming it's doing a DNS query since it's coming from port
> 53, but don't really know why. My firewall box is a DNS server, but only
> for my internal non-routable network. Anyone have any ideas?
> 
> Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000
> T=47 (#32)
> Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64813 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64814 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64815 F=0x0000
> T=47 (#32)
> 
> This has been going on for a few days now and my log files are growing.
> Any idea what the ch top-level domain is? Any idea what it's doing? I
> assume it's trying to resolve an address of mine, but I'm blocking it.
> Why doesn't it time out?
> 
> 
> After a little bit of investigation I find out it's a SuSe Linux box and
> has a LOT running. There's got to be an exploit in here somewhere...
> # nmap -O -sS -v -v smtp.bycom.ch
> 
> Starting nmap V. 2.12 by Fyodor (fyodor at dhp.com, www.insecure.org/nmap/)
> Host smtp.bycom.ch (217.24.32.10) appears to be up ... good.
> Initiating SYN half-open stealth scan against smtp.bycom.ch
> (217.24.32.10)
> Adding TCP port 139 (state Firewalled).
> Adding TCP port 22 (state Open).
> Adding TCP port 53 (state Open).
> Adding TCP port 21 (state Open).
> Adding TCP port 25 (state Open).
> Adding TCP port 138 (state Firewalled).
> Adding TCP port 110 (state Open).
> Adding TCP port 80 (state Open).
> The SYN scan took 9 seconds to scan 1483 ports.
> For OSScan assuming that port 21 is open and port 38683 is closed and
> neither are firewalled
> Interesting ports on smtp.bycom.ch (217.24.32.10):
> Port    State       Protocol  Service
> 21      open        tcp        ftp
> 22      open        tcp        ssh
> 25      open        tcp        smtp
> 53      open        tcp        domain
> 80      open        tcp        http
> 110     open        tcp        pop-3
> 138     filtered    tcp        netbios-dgm
> 139     filtered    tcp        netbios-ssn
> 
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=2124463 (Good luck!)
> 
> Sequence numbers: C11B739 C6C2B3E CCCC545 C94066C C82B80A CEBC354
> Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 -
> 2.2.2
> OS Fingerprint:
> TSeq(Class=RI%gcd=1%SI=206AAF)
> T1(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
> 
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
> 
> # telnet smtp.bycom.ch 25
> Trying 217.24.32.10...
> Connected to smtp.bycom.ch.
> Escape character is '^]'.
> 220 ns1.bycom.ch ESMTP Sendmail 8.10.2/8.10.2/SuSE Linux 8.10.0-0.3; 
> 
> # telnet smtp.bycom.ch 110
> Trying 217.24.32.10...
> Connected to smtp.bycom.ch.
> Escape character is '^]'.
> +OK QPOP (version 2.53) at ns1.bycom.ch starting. 
> <24291.974902011 at ns1.bycom.ch>
> Wed, 22 Nov 2000 15:04:25 +0100
> 
> # ftp smtp.bycom.ch
> Connected to smtp.bycom.ch.
> 220 ns1.bycom.ch FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready.
> Name (smtp.bycom.ch:):
> 
> # nslookup - smtp.bycom.ch
> Default Server:  smtp.bycom.ch
> Address:  217.24.32.10
> 
> > ls bycom.ch
> [smtp.bycom.ch]
>  bycom.ch.                      server = ns1.bycom.ch
>  bycom.ch.                      server = pdc.bycom.ch
>  bycom.ch.                      217.24.32.11
>  bycom.ch.                      217.24.32.19
>  bycom.ch.                      217.24.32.139
>  bycom.ch.                      217.24.32.12
>  bsl-du-l9                      217.24.32.88
>  bsl-bsl-dt00-loc               217.24.32.112
>  smtp                           217.24.32.10
>  bsl-bsl-st00-loc               217.24.32.110
>  bslst00                        217.24.32.145
>  bsl-wlf-pk00-loc               217.24.32.2
>  bsldt00                        217.24.32.140
>  bslma00                        217.24.32.169
>  bslut00                        217.24.32.141
>  bslgs00                        217.24.32.18
>  bslad100                       217.24.32.156
>  bslgs01                        217.24.32.21
>  bsl-du1                        217.24.32.79
>  mail                           217.24.32.10
>  bslad300                       217.24.32.157
>  bslsh00                        217.24.32.146
>  bslpk00                        217.24.32.185
>  bslme00                        217.24.32.154
>  pdc                            217.24.32.11
>  pdc                            217.24.32.139
>  bsltb00                        217.24.32.148
>  bslrr00                        217.24.32.150
>  gc._msdcs                      217.24.32.139
>  gc._msdcs                      217.24.32.11
>  bslpdc                         217.24.32.12
>  ns1                            217.24.32.10
>  bslbkp00                       217.24.32.19
>  bsl-wl-dt00                    192.168.0.111
>  bsl-du-l10                     217.24.32.89
>  bsl-du-l11                     217.24.32.90
>  bsl-du-l12                     217.24.32.91
>  bsl-du-l13                     217.24.32.92
>  bsl-bsl-uu00-loc               217.24.32.1
>  bslprt1                        192.168.0.200
>  bsl-du-l14                     217.24.32.93
>  bsl-du-l15                     217.24.32.94
>  bslprt3                        192.168.0.202
>  bsl-pdc                        217.24.32.152
>  bsl-du-l16                     217.24.32.95
>  bsl-du-l17                     217.24.32.96
>  bslprt5                        192.168.0.204
>  bslem00                        217.24.32.158
>  bsl-du-l18                     217.24.32.97
>  bsl-du-l20                     217.24.32.99
>  ts00                           217.24.32.15
>  bsl-du-l19                     217.24.32.98
>  bsl-du-l21                     217.24.32.100
>  bsl-du-l22                     217.24.32.101
>  bslad200                       217.24.32.153
>  bsl-du-l23                     217.24.32.102
>  bsl-du-l24                     217.24.32.103
>  bsl-du-l25                     217.24.32.104
>  bsl-du-l26                     217.24.32.105
>  bsl-du-l27                     217.24.32.106
>  bsl-du-l30                     217.24.32.109
>  bsl-du-l28                     217.24.32.107
>  wlf-wl-pk00                    192.168.0.110
>  bsl-du-l29                     217.24.32.108
>  sirdir-piiid                   217.24.47.40
>  bsl-bsl-dt00-rem               217.24.32.113
>  abcfs00                        217.24.32.16
>  bslad400                       217.24.32.159
>  bsl-bsl-mci00                  217.24.32.1
>  bsl-wlf-pk00-rem               217.24.47.33
>  bsl-wl-bc00                    192.168.0.100
>  bsl-wl-bc01                    192.168.0.101
>  www                            217.24.32.14
>  bslrc00                        217.24.32.155
>  bslmf00                        217.24.32.143
>  bsl-du-l1                      217.24.32.80
>  bsl-bsl-me00-loc               217.24.32.111
>  bsl-du-l2                      217.24.32.81
>  bsl-du-l3                      217.24.32.82
>  bsl-du-l4                      217.24.32.83
>  bsl-du-l5                      217.24.32.84
>  bsl-du-l6                      217.24.32.85
>  bsl-du-l7                      217.24.32.86
>  bsl-du-l8                      217.24.32.87
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list

-- 
--------------------------------------------------------------------------------
Gabe Turner				       |  	   X-President,
UNIX Systems Administrator,		       | Assoc. for Computing Machinery
U of M Supercomputing Institute for	       |    University of Minnesohta
Digital Simulation and Advanced Computation    |       dopp at acm.cs.umn.edu

"Oh my beloved ice cream bar!! How I love to like your creamy center!
 Howm!  Howm!  Howm!!  And your oh-so-nutty chocolate covering!!"
				       - Commander Hoek (Ren) in "Space Madness"
--------------------------------------------------------------------------------
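An added example, not part of either message above, for doing what Clay's post is really after: characterising the traffic that is filling the log before deciding what to do about it. The ipchains "Packet log:" format is fixed (chain, target, interface, PROTO=ip-proto-number, src:sport, dst:dport, L=total length, S=TOS, I=IP ID, F=fragment offset, T=TTL, (#rule)), so it parses with one regular expression. The script below aggregates DENY lines by 5-tuple, checks whether the IP IDs from a source increase by one (a single host emitting packets back to back, rather than many hosts or forged IDs), and prints an ipchains rule that would drop the top talker silently: a rule without `-l` logs nothing, and inserting it at position 1 of the input chain puts it ahead of the logging catch-all. The sample log is constructed from the first three lines of the quoted post plus one made-up TCP line (TEST-NET address) so the ranking has something to sort; the rule text, the `min_count` threshold and the chain name `input` are my assumptions about Clay's setup, not anything stated in the thread. Note that source port 53 to a high destination port is the shape of a DNS reply; whether it answers something the internal resolver actually asked is a separate check against that resolver's own query log, which this script does not do.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first three DENY lines quoted in the post plus one
# made-up TCP line (TEST-NET source) so the summary has more than one flow.
SAMPLE_LOG = """\
Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000 T=47 (#32)
Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000 T=47 (#32)
Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000 T=47 (#32)
Nov 22 08:05:01 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.7:4444 64.6.191.90:23 L=60 S=0x00 I=1 F=0x0000 T=120 (#32)
"""

# ipchains 2.2-era kernel log line; field order is fixed by the kernel.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict of the packet-log fields, or None for non-matching lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[k] = int(rec[k])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def summarize(log_text):
    """Count DENY lines per (proto, src, sport, dst, dport) and keep the IP IDs seen."""
    flows = Counter()
    ipids = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        key = (rec["proto_name"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key] += 1
        ipids[key].append(rec["ipid"])
    return flows, ipids


def ipid_is_sequential(ids):
    """True when each IP ID is exactly one more than the previous: one host sending
    these packets back to back, not several hosts and not randomised IDs."""
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


def top_talkers(log_text, min_count=2):
    """Flows with at least min_count denies, busiest first, with the IP-ID verdict."""
    flows, ipids = summarize(log_text)
    return [(key, n, ipid_is_sequential(ipids[key]))
            for key, n in flows.most_common() if n >= min_count]


def silent_deny_rule(key):
    """ipchains rule that drops the flow without logging (no -l), inserted at
    position 1 of the input chain so it matches before the logging catch-all.
    Chain name and position are assumptions about the reader's ruleset."""
    proto, src, sport, dst, dport = key
    return f"ipchains -I input 1 -p {proto} -s {src} {sport} -d {dst} {dport} -j DENY"


if __name__ == "__main__":
    for key, n, seq in top_talkers(SAMPLE_LOG):
        proto, src, sport, dst, dport = key
        print(f"{n:4d} denies  {proto} {src}:{sport} -> {dst}:{dport}"
              f"  sequential IP IDs: {seq}")
        print("      " + silent_deny_rule(key))
```

Feed it the real file with `python3 ipchains_denies.py < /var/log/messages` after changing the loop to read `sys.stdin`; the printed rule is a suggestion to review, not something to apply blindly, since a silent drop also hides any future change in what that source sends.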