What is the Pattern here ?


This is a piece of my Log and I would like some comments on the patterns of hits it logged. I keep seeing the same Ports hit in the same order every time, with NetBIOS or other probes added at the end from time to time.

All IP's I checked so far come back to Dialup Accounts although I didn't check the 445 and ICMP hit IP's.

7/29/04 12:25:16 Rule "Block ICMP Inbound (Echo Request) " blocked (,8). Details: Inbound ICMP request Local address is (-) Remote address is ( Message type is "Echo Request" Process name is "N/A"
7/29/04 12:21:09 Rule "Default Block Sokets de Trois v1. Trojan" blocked (-,5000). Details: Inbound TCP connection Local address,service is (-,5000) Remote address,service is (,4602) Process name is "N/A"
7/29/04 12:16:07 Rule "?Default Block MyDoom Ports 3127-3198
Reply to

It's a pretty straightforward question and yes I do understand the output but either you don't understand the question or you don't understand the Output.

The Log speaks for itself and is why I didn't go into detail.

Your reply appears to be Trollish in looking to insult the poster from the get go.

If this wasn't your intent I'm sorry but if it was then Kill File will soon have you talking to yourself.

The Question was "What is the Pattern the Log shows" ?

You can see the Probes on 4 or 5 ports 3x on each one, one after the other by the same IP that is the Pattern in the Log.

There are others that show a small group of 2 to 4 IP's doing it together but I'm not sure that one of those types of probes is in this Log I Posted.

And they are ALL Dial-Up Accounts !

At first I thought they were Zombies probing Server Ports for other Zombied DNS or Web Servers with low TTL's but now they're hitting Ports up to 60,000 at times.

However most are the same probed ports day after day.

2745 5000 6169 3127 80 139

Sometimes I see port 445 or an ICMP block at the beginning or end with the same IP but this is rare and has nothing to do with the pattern.

There is one IP that comes back to my area that probes me every day that must do whole IP Blocks because I'm a Dial-up too with the same ISP.


If I do a DNS, Traceroute, and NetBios etc. in return they drop the connection but come back with a new IP to probe again. Most times after I do the Traces they can detect they go away for hours.

These must be Zombied Machines because this is every day all day but the way they act when I probe back makes me wonder if they are Zombies. And the fact I see the same ATT Dial-up IP's from Cambridge, Pittsburgh and NJ.

Almost all are ATT but some are not. And when they do it as a group there are like 2 to 4 att and 1 to 3 non att.

I've also seen other probers (don't think they are the same ones) that think I'm running a Linux Box by the ports they sometimes probe looking for a specific vulnerability.

But they give up and go away where these others don't.


Reply to

Yeah. Read this

formatting link

Reply to

Why do you install a piece of software though you don't understand its output?


Reply to
Wolfgang Kueter

Why is it being logged?

Yes, you are seeing some of the millions of fools running a computer that got infected because they are too f*cking stupid to be using something as complicated as a digital watch, nevermind a computer.

[compton ~]$ grep '^7' /var/spool/news/news/comp/security/firewalls/206285 | sed 's/^7.*Rule/Rule/' | sort -u
Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745).
Rule ">Default Block Kaung 2 The VirusDefault Block Port 445 Microsoft DSDefault Block711 Trojan Port 80 httpDefault DameWare Buffer overflow ExploitDefault Block Port 445 Microsoft DS
Reply to
Moe Trin

This pattern characterizes the Virus/Worm Agobot/Gaobot.

Lots of infected machines out there, indeed.

Reply to
Jens Hektor
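
The pattern discussed in the thread (one source hitting the same handful of ports three times each, one after the other) can be pulled out of a log mechanically. This is an added example, not code from any poster: the line layout follows the entries quoted in the first post, while the sample lines, the 192.0.2.x and 198.51.100.x addresses, the thresholds and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import groupby

# Ports the poster lists; the thread writes one of them as both 6169 and 6129.
WATCHED = {2745, 5000, 6129, 6169, 3127, 80, 139}

ENTRY = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+) Rule "[^"]*" blocked \([^,]*,(?P<port>\d+)\)\. '
    r'Details: Inbound TCP connection .*?'
    r'Remote address,service is \((?P<ip>[^,()]+),\d+\)')

def parse(log_text):
    """Yield (time, remote_ip, local_port) for blocked inbound TCP entries."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # ICMP entries and truncated lines do not match and are skipped
            yield (datetime.strptime(m['ts'], '%m/%d/%y %H:%M:%S'),
                   m['ip'], int(m['port']))

def find_sweeps(log_text, min_ports=4, min_hits=3, window=timedelta(minutes=10)):
    """Return {ip: [(port, hits), ...]} for sources that hit at least min_ports
    watched ports, min_hits times in a row each, inside one time window."""
    by_ip = defaultdict(list)
    for ts, ip, port in sorted(parse(log_text), key=lambda e: e[0]):
        by_ip[ip].append((ts, port))
    flagged = {}
    for ip, hits in by_ip.items():
        runs = []  # consecutive hits on one port collapse into (port, n, first, last)
        for port, grp in groupby(hits, key=lambda h: h[1]):
            grp = list(grp)
            runs.append((port, len(grp), grp[0][0], grp[-1][0]))
        good = [r for r in runs if r[0] in WATCHED and r[1] >= min_hits]
        for i, first in enumerate(good):  # slide a window over qualifying runs
            span = [r for r in good[i:] if r[3] - first[2] <= window]
            if len({r[0] for r in span}) >= min_ports:
                flagged[ip] = [(r[0], r[1]) for r in span]
                break
    return flagged

def _entry(ts, ip, port, sport=4602):
    # Constructed line in the layout of the log quoted in the thread.
    return (f'{ts:%m/%d/%y %H:%M:%S} Rule "Default Block" blocked (-,{port}). '
            f'Details: Inbound TCP connection Local address,service is (-,{port}) '
            f'Remote address,service is ({ip},{sport}) Process name is "N/A"')

def sample_log():
    """Constructed log: 192.0.2.10 sweeps four ports 3x each; 198.51.100.7 hits 445 once."""
    lines, t = [], datetime(2004, 7, 29, 12, 0, 0)
    for port in (2745, 5000, 6129, 3127):
        for _ in range(3):
            lines.append(_entry(t, '192.0.2.10', port))
            t += timedelta(seconds=3)
    lines.append(_entry(t, '198.51.100.7', 445))
    lines.append('07/29/04 12:25:16 Rule "Block ICMP Inbound (Echo Request) " '
                 'blocked (,8). Details: Inbound ICMP request')
    return '\n'.join(reversed(lines))  # newest first, as in the posted log

if __name__ == '__main__':
    for ip, runs in find_sweeps(sample_log()).items():
        print(ip, runs)
```

Grouping by source and collapsing repeats is what separates a scripted sweep from unrelated single hits; the three-hits-per-port threshold mirrors the "3x on each one" the poster reports.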

Could they be looking to compromise Web Accelerators that are nothing more than Web Servers added by some ISP's ? If so this could explain the DNS and Web Server Zombies with low TTL's used by Spam Websites.

Keeping them out of my Machine is not hard but trying to figure out what it is they are trying to do in a bigger picture is. Thanks, I'll look up Agobot/Gaobot. I didn't see those on my prepost searches on those ports.


Reply to

A pattern of Ports over and over that are all Dialups but I don't think they are all Zombies by the reaction I get when I probe back at them. They may still be Zombies but sometimes they go away or disconnect and sometimes they step up their probes.

I suspect it may be more than just that. I was hoping the Ports would point to these Zombies looking to each other so often since the TTL's are so low. The Web Accelerators that are mini Web Servers may be Hacked through Web Pages, Gif, Jpg, or Email. They can then use them as DNS and Web Servers with low TTL's to hide their Spam Websites. Could this Pattern I'm seeing be those very Zombied Servers with low TTL's ?

Reply to

I hope you keep all the logs, both of these "attacks" and your retaliation, so that when someone _you've_ probed complains, you can sound like a five year old kid by saying "he started it". Don't be surprised if that "excuse" doesn't work. By the way, here's one of the options out of a commonly used network analysis tool:

-D Causes a decoy scan to be performed which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys.

That option has been in that tool for more than three years. Later versions have several even more "interesting" options.

So, you've never heard of 'honeypots'. And what do you think if some of the hosts you probe are operated by people who respond the way you do? There are also "firewall tools" that can be set to automagically add an "attacking" host to a "block" rule - though I feel that's a good way to open yourself up to denial of service attacks.

Re-read what I wrote.

Your logs didn't show TTL data, but what are you describing as low? Remember that TTL values tend to have moderately high starting values, but these can be altered or set by the application doing the scan,

[compton ~]$ grep -v '^#' /etc/p0f/p0f.fp | grep -v '^ *$' | grep -v '^$' | cut -d':' -f2 | sort | uniq -c | sort -n +1
      8 32
     11 60
    130 64
     42 128
     32 255
[compton ~]$

'p0f' is a fairly nice Passive Operating system Fingerprinting tool. I'm not really sure if there is a windoze version. The database I looked at above shows characteristics of 223 O/S and scanning programs. That string of commands I ran show that the most common starting TTL is 64, but others in the range of 32 to 255 are also seen. This obviously ignores protocols and services that have a TTL of 1, to keep them on a local network, or applications like traceroute or clones that work by setting TTL, and looking for ICMP Type 11 (time exceeded) responses.

Why do you feel that having low TTLs hides things? All it does is limit the range of sites able to connect/respond to them. If you wanted to connect to this host, but set the TTL in the packet to anything less than 5, you're not even going to make it from our border gateway to here, nevermind the ten to twenty _EXTRA_ hops from your ISP to my upstream.

You also appear to be misunderstanding how DNS operates. A quick tutorial can be found in Section 5.1 of the DNS-HOWTO which you can find at

formatting link
For more details, see the O'Reilly book "DNS and BIND" (ISBN 0-596-00158-4 US$45), though it's probably far beyond your needs.

You probably shouldn't be blocking ICMP Type 3 (unreachable), but it's your system, not mine.

You are a dialup. The ONLY service you should have open to the world is authd (or identd) on port 113, and that only if you know sites that you visit need it. This means you don't need to be blocking access to your port 80 (for example), because if you don't run a server on that port, there is nothing there to exploit. For the rest of the _inbound_ stuff, your firewall need only answer one question. "Is this packet a response to something I sent out?" If the answer is no, THEN DROP THE PACKET AND GET ON WITH YOUR LIFE. Outbound rules are a little harder, and must be tailored to what you are doing on the computer. Using the web browser? That means 80 and maybe 443 outbound (or 8080 if using a proxy). Getting news? That's port 119, and you can probably restrict that to the address of your ISP's news server. Receiving mail? That's ports 109, 110, or 443 depending on the protocol used (POP-2, POP-3, IMAP), and you can restrict that to the address of your ISP's mail server. On the other hand, if you are typing a URL into an address field, you are _PROBABLY_ using some web (port 80 or 8080 or 443) server rather than the real thing. Obviously, any internet application needs access to your ISP's name servers because packets are sent to IP addresses, not names.

'Block all' should be the default and always on. Remember, you only use the default when an earlier rule (permit foo) does not exist. Thus, a rule to 'block bar' is unneeded, because it doesn't make a difference _where_ in the ruleset it's blocked, just so long as it _is_ blocked.

Block All Rule should be set to Ignore when you are not debugging a connection problem.

Are you saying 'Block All' doesn't mean Block _ALL_ ??? What happens if someone sends you a protocol Type 2 (IGMP) or Type 92 (MTP) packet? Does your firewall toss up its hands and go into the corner to cry?

Why do you care? The firewall blocked it. Anything else you may do is just wasting CPU cycles, and not providing a useful service to you.

Reply to
Moe Trin

Interesting tool, not something I think I need but I like to check it out anyway, thanks. Yes I have Logs going back a few years. And I've sent my Logs to my ISP who is also their ISP several times before I started probing back. And when I say probe I mean with a Dos Batch File (PCHelp's Trace.bat). I have another copy I added features to like the old Finger, Dig and more. But haven't run that one on them yet.

If they are Honeypots they are broken. Why are they actively probing me ? I didn't probe them and many times I Ignore them for hours before I check them out. And they are all Dialup Accounts.

I wonder if the Web Accelerators that are nothing more than Servers are being abused by Spammers. That would explain all those Zombies with DNS and Web Servers on them with low TTL's to hide the Spammer's Webpage without the User knowing he's a Zombie.

I did and I should have added that was true but MS leaving the door open by default deserves some of the blame too. I should have worded that better, sorry.

I had to turn off type 11 because it kept driving me nuts. The reason I talked about the DNS and Web Server Zombies is I helped someone else with a Spam to trace the Website. But every 5 min it changed IP's and listed 5 at a time. We traced the main DNS Server controlling them but most wouldn't catch on to that.

The low TTL is because the Zombies go on and off line quite often and is why there are several IP for each Website that changes very quickly. I think the Trojan (Migmaf) is used for this. The Zombie DNS Name Servers points the Traffic to the Active Zombie Web Servers. Dragonkill.com. I think was the main server.

I think I found it again.

formatting link

True !

I allow it for my ISP only at the moment but am still undecided about that as I can block that with no effect. I've read pro's and con's on it and haven't made up my mind about it.

Yes and they do. I have no problem with auth, pop, smtp, 80, 8080, etc. The Port 443 I block. I have rules for everything you listed but don't bother to log them after they are set up and sure they do what they are supposed to. Not sure what your point is but I may not have been clear on the allowed rules before.

I always use a Block all except when adding a new App that requires a lot of rules. Even with this feature off I keep the Block All at the end of the List. AtGuard required this but Norton buries this in the help files.

Correct too.

No the Block All (UDP/TCP) works. Without the Block All and the Rules Assistant on sometimes a UDP drops through the list and no action is logged. At least that's what it says in the help files and I've seen it do that once using a log rule at the end of the list.

And my other ICMP Block All works as well and I should have defined that for you before, sorry.

Why not have a info box to list what uses that service both good and bad ? Just like some Files when you click Properties and you get the info Tab.

Reply to

There have been win32 versions for at least several of the last releases.

Not impossible

How do you know they aren't being spoofed, and you are doing the "attack" of their real target for them.

Given that nearly all dialup hosts are run by people who shouldn't be using a computer - I'd certainly believe it. Last I looked at my spam email logs, a third of the spam was coming from r00ted windoze boxes on Comcast and ATT, and only a tiny fraction from professional spam servers in .cn, .it, or .kr.

They are just doing what the sheep that buy it want. A _very_ large percentage of windoze users don't want to know anything, and even the smallest security function that gets in the way of these fools clicking on some icon (about half of which don't even know what the icon means), annoys them. That's why microssoft has included the options of "remember my password", and open (or install) everything by default without asking me stupid questions. It's obviously an enormous security hole, but the sheep don't know (or want to know) or care.

Why bother? Block the stuff and ignore it.

No, but it would waste a lot less of your time, CPU cycles, and diskspace.

Are you sure about that? You might want to run a sniffer while using those tools, and see where the packets are going. Remember, 53 is DNS, and 43 is whois. Neither service found on port 80 of some server.

NSA recommends denying echo, redirect, and netmask, and allowing the rest.

formatting link
I disagree, suggesting that you allow 0, 3, 4 and 11 INBOUND, 3, 4, and 8 OUTBOUND, while denying all else. Some may consider type 4 (Source Quench) as undesirable (possible DOS). YMMV

[compton ~]$ grep -w 443 rfcs/port-numbers
https 443/tcp http protocol over TLS/SSL
https 443/udp http protocol over TLS/SSL
[compton ~]$

Inbound, I'd agree, as you are not running a Secure web site, but outbound? Why?

That's the difference in philosophy between a so-called personal firewall and a real firewall box. We don't worry about applications needing specific access, because we only look at the service and protocol involved. We also don't install rogue applications.

[compton ~]$ egrep '(icmp|tcp|udp)' /etc/protocols
icmp 1 ICMP # internet control message protocol
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
[compton ~]$

That's great, but protocol 6 is not protocol 17, is not protocol 2 or any of the other 135 protocols that can be carried in an IP frame. See

formatting link

As long as it's dropped, and no one on the inside of the firewall is not complaining about broken services, then that's fine.

If you have nothing better to do than to look at each and every packet you see - that's fine. People like me don't have time for that.

You forget that not all of us are running windoze. This system doesn't have a single icon, menu bar, or similar in sight. Or do you think those commands I've been showing are from some exotic section of windoze that you haven't seen before?

Old guy

Reply to
Moe Trin

These are all Dialup Connections that I had no connection with at the time.

True and one of the reasons I asked in this NG if there was a pattern here that could show this or other possibilities. I only do the one scan back and only when the same IP hits me over and over again. They Scan the same Ports 3 times each (2745, 5000, 6129) every few minutes. The Scans usually stop right away or soon after (to complete the Scan Pattern) and don't return with that IP. They sometimes run NetBIOS at the end of a scan after I probe back but lately I've seen them using it at the end of their Scans that they never did before even when I don't probe back.

Doesn't surprise me and I have ATT. The ATT Web Accelerator is like a Web Server and I think could be abused to Host Zombie Web and DNS Servers for Spammers and Crackers.

Many Sheep didn't have a choice because all the new software was comparable only with Windows for the home user. Those of us that wanted to stick with DOS were left high and dry for a long time. But the worm turns. Now Security and Stability have become more of an Issue today and that's come back to bite MS in the butt.

I did but I changed ISP's and turn everything on to see what it's doing. (Why I don't like the ATT Web Accelerator)

Those Rules can be unchecked from the list or I can move the Block All TCP/UDP Rule at the end up above the Trojan List where it won't process them.

I'm not sure why you list port 80 with 53 and 43 ? (I did get a few hits on Port 80 but not sure if it was in the log I Posted and think that only happened once after this.)

A WhoIs uses Whois.exe, Traceroute.exe, Ping.exe, etc. are files and has rules for each in and outbound.

At the moment I only allow Echo Request (out), Reply (in) and Time Exceeded (in). Type 3 I don't think I need and is abused by some ISP's if I remember right.

I added that and a few others to be sure I wasn't sending out and was calling those Dialups to probe me.

I don't have a network here and a Router isn't really a firewall but does a good job filling the holes.

Sorry I first read IGMP as ICMP. My Firewall blocks all IGMP.

True and also if I were on a network. I didn't like not seeing it Logged as Blocked or Permitted though. If I didn't have a Log All Rule at the end of the list to see what went by I would never have known that was happening. AtGuard told you about this and suggested a Block All and or a Log Rule at the end of the list. But NIS hid that info in their help files and then you had to read between the lines about adding a Block All Rule since it said some UDP's drop through.

If you have them turned on all the time yes but when you want as much information on a Port's Services and Abuses.

Never liked windows because security and stability was a joke where they are just now starting to address those problems. DOS wasn't as pretty as Windows but it was a lot more stable.

Right after installing Win9x you have 80 plus errors in 90 plus categories in the registry. Installing programs on an unstable OS with that many errors won't show problems right away but... The more Programs you install the greater the load and Stability becomes a problem.

Well looks like you're the one I should ask this question to. What OS is best to replace Windows for the home User that may or may not be connected to a network. I see Lindows gaining but with so many from Redhat and others which one is best for home use ?

Another Old Guy !:) Kevin

Reply to

Hi Moe,

I forgot to thank you for your replies in my last post. I should have added I was using Win98se.

Thanks again for your replies.


Reply to
