
The tinkerer crews from the East

As far as port scans go, psad is a real godsend. It does not sniff the wire itself: it reads the netfilter log entries that iptables LOG rules write to syslog and correlates the packets that hit a more or less wide range of ports on the server, so it only ever sees what you actually log.
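To make the mechanism concrete, here is an added example (not code from the original post or from the psad project): the LOG rule that feeds psad, followed by a miniature psad-style aggregator that reads iptables log lines and computes, per source, the packet count and the UDP port range, which is what the "Complete UDP range" field in the alerts above summarises. The interface eth1 and the "Generic log entry:" prefix are taken from the alerts; the kernel log lines are constructed for the example, and the thresholds are placeholders, not psad's real danger levels.

```shell
#!/bin/sh
# Added example: the iptables LOG rule psad consumes, plus a minimal
# psad-style aggregation over kernel log lines (constructed sample data).

# 1. psad only sees what netfilter logs. A catch-all LOG rule at the end of
#    INPUT (i.e. after the ACCEPT rules for your real services) records every
#    packet that is about to be dropped. The prefix is the one the alerts
#    above show. Needs root; defined here but not run.
install_log_rule() {
    iptables -A INPUT -i "$1" -j LOG --log-prefix "Generic log entry:" --log-level 6
}

# 2. Constructed kernel log lines in the format the LOG target emits
#    (SRC=, DST=, PROTO=, DPT= ...). Sources are the three from the alerts;
#    the destination 10.0.0.5 is a placeholder.
SAMPLE_LOG='Aug 20 08:59:05 srv kernel: Generic log entry:IN=eth1 OUT= SRC=188.237.169.123 DST=10.0.0.5 LEN=48 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=1024 LEN=28
Aug 20 09:12:11 srv kernel: Generic log entry:IN=eth1 OUT= SRC=188.237.169.123 DST=10.0.0.5 LEN=48 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=17565 LEN=28
Aug 20 09:13:00 srv kernel: Generic log entry:IN=eth1 OUT= SRC=176.102.218.106 DST=10.0.0.5 LEN=48 TTL=48 ID=0 DF PROTO=UDP SPT=40000 DPT=5060 LEN=28
Aug 20 09:13:01 srv kernel: Generic log entry:IN=eth1 OUT= SRC=176.102.218.106 DST=10.0.0.5 LEN=48 TTL=48 ID=0 DF PROTO=UDP SPT=40000 DPT=5061 LEN=28
Aug 20 09:13:02 srv kernel: Generic log entry:IN=eth1 OUT= SRC=176.102.218.106 DST=10.0.0.5 LEN=48 TTL=48 ID=0 DF PROTO=UDP SPT=40000 DPT=17565 LEN=28
Aug 20 09:14:00 srv kernel: Generic log entry:IN=eth1 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 SYN'

# 3. Aggregate UDP hits per source from stdin. Output, one line per source:
#    "SRC packets distinct_ports min-max", most packets first.
udp_scan_summary() {
    awk '
        /Generic log entry:/ && /PROTO=UDP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
            }
            if (src == "" || dpt == "") next
            pkts[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
            if (!(src in lo) || dpt < lo[src]) lo[src] = dpt
            if (!(src in hi) || dpt > hi[src]) hi[src] = dpt
        }
        END {
            for (s in pkts)
                printf "%s %d %d %d-%d\n", s, pkts[s], ports[s], lo[s], hi[s]
        }' | sort -k2,2nr -k1,1
}

# 4. Report sources that touched at least THRESHOLD distinct UDP ports.
#    The threshold is a placeholder; psad has its own danger-level logic.
flag_scanners() {
    threshold="${1:-2}"
    udp_scan_summary | awk -v t="$threshold" '$3 >= t { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | udp_scan_summary
printf '%s\n' "$SAMPLE_LOG" | flag_scanners 3
```

The TCP SYN to port 22 in the sample is ignored by design: the aggregation is per protocol, exactly as psad keeps separate TCP, UDP and ICMP counters in its "Global stats" block.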


This morning, thanks to that tool, I received a pile of emails like these:

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:56:55 2012 =-=-=-=-=-=-=-=-=-=-=-=

 Danger level: [2] (out of 5)

 Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
 iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

 Source: 188.237.169.123
 DNS: host-static-188-237-169-123.moldtelecom.md

 Destination: 10.*.*.*
 DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 08:59:05 2012
 Total email alerts: 9
 Complete UDP range: [1024-17565]
 Syslog hostname: *

 Global stats: chain: interface: TCP: UDP: ICMP:
 INPUT eth1 0 19 0

[+] Whois Information:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '188.237.168.0 - 188.237.175.255'

inetnum: 188.237.168.0 - 188.237.175.255
netname: MOLDTELECOM-NET
descr: JSC "Moldtelecom" S.A.
descr: Chisinau, Moldova
country: MD
admin-c: MLA32-RIPE
tech-c: MLA32-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
remarks: MaxFiber Users, IPMPLS Moldova
mnt-by: MOLDTELECOM-MNT
source: RIPE # Filtered

role: Moldtelecom LIR Adminstrators
remarks:
address: JSC "Moldtelecom" S.A.
address: 10, Stefan cel Mare ave.
address: Chisinau, Moldova
address: MD-2001
phone: +373 22570565
fax-no: +373 22542601
remarks:
admin-c: VSM13-RIPE
tech-c: NM2546-RIPE
nic-hdl: MLA32-RIPE
abuse-mailbox: cert.mtc@moldtelecom.md
remarks:
mnt-by: MOLDTELECOM-MNT
source: RIPE # Filtered

% Information related to '188.237.128.0/18AS8926'

route: 188.237.128.0/18
descr: JSC "Moldtelecom" S.A.
descr: 10, Stefan cel Mare ave.,
descr: MD-2001, Chisinau, Moldova
origin: AS8926
mnt-by: MOLDTELECOM-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.5 (WHOIS2)

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:56:55 2012 =-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:59:31 2012 =-=-=-=-=-=-=-=-=-=-=-=

 Danger level: [2] (out of 5)

 Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
 iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

 Source: 176.102.218.106
 DNS: [No reverse dns info available]

 Destination: 10.*.*.*
 DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 10:03:03 2012
 Total email alerts: 15
 Complete UDP range: [1024-17565]
 Syslog hostname: *

 Global stats: chain: interface: TCP: UDP: ICMP:
 INPUT eth1 0 32 0

[+] Whois Information:
#
# Query terms are ambiguous. The query is assumed to be:
# "n 176.102.218.106"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=176.102.218.106?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 176.0.0.0 - 176.255.255.255
CIDR: 176.0.0.0/8
OriginAS:
NetName: RIPE-176
NetHandle: NET-176-0-0-0-0
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1993-05-01
Updated: 2010-05-18
Ref: http://whois.arin.net/rest/net/NET-176-0-0-0-0

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: hostmaster@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '176.102.192.0 - 176.102.223.255'

inetnum: 176.102.192.0 - 176.102.223.255
netname: FOBOS-NET
descr: Center for Information Technologies "Fobos" Ltd.
country: UA
org: ORG-FOBO2-RIPE
admin-c: AP7848-RIPE
tech-c: AP7848-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: KUTS-MNT
mnt-routes: KUTS-MNT
mnt-domains: KUTS-MNT
source: RIPE # Filtered

organisation: ORG-FOBO2-RIPE
org-name: Center for Information Technologies "Fobos" Ltd.
org-type: OTHER
address: 39800, Ukraine, Poltavsky reg. Komsomolsk, Lenina str., 40
mnt-ref: vissado-mnt
mnt-by: vissado-mnt
source: RIPE # Filtered

person: Andrew Philonenko
address: Lenina str., 41/185
address: Poltava reg
address: 39800 Komsomolsk, Ukraine
phone: +380633131008
fax-no: +380534830742
nic-hdl: AP7848-RIPE
mnt-by: KUTS-MNT
source: RIPE # Filtered

% Information related to '176.102.192.0/19AS39822'

route: 176.102.192.0/19
descr: FobosRoute
origin: AS39822
mnt-by: KUTS-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.5 (WHOIS3)

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:59:31 2012 =-=-=-=-=-=-=-=-=-=-=-=

and again:

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:45:10 2012 =-=-=-=-=-=-=-=-=-=-=-=

 Danger level: [2] (out of 5)

 Scanned UDP ports: [17565: 1 packets, Nmap: -sU]
 iptables chain: INPUT (prefix "Generic log entry:"), 1 packets

 Source: 178.238.218.219
 DNS: [No reverse dns info available]

 Destination: 10.*.*.*
 DNS: [No reverse dns info available]

 Overall scan start: Mon Aug 20 08:59:30 2012
 Total email alerts: 5
 Complete UDP range: [1024-17565]
 Syslog hostname: *

 Global stats: chain: interface: TCP: UDP: ICMP:
 INPUT eth1 0 15 0

[+] Whois Information:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '178.238.218.0 - 178.238.218.255'

inetnum: 178.238.218.0 - 178.238.218.255
netname: EUROLINK
descr: Eurolink Bt.
country: HU
admin-c: LB1142-RIPE
tech-c: LB1142-RIPE
status: ASSIGNED PA
mnt-by: DENINET-MNT
source: RIPE # Filtered

person: Lorant Budavari
address: WLA Interservices Ltd.
address: Margit u. 114.
address: Budapest, 1165
address: Hungary
phone: +36 1 9994294
fax-no: +36 1 4020274
nic-hdl: LB1142-RIPE
source: RIPE # Filtered
mnt-by: DENINET-MNT

% Information related to '178.238.218.0/24AS33947'

route: 178.238.218.0/24
descr: WLA Interservices Ltd.
mnt-by: WLA-NET-MNT
origin: AS33947
mnt-by: DENINET-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.5 (WHOIS1)

=-=-=-=-=-=-=-=-=-=-=-= Mon Aug 20 11:45:10 2012 =-=-=-=-=-=-=-=-=-=-=-=

In short, these are three IP addresses from Eastern Europe, namely:

1) 188.237.169.123 (Moldovan);
2) 176.102.218.106 (Ukrainian);
3) 178.238.218.219 (Hungarian).

These port scans target the UDP transport protocol and its non-well-known ports (i.e. above 1023). Note that all three reports flag the same port, 17565, with a single packet per alert: the "Nmap: -sU" tag is psad's guess at the scanner from the traffic pattern, not a fingerprint of the tool that sent it.

UDP is used above all for real-time audio/video traffic (VoIP, streaming) and by some messaging and gaming clients, because it has no connection setup, acknowledgements or retransmission: less overhead and lower latency, at the cost of reliability.

But why target this protocol in particular? Well, I suppose it is because many software VoIP PBXes are real sieves... and such PBXes use precisely UDP for transport.

The solution? Three little rules added to netfilter's INPUT chain (bear in mind that -A appends after any existing rule, so if the chain already ACCEPTs that traffic the DROP never fires and you need -I to put it at the top; and that rules added this way are lost at reboot unless you save them):

sudo iptables -A INPUT -i eth1 -s 188.237.169.123 -j DROP
sudo iptables -A INPUT -i eth1 -s 176.102.218.106 -j DROP
sudo iptables -A INPUT -i eth1 -s 178.238.218.219 -j DROP
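Three rules are fine for three addresses, but the list grows with every psad email. The following is an added example (not from the original post) of the same block done with one ipset-backed rule, so that adding a source is a single ipset call and the DROP is inserted at the head of INPUT regardless of what else is in the chain. It assumes ipset and iptables are installed, eth1 as in the alerts, and root for a real run; by default it only prints the commands (DRY_RUN=0 applies them). The set name psad_block is an arbitrary choice.

```shell
#!/bin/sh
# Added example: block a growing list of scanner IPs with one ipset rule.
# Safe by default: prints the commands unless DRY_RUN=0.

SET_NAME="psad_block"     # arbitrary set name
IFACE="eth1"              # interface from the psad alerts
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with every octet in 0-255, so a malformed or
# truncated line from a log or email can never turn into a firewall rule.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR == 1 && NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        }
        END { exit ok ? 0 : 1 }'
}

# Create the set (idempotent thanks to -exist) and one DROP rule that
# matches it. -I INPUT 1 puts the rule before any ACCEPT; -C avoids adding
# the rule twice when the function is re-run.
ensure_blockset() {
    run ipset create "$SET_NAME" hash:ip -exist
    if [ "$DRY_RUN" = "1" ] || \
       ! iptables -C INPUT -i "$IFACE" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        run iptables -I INPUT 1 -i "$IFACE" -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# Read addresses from stdin, one per line ('#' comments and blanks allowed),
# validate each one, and add the good ones to the set. Rejected entries are
# reported on stderr and never reach ipset.
block_ips() {
    while IFS= read -r ip; do
        ip="${ip%%#*}"
        ip="$(printf '%s' "$ip" | tr -d ' \t')"
        [ -z "$ip" ] && continue
        if valid_ipv4 "$ip"; then
            run ipset add "$SET_NAME" "$ip" -exist
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done
}

# Demo with the three sources from the alerts above (dry run unless DRY_RUN=0).
ensure_blockset
printf '%s\n' 188.237.169.123 176.102.218.106 178.238.218.219 | block_ips
```

To make the block survive a reboot, dump the set with `ipset save` and restore it before the iptables rules are loaded; the single DROP rule can then live in your normal rules file while the list of offenders is managed separately.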

Note that I spoke of crews because the source IPs of the attack expose no public services (apart from one listening on http/https, but with no index page) and are most likely plain ADSL lines (a bit like our Alice). Finally, supporting my hypothesis is the fact that no domain names are associated with these IPs (apart from the ADSL hostname).

In the end, emailing their ISP would be completely useless, so there is (at least for now) no definitive solution to this plague. So let psad do its dirty work and step in when needed with a few netfilter rules.

See you soon.