Help against Martian please
Frank
duranicub@gmx.net
Sun, 28 Oct 2001 14:43:25 +0100
It really seems so .... I scanned 192.168.0.2 (one of the 2 clients from his
network)
and nmap reported 777/tcp open unknown.
Hihi, it seems he's hacked and this funny thing wants to attack me too ;-)
--
Frank
From: "Brad Chapman" <kakadu_croc@yahoo.com>
> Mr. Frank,
>
> I'm CC'ing this to netfilter, so that others can benefit from our
> discussion.
>
> --- Frank <duranicub@gmx.net> wrote:
> >
> >
> > From: "Brad Chapman" <kakadu_croc@yahoo.com>
> >
> > > Mr. Frank,
> > >
> > > --- Frank <duranicub@gmx.net> wrote:
> > > > Hallo Mr. Brad
> > > >
> > > > I have had a strange and serious problem constantly for 3 days. I asked
> > > > the list but no effective help came from it, and I tortured Google too.
> > > > I read all sites, all manpages, but no solution was found.
> > > > I hope you can help, if you want.
> > > >
> > > > There are 2 switches, 2 persons and 5 boxes.
> > > >
> > > > Network: 192.168.0.0/255.255.255.0
> > > > 0.10 = box of my friend with iptables and Red Hat 7.1, ISDN dial-up
> > > > 0.12 = box of mine with iptables and Red Hat 7.2, ADSL dial-up but always
> > > > connected
> > > > The rest are Windows clients, and before the last 3 days everything with
> > > > us 5 went well.
> > > >
> > > > Switch1 -----Uplink-----Switch2
> > > >   |                |         |
> > > >  0.10            0.12       adsl
> > > >   |                |
> > > >   |       |        |
> > > >  0.2     0.11     0.1
> > >
> > > Ummmm.... was it this?
> > >
> > > Switch1 <---> Uplink <---> Switch2
> > >    |                           |
> > >    |                           |
> > > 192.168.0.10             192.168.0.12
> > >    |                           |
> > >    |                           |
> > > Frank's network          Friend's network
> > >
> > > >
> > > > The only change was on my side, I think: installed RH7, kernel 2.4.13 and
> > > > iptables 2.4.4.
> > > > Everything works like before, but new are the martians in my syslog.
> > > >
> > > > netstat -nr
> > > > Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> > > > 217.5.98.17     0.0.0.0         255.255.255.255 UH     40 0         0 ppp0
> > > > 192.168.0.0     0.0.0.0         255.255.255.0   U      40 0         0 eth0
> > > > 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0         0 lo
> > > > 0.0.0.0         217.5.98.17     0.0.0.0         UG     40 0         0 ppp0
> > > >
> > > > netstat -i
> > > > Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
> > > > eth0   1500   0  508901      0      0      0  482306      0      0      0 BMRU
> > > > lo    16436   0    4123      0      0      0    4123      0      0      0 LRU
> > > > ppp0   1492   0    3616      0      0      0    2642      0      0      0 MOPRU
> > > >
> > > > 217.x.x.x is my ADSL range from my ISP
> > > >
> > > > Syslog:
> > > > Oct 28 13:14:04 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:14:04 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:14:05 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:14:05 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:14:06 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:14:06 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:26:10 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:26:10 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:26:11 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:26:11 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:26:12 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:26:12 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:38:17 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:38:17 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:38:18 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:38:18 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > > Oct 28 13:38:19 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > > Oct 28 13:38:19 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > >
> > > > 00:e0:7d:01:d5:c9:08:06 = THE MAC OF 192.168.0.10
> > >
> > > OK. Who is 145.254.202.177? It seems to me that either your friend's
> > > system is misconfigured, a M$ Win32 zombie is spewing packets somewhere,
> > > or else somebody is trying to spoof their way into your network (and
> > > failing miserably :))))))
> >
> >
> > 145.254.202.177 is the range from HIS ISP.
> > Yeah, that's the question: is it an attack or a misconfigured system of
> > ours?
>
> Well, if it's coming from HIS ADSL address range, then it's probably a
> spoof attack from a zombie on his network. Or, one of his systems has
> been compromised.
>
> >
> >
> > > > cat /proc/net/ip_conntrack
> > > >
> > > > tcp 6 426289 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=40493 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=40493 dport=46228 use=1
> > > > tcp 6 426283 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=36172 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=36172 dport=46228 use=1
> > > > tcp 6 426278 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=42050 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=42050 dport=46228 use=1
> > >
> > > Yup. This confirms it. Looks like a M$ Win32 zombie to me, although
> > > why your friend's firewall isn't at least NATting it....... Hmmm......
> >
> > Yes. He uses masquerading, like me.
> >
> > >Not your friend. Probably one of his systems. LISB, there may be a
> > > zombie somewhere behind his ADSL link. ITM, just do this:
> > >
> > > iptables -t mangle -A PREROUTING -s 145.254.202.177 -j DROP
> >
> > Yes, but he has dynamic IPs.
>
> Yuck. Well, then, I suggest you make the matter even clearer to him ;)
>
> >
> > > Then rag on your friend until he either smashes his systems or scans
> > > them for zombies ;)
> >
> > OK, but how can he or I do this? Especially with Windowzes ;-)
>
> IIRC, Norton AntiVirus will find Trojans. A free firewall like ZoneAlarm
> for Win32 systems, AFAIK, could also block Trojan attacks.
>
> >
> >
> > Greetz and Thanks
> >
> > Frank
> >
>
> Brad
>
>
> =====
> Brad Chapman
>
> Permanent e-mail: kakadu_croc@yahoo.com
> Current e-mail: kakadu@adelphia.net
> Alternate e-mail: kakadu@netscape.net
>
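An added example, written for this page and not code from Frank, Brad or the netfilter project, that decodes the two artefacts quoted in the thread: the kernel's "martian source" / "ll header" pairs and the ip_conntrack lines. Two facts a reader needs to make sense of the log: the 2.4 kernel prints the destination address first ("martian source <dst> from <src>"), so the dropped packets claimed source 145.254.202.177 and were addressed to 192.168.0.12; and the 14-byte ll header dump is the Ethernet header, dst MAC (6), src MAC (6), Ethertype (2), so 00:e0:7d:01:d5:c9 is the sending MAC and 08:06 is the Ethertype, which is the value registered for ARP. The reverse-path check that rp_filter performs is re-done against the route table from the thread's netstat -nr output: 145.254.202.177 only matches the default route via ppp0, so a packet with that source arriving on eth0 is a martian. The sample log, route and conntrack lines are copied from the mails above; the regexes and the 2.4 formats they assume are mine.

```python
import ipaddress
import re

# Constructed sample: two of the syslog line pairs quoted in the thread.
MARTIAN_LOG = """\
Oct 28 13:14:04 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
Oct 28 13:14:04 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
Oct 28 13:14:05 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
Oct 28 13:14:05 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
"""

# Constructed from the thread's 'netstat -nr' output: (destination, genmask, iface).
ROUTES = [
    ("217.5.98.17", "255.255.255.255", "ppp0"),
    ("192.168.0.0", "255.255.255.0", "eth0"),
    ("127.0.0.0", "255.0.0.0", "lo"),
    ("0.0.0.0", "0.0.0.0", "ppp0"),
]

# Constructed sample: the three /proc/net/ip_conntrack lines quoted in the thread.
CONNTRACK = """\
tcp 6 426289 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=40493 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=40493 dport=46228 use=1
tcp 6 426283 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=36172 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=36172 dport=46228 use=1
tcp 6 426278 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=42050 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=42050 dport=46228 use=1
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
# Regexes are assumptions matching the 2.4-era formats shown above.
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ([0-9a-f:]+)")
CT_RE = re.compile(r"^(\w+)\s+\d+\s+(\d+)\s+(\w+)\s+src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)(.*)$")


def route_iface(ip, routes=ROUTES):
    """Longest-prefix match over the route table; returns the egress interface.
    This is the lookup rp_filter performs on a packet's *source* address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dest, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def decode_ll_header(hexbytes):
    """Split the 14-byte Ethernet header dump into dst MAC, src MAC and Ethertype."""
    octets = hexbytes.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets, got {len(octets)}")
    dst_mac, src_mac = ":".join(octets[:6]), ":".join(octets[6:12])
    ethertype = int("".join(octets[12:]), 16)
    return {
        "dst_mac": dst_mac,
        "src_mac": src_mac,
        "broadcast": dst_mac == "ff:ff:ff:ff:ff:ff",
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def parse_martians(log, routes=ROUTES):
    """Pair each 'martian source' line with the 'll header' line that follows it.
    The 2.4 kernel prints the destination first: 'martian source <dst> from <src>'."""
    events, pending = [], None
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            pending.update(decode_ll_header(h.group(1)))
            # rp_filter: the source must be reachable via the interface it arrived on.
            pending["expected_dev"] = route_iface(pending["src_ip"], routes)
            pending["rp_filter_fail"] = pending["expected_dev"] != pending["dev"]
            events.append(pending)
            pending = None
    return events


def parse_conntrack(text):
    """Parse 2.4-style ip_conntrack lines; 'unreplied' means no packet ever came back."""
    entries = []
    for line in text.splitlines():
        m = CT_RE.match(line)
        if not m:
            continue
        entries.append({
            "proto": m.group(1), "timeout": int(m.group(2)), "state": m.group(3),
            "src": m.group(4), "dst": m.group(5),
            "sport": int(m.group(6)), "dport": int(m.group(7)),
            "unreplied": "[UNREPLIED]" in m.group(8),
        })
    return entries


def correlate(events, entries):
    """Peer addresses that are both a martian source and an unanswered conntrack peer."""
    martian_src = {e["src_ip"] for e in events}
    ct_peers = {c["dst"] for c in entries if c["unreplied"]}
    return sorted(martian_src & ct_peers)
```

Running parse_martians(MARTIAN_LOG) on the quoted lines gives, for every event, src_mac 00:e0:7d:01:d5:c9, a broadcast destination MAC, Ethertype 0x0806 (ARP), expected_dev ppp0 against an actual dev of eth0, so rp_filter_fail is true; correlate() then shows that the same peer, 145.254.202.177, is the unanswered dst in all three conntrack entries, which is the cross-check a practitioner would want before deciding between a misconfiguration and something hostile.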