Bored... so I'm staring at pflog outputs
kbeezie Member
edited November 2012 in General

Got around to tweaking my pf.conf (openbsd packet filter)... so just having fun checking out the tcpdumps on the pflog. These are blocks to my blog (kbeezie.com), guessing the ones blocked on port 80 are because either 1) they're spoofed IPs (no private addresses should be coming into em0) or 2) didn't want to keep a stated connection.

rule 5..16777216/0(match): block in on em0: 192.168.1.76.57674 > 198.15.125.186.80: Flags [F.], seq 489620656, ack 866004963, win 65340, length 0

rule 5..16777216/0(match): block in on em0: 192.168.1.76.57679 > 198.15.125.186.80: Flags [F.], seq 3577161372, ack 4009132777, win 64160, length 0
rule 5..16777216/0(match): block in on em0: 192.168.1.76.57678 > 198.15.125.186.80: Flags [F.], seq 3876337204, ack 905712944, win 65340, length 0
rule 5..16777216/0(match): block in on em0: 192.168.1.76.57674 > 198.15.125.186.80: Flags [F.], seq 0, ack 1, win 65340, length 0
.... times about 50 ...

rule 5..16777216/0(match): block in on em0: 109.163.226.162.80 > 198.15.125.186.1234: Flags [S.], seq 487012001, ack 1, win 8192, options [mss 1460], length 0

rule 5..16777216/0(match): block in on em0: 5.9.82.233.50163 > 198.15.125.186.80: Flags [F.], seq 1770610924, ack 3395270700, win 15544, length 0
rule 5..16777216/0(match): block in on em0: 10.0.1.232.2714 > 198.15.125.186.80: Flags [F.], seq 3232765696, ack 2695336703, win 65535, length 0
rule 5..16777216/0(match): block in on em0: 10.0.1.232.2709 > 198.15.125.186.80: Flags [F.], seq 643967895, ack 4225274177, win 64961, length 0
rule 5..16777216/0(match): block in on em0: 10.0.1.232.2706 > 198.15.125.186.80: Flags [F.], seq 2818177542, ack 2290535852, win 64970, length 0
rule 5..16777216/0(match): block in on em0: 10.0.1.232.2715 > 198.15.125.186.80: Flags [F.], seq 2733944645, ack 2242683525, win 64703, length 0
rule 5..16777216/0(match): block in on em0: 10.0.1.232.2709 > 198.15.125.186.80: Flags [F.], seq 0, ack 1, win 64961, length 0
... times like 100 ...

erm I don't even have 443/https listening on there

rule 5..16777216/0(match): block in on em0: 204.236.166.48.46111 > 198.15.125.186.443: Flags [S], seq 748651397, win 5840, options [mss 1460,sackOK,TS[|tcp]>
rule 5..16777216/0(match): block in on em0: 173.12.247.27.63866 > 198.15.125.186.5038: Flags [S], seq 3715381994, win 3072, options [mss 1460], length 0

not even running a mail server either so...

rule 5..16777216/0(match): block in on em0: 123.54.189.192.2602 > 198.15.125.186.25: Flags [S], seq 2170140007, win 65535, options [mss 1400,nop,nop,sackOK], length 0
rule 5..16777216/0(match): block in on em0: 5.9.82.233.55075 > 198.15.125.186.80: Flags [F.], seq 1808562582, ack 4101857880, win 15544, length 0

hello NetBIOS...

rule 5..16777216/0(match): block in on em0: 178.233.159.223.137 > 198.15.125.186.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
rule 5..16777216/0(match): block in on em0: 178.233.159.223.137 > 198.15.125.186.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
rule 5..16777216/0(match): block in on em0: 178.233.159.223.137 > 198.15.125.186.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

another private range...

rule 5..16777216/0(match): block in on em0: 192.168.0.1.55704 > 198.15.125.186.80: Flags [F.], seq 2709748824, ack 3666096797, win 14600, length 0
rule 5..16777216/0(match): block in on em0: 192.168.0.1.55704 > 198.15.125.186.80: Flags [F.], seq 0, ack 1, win 14600, length 0
rule 5..16777216/0(match): block in on em0: 192.168.0.1.55704 > 198.15.125.186.80: Flags [F.], seq 0, ack 1, win 14600, length 0

riiiight like I'm gonna leave my VNC running on 5900...

rule 5..16777216/0(match): block in on em0: 175.99.91.117.25287 > 198.15.125.186.5900: Flags [S], seq 715623204, win 65535, options [mss 1380,nop,nop,nop,nop], length 0

Earlier today I noticed there were quite a few attempts on the typical cpanel/whm and solusvm ports :D Wasn't expecting so many scans/attempts in just the last couple hours.
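As an added example (not from the thread or from pf itself), a short Python script that parses tcpdump-on-pflog lines in the format quoted above and buckets them the way the post reasons about them: private source addresses arriving on the external interface, TCP segments that hit the block rule because no state entry matched them, and bare SYNs to ports the box does not serve. The sample lines are constructed from the ones in the post; the interface name em0 and the set of listening ports are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the post: em0 faces the Internet and only HTTP is served.
EXTERNAL_IFACE = "em0"
LISTENING_PORTS = {80}

# Constructed sample lines, modelled on the tcpdump-on-pflog output quoted in the post.
SAMPLE_LOG = """\
rule 5..16777216/0(match): block in on em0: 192.168.1.76.57674 > 198.15.125.186.80: Flags [F.], seq 489620656, ack 866004963, win 65340, length 0
rule 5..16777216/0(match): block in on em0: 5.9.82.233.50163 > 198.15.125.186.80: Flags [F.], seq 1770610924, ack 3395270700, win 15544, length 0
rule 5..16777216/0(match): block in on em0: 109.163.226.162.80 > 198.15.125.186.1234: Flags [S.], seq 487012001, ack 1, win 8192, options [mss 1460], length 0
rule 5..16777216/0(match): block in on em0: 204.236.166.48.46111 > 198.15.125.186.443: Flags [S], seq 748651397, win 5840, options [mss 1460,sackOK,TS[|tcp]>
rule 5..16777216/0(match): block in on em0: 175.99.91.117.25287 > 198.15.125.186.5900: Flags [S], seq 715623204, win 65535, options [mss 1380,nop,nop,nop,nop], length 0
rule 5..16777216/0(match): block in on em0: 178.233.159.223.137 > 198.15.125.186.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
"""

# "rule N..M/0(match): block in on IFACE: SRC.SPORT > DST.DPORT: <protocol detail>"
LINE_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")

def classify(line):
    """Describe one blocked packet; None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    fm = FLAGS_RE.search(m["rest"])
    flags = fm.group(1) if fm else ""
    if m["iface"] == EXTERNAL_IFACE and src.is_private:
        verdict = "private-source-on-wan"   # RFC 1918 etc. cannot legitimately come from the Internet
    elif flags == "S":                      # bare SYN: a new connection attempt
        verdict = "syn-to-closed-port" if dport not in LISTENING_PORTS else "syn-to-open-port"
    elif flags:                             # FIN/ACK, SYN/ACK...: no state entry matched
        verdict = "tcp-without-state"
    elif "NBT" in m["rest"]:
        verdict = "netbios-query"
    else:
        verdict = "other"
    return {"src": str(src), "dport": dport, "flags": flags, "verdict": verdict}

def summarize(log_text):
    # Count blocked packets per verdict across a whole dump.
    return dict(Counter(r["verdict"] for r in map(classify, log_text.splitlines()) if r))
```

Feed it the real dump with something like `summarize(open("pflog.txt").read())` to see at a glance how much of the noise is bogon sources versus stateless stragglers versus outright port probes.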

Comments

  • block in on em0: 173.242.123.157.5080 > 198.15.125.186.5060: SIP, length: 419

    SIP... isn't that VoIP related?

  • Asad Member
    edited November 2012

    @kbeezie said: SIP... isn't that VoIP related?

    Yep, 5060 is the default port for SIP connections. Probably scanning for open SIP lines so they can connect and call out to premium numbers.

  • Meh... why does China get the good short IPs... 1.202.213.34 (another one scanning for SIP)
