# Possible attack?



## Ricky (Jul 19, 2012)

Hi, 
Since this morning my IPFW has been going like crazy.

Last night I added a few new rules that seem pretty cool, and since then I'm getting a lot of connections closed, etc.

Here is my /var/log/security

```
Jul 19 14:02:53 o062 kernel: ipfw: 15 Accept TCP 79.143.176.199:57286 85.114.130.62:445 in via re0
Jul 19 14:03:36 o062 kernel: ipfw: 15 Accept TCP 85.114.164.34:42409 85.114.130.62:23 in via re0
Jul 19 14:03:43 o062 kernel: ipfw: 15 Accept TCP 186.111.4.244:51435 85.114.130.62:445 in via re0
Jul 19 14:03:46 o062 kernel: ipfw: 15 Accept TCP 186.111.4.244:51435 85.114.130.62:445 in via re0
Jul 19 14:06:52 o062 kernel: ipfw: 15 Accept TCP 85.114.164.34:59332 85.114.130.62:23 in via re0
Jul 19 14:08:32 o062 kernel: ipfw: 15 Accept TCP 85.114.181.196:37062 85.114.130.62:23 in via re0
Jul 19 14:10:17 o062 kernel: ipfw: 15 Accept TCP 85.114.181.196:51922 85.114.130.62:23 in via re0
Jul 19 14:11:29 o062 kernel: ipfw: 15 Accept TCP 79.143.176.199:59721 85.114.130.62:445 in via re0
Jul 19 14:12:40 o062 kernel: ipfw: 15 Accept TCP 118.120.9.10:33626 85.114.130.62:1080 in via re0
Jul 19 14:12:43 o062 kernel: ipfw: 15 Accept TCP 118.120.9.10:33626 85.114.130.62:1080 in via re0
Jul 19 14:14:00 o062 kernel: ipfw: 15 Accept TCP 86.106.82.15:4315 85.114.130.62:445 in via re0
Jul 19 14:14:03 o062 kernel: ipfw: 15 Accept TCP 86.106.82.15:4315 85.114.130.62:445 in via re0
Jul 19 14:19:30 o062 kernel: ipfw: 15 Accept TCP 79.143.176.199:52155 85.114.130.62:445 in via re0
Jul 19 14:19:41 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62505 85.114.130.62:80 in via re0
Jul 19 14:19:41 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62506 85.114.130.62:80 in via re0
Jul 19 14:19:41 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62507 85.114.130.62:80 in via re0
Jul 19 14:19:44 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62505 85.114.130.62:80 in via re0
Jul 19 14:19:44 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62506 85.114.130.62:80 in via re0
Jul 19 14:19:44 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62507 85.114.130.62:80 in via re0
Jul 19 14:19:50 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62513 85.114.130.62:80 in via re0
Jul 19 14:19:50 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62512 85.114.130.62:80 in via re0
Jul 19 14:19:50 o062 kernel: ipfw: 15 Accept TCP 188.83.235.212:62514 85.114.130.62:80 in via re0
Jul 19 14:25:07 o062 kernel: ipfw: 15 Accept TCP 61.51.140.221:52238 85.114.130.62:3389 in via re0
Jul 19 14:26:19 o062 kernel: ipfw: 15 Accept TCP 186.49.46.195:2885 85.114.130.62:445 in via re0
Jul 19 14:27:34 o062 kernel: ipfw: 15 Accept TCP 79.143.176.199:54590 85.114.130.62:445 in via re0
Jul 19 14:35:44 o062 kernel: ipfw: 15 Deny TCP 79.143.176.199:57025 85.114.130.62:445 in via re0
Jul 19 14:36:14 o062 kernel: ipfw: 15 Deny TCP 61.164.150.81:6000 85.114.130.62:1433 in via re0
Jul 19 14:40:46 o062 kernel: ipfw: 15 Deny TCP 87.97.240.150:2355 85.114.130.62:445 in via re0
Jul 19 14:40:49 o062 kernel: ipfw: 15 Deny TCP 87.97.240.150:2355 85.114.130.62:445 in via re0
Jul 19 14:43:16 o062 kernel: ipfw: 15 Deny TCP 79.143.176.199:59460 85.114.130.62:445 in via re0
Jul 19 14:51:19 o062 kernel: ipfw: 15 Deny TCP 58.218.199.250:12200 85.114.130.62:8090 in via re0
Jul 19 14:51:19 o062 kernel: ipfw: limit 5 reached on entry 15
```

As you can see, I changed the rule that was allowing TCP at 14:27.

Here is my /var/log/messages

```
Jul 19 14:00:00 o062 kernel: TCP: [127.0.0.1]:44051 to [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:00:00 o062 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:28335
Jul 19 14:02:53 o062 kernel: TCP: [79.143.176.199]:57286 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:03:36 o062 kernel: TCP: [85.114.164.34]:42409 to [85.114.130.62]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:03:43 o062 kernel: TCP: [186.111.4.244]:51435 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:03:46 o062 kernel: TCP: [186.111.4.244]:51435 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:06:52 o062 kernel: TCP: [85.114.164.34]:59332 to [85.114.130.62]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:08:32 o062 kernel: TCP: [85.114.181.196]:37062 to [85.114.130.62]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:10:17 o062 kernel: TCP: [85.114.181.196]:51922 to [85.114.130.62]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:11:29 o062 kernel: TCP: [79.143.176.199]:59721 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:12:40 o062 kernel: TCP: [118.120.9.10]:33626 to [85.114.130.62]:1080 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:12:43 o062 kernel: TCP: [118.120.9.10]:33626 to [85.114.130.62]:1080 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:14:00 o062 kernel: TCP: [86.106.82.15]:4315 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:14:03 o062 kernel: TCP: [86.106.82.15]:4315 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:30 o062 kernel: TCP: [79.143.176.199]:52155 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:41 o062 kernel: TCP: [188.83.235.212]:62505 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:41 o062 kernel: TCP: [188.83.235.212]:62506 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:41 o062 kernel: TCP: [188.83.235.212]:62507 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:44 o062 kernel: TCP: [188.83.235.212]:62505 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:44 o062 kernel: TCP: [188.83.235.212]:62506 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:44 o062 kernel: TCP: [188.83.235.212]:62507 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:50 o062 kernel: TCP: [188.83.235.212]:62513 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:50 o062 kernel: TCP: [188.83.235.212]:62512 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:50 o062 kernel: TCP: [188.83.235.212]:62514 to [85.114.130.62]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:25:07 o062 kernel: TCP: [61.51.140.221]:52238 to [85.114.130.62]:3389 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:26:19 o062 kernel: TCP: [186.49.46.195]:2885 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:27:34 o062 kernel: TCP: [79.143.176.199]:54590 to [85.114.130.62]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:51:19 o062 kernel: ipfw: limit 5 reached on entry 15
```

I would like to ask someone more experienced: are they trying to brute force or something like that?

My rules are great (I guess) because they don't allow anyone to connect to SSH, etc. except me. Although I also changed the number of ports.

As you can see, I'm receiving a lot of connection attempts to port 445. I searched for a while on Google and found out that it is used by Samba, which I don't really know much about.

Please tell me what you think.

Thank you.


----------



## SirDice (Jul 19, 2012)

Getting scanned is, unfortunately, just part of being online. You might want to review your rules though. Start by blocking _everything_ incoming and only open what you really need.
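
Added example, not from the thread or from any of the posters: a small Python triage of the two log formats quoted above. It parses the ipfw `log` lines from /var/log/security and the kernel's "Connection attempt to closed port" notices from /var/log/messages, joins them on the (src, sport, dst, dport) tuple, and reports which accepted packets hit a port nothing was listening on, which ports are being probed from more than one source, and whether a rule's log limit was reached. The sample lines are constructed in the thread's format; the addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) standing in for the real ones.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the two formats from the thread (documentation addresses).
SECURITY_LOG = """\
Jul 19 14:02:53 o062 kernel: ipfw: 15 Accept TCP 198.51.100.7:57286 192.0.2.10:445 in via re0
Jul 19 14:03:36 o062 kernel: ipfw: 15 Accept TCP 203.0.113.34:42409 192.0.2.10:23 in via re0
Jul 19 14:03:43 o062 kernel: ipfw: 15 Accept TCP 198.51.100.9:51435 192.0.2.10:445 in via re0
Jul 19 14:03:46 o062 kernel: ipfw: 15 Accept TCP 198.51.100.9:51435 192.0.2.10:445 in via re0
Jul 19 14:12:40 o062 kernel: ipfw: 15 Accept TCP 203.0.113.80:33626 192.0.2.10:1080 in via re0
Jul 19 14:19:41 o062 kernel: ipfw: 15 Accept TCP 203.0.113.212:62505 192.0.2.10:80 in via re0
Jul 19 14:25:07 o062 kernel: ipfw: 15 Accept TCP 198.51.100.221:52238 192.0.2.10:3389 in via re0
Jul 19 14:35:44 o062 kernel: ipfw: 15 Deny TCP 198.51.100.7:57025 192.0.2.10:445 in via re0
Jul 19 14:36:14 o062 kernel: ipfw: 15 Deny TCP 203.0.113.81:6000 192.0.2.10:1433 in via re0
Jul 19 14:51:19 o062 kernel: ipfw: limit 5 reached on entry 15
Jul 19 19:35:22 o062 kernel: ipfw: 14 Deny ICMP:8.0 203.0.113.142 192.0.2.10 in via re0
"""
MESSAGES_LOG = """\
Jul 19 14:00:00 o062 kernel: TCP: [127.0.0.1]:44051 to [127.0.0.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:00:00 o062 kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:28335
Jul 19 14:02:53 o062 kernel: TCP: [198.51.100.7]:57286 to [192.0.2.10]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:03:36 o062 kernel: TCP: [203.0.113.34]:42409 to [192.0.2.10]:23 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:03:43 o062 kernel: TCP: [198.51.100.9]:51435 to [192.0.2.10]:445 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:12:40 o062 kernel: TCP: [203.0.113.80]:33626 to [192.0.2.10]:1080 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:19:41 o062 kernel: TCP: [203.0.113.212]:62505 to [192.0.2.10]:80 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Jul 19 14:25:07 o062 kernel: TCP: [198.51.100.221]:52238 to [192.0.2.10]:3389 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
"""

# ipfw "log" line: rule number, action, protocol (ICMP carries type.code), endpoints, direction.
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>[\w:.]+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")
# Kernel notice that a SYN reached a port with no listener (the host answered with a RST).
CLOSED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: TCP: \[(?P<src>[\d.]+)\]:(?P<sport>\d+) "
    r"to \[(?P<dst>[\d.]+)\]:(?P<dport>\d+) tcpflags .*Connection attempt to closed port$"
)


def parse_ipfw(text):
    """Return (events, limit_notices) from ipfw log output; ports are ints or None."""
    events, limits = [], []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            ev["sport"] = int(ev["sport"]) if ev["sport"] else None
            ev["dport"] = int(ev["dport"]) if ev["dport"] else None
            events.append(ev)
            continue
        m = LIMIT_RE.search(line)
        if m:
            limits.append((int(m.group("rule")), int(m.group("limit"))))
    return events, limits


def parse_closed_ports(text):
    """Set of (src, sport, dst, dport) SYNs that hit a closed port, loopback excluded."""
    hits = set()
    for line in text.splitlines():
        m = CLOSED_RE.match(line)
        if m and not m.group("src").startswith("127."):
            hits.add((m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))))
    return hits


def triage(security_text, messages_text, min_sources=2):
    """Summarise inbound TCP probes and correlate accepted ones with closed-port notices."""
    events, limits = parse_ipfw(security_text)
    closed = parse_closed_ports(messages_text)
    inbound = [e for e in events if e["dir"] == "in" and e["proto"] == "TCP"]

    sources_per_port = defaultdict(set)
    for e in inbound:
        sources_per_port[e["dport"]].add(e["src"])

    # Accepted by the firewall, then rejected by the kernel: the scanner got a RST,
    # i.e. a clear "host up, port closed" answer that a deny rule would not have given.
    accepted_to_closed = sorted({
        (e["src"], e["dport"]) for e in inbound
        if e["action"] == "Accept" and (e["src"], e["sport"], e["dst"], e["dport"]) in closed
    })
    return {
        "by_source": Counter(e["src"] for e in inbound),
        "by_port": Counter(e["dport"] for e in inbound),
        "scanned_ports": sorted(p for p, s in sources_per_port.items() if len(s) >= min_sources),
        "accepted_to_closed": accepted_to_closed,
        "log_limit_hit": sorted({rule for rule, _ in limits}),
    }


if __name__ == "__main__":
    for key, value in triage(SECURITY_LOG, MESSAGES_LOG).items():
        print(f"{key}: {value}")
```

What the output shows for this sample is the pattern of an internet background scan rather than a brute-force attempt: one or two SYNs per source per port, spread over 445, 23, 1080, 3389 and 1433, and not a single completed connection. Every "Accept" on rule 15 that is paired with a closed-port notice means the firewall passed the SYN and the kernel answered it with a RST; a deny rule drops the packet and tells the scanner nothing. The "limit 5 reached on entry 15" line means rule 15 hit its per-rule logging cap (net.inet.ip.fw.verbose_limit, or the rule's own logamount); later matches are still counted but no longer logged until `ipfw resetlog` is run, so a quiet log does not mean the probes stopped.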


----------



## Ricky (Jul 19, 2012)

I found a very interesting line...

```
Jul 19 19:35:22 o062 kernel: ipfw: 14 Deny ICMP:8.0 195.5.50.142 85.114.130.62 in via re0
```

Is it possible that they are already inside the network?


----------



## kpa (Jul 19, 2012)

ICMP type 8 is echo request, aka standard ping(8). From the looks of it your firewall denied the packet; where is the problem?


----------



## SirDice (Jul 20, 2012)

Yep, just a regular ping from someone on the internet. 

I'm more concerned about lines like these:

```
Jul 19 14:02:53 o062 kernel: ipfw: 15 Accept TCP 79.143.176.199:57286 85.114.130.62:445 in via re0
Jul 19 14:03:36 o062 kernel: ipfw: 15 Accept TCP 85.114.164.34:42409 85.114.130.62:23 in via re0
```

As they show, your firewall is accepting connections to ports 445 and 23. Not really what you want. They should be blocked.


----------



## Ricky (Jul 20, 2012)

Never mind about the 195.5.50.142. I thought it was starting with 192.XXX.XXX.XXX, lol. My bad.

@SirDice, I already changed that rule and they are all being blocked. I also decided to stop logging that rule because it is filling my security file really badly.

I just have one question. How exactly does check-state behave? I've been reading a lot on the internet but I'm still not very sure what dynamic rules are, etc. I know that after that one, if any matching rule is found, the search ends.

But what if I have some rules before it? Even if the connection matches one of those rules, does it just keep searching?
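
Added example, not from the thread or from either poster, covering both SirDice's advice (block everything incoming, open only what is really needed) and the check-state question: a default-deny, stateful ipfw ruleset written as a shell script in the usual /etc/ipfw.rules style. The interface name re0 is taken from the log lines; the admin address 203.0.113.10 (a documentation address), the SSH port and the web ports are assumptions, set through variables. On check-state itself: rules are still evaluated strictly in number order, so rules placed before the check-state rule are tried first and a match there ends the search as usual. When the check-state rule is reached, the packet is compared against the dynamic table (the entries that keep-state rules create); if an entry matches, the action of the rule that created it is applied and the search ends, otherwise the packet simply falls through to the next numbered rule. A keep-state rule also performs this dynamic-table check implicitly when no check-state rule precedes it.

```sh
#!/bin/sh
# Added example (not from the thread): a default-deny, stateful ipfw ruleset.
# Assumptions: external interface re0 (as in the logs), one admin host that may
# reach SSH, and a web server on 80/443. Adjust the variables to fit the host.
#   ./ipfw-rules.sh        prints the ruleset
#   ./ipfw-rules.sh apply  flushes the running rules and loads this set (needs root)

IF=${IF:-re0}
ADMIN=${ADMIN:-203.0.113.10}   # documentation address standing in for "my" IP
SSH_PORT=${SSH_PORT:-22}
WEB_PORTS=${WEB_PORTS:-80,443}
IPFW=${IPFW:-/sbin/ipfw}

build_rules() {
    cat <<EOF
# loopback traffic only on lo0; nothing on the wire may claim a loopback address
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any

# check-state: if the packet matches an entry in the dynamic table, the action
# of the rule that created that entry is applied and the search ends.
# Otherwise the packet falls through to rule 300 and onwards.
add 200 check-state

# outbound from this host: keep-state creates the dynamic entry that later
# lets the replies back in through rule 200
add 300 allow tcp from me to any out via $IF setup keep-state
add 310 allow udp from me to any out via $IF keep-state
add 320 allow icmp from me to any out via $IF keep-state

# inbound: only the services that really need to be reachable.
# "setup" matches only the SYN of a new connection; the rest rides on state.
add 400 allow tcp from $ADMIN to me $SSH_PORT in via $IF setup keep-state
add 410 allow tcp from any to me $WEB_PORTS in via $IF setup keep-state

# everything else (445, 23, 1080, 1433, 3389, ...) is dropped and logged
add 65000 deny log ip from any to any
EOF
}

apply_rules() {
    tmp=$(mktemp) || return 1
    build_rules > "$tmp"
    # ipfw reads rule commands from a file; flush the old set first
    "$IPFW" -q -f flush && "$IPFW" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# checks to run before loading: the last rule is a deny, and no inbound allow
# mentions a port we did not intend to expose
rule_count() { build_rules | grep -c '^add '; }
last_rule_is_deny() { build_rules | grep '^add ' | tail -n 1 | grep -q ' deny '; }
allows_inbound_port() { build_rules | grep '^add ' | grep -Eq " allow .* to me ([0-9]+,)*$1( |,)"; }

case "${1:-print}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

With this ordering the scan traffic from the thread never reaches an allow rule: a SYN to 445 or 23 is not in the dynamic table, so rule 200 passes it on, rules 300 to 410 do not match, and rule 65000 drops and logs it. Dropping the logging from the catch-all, as Ricky did, keeps the file quiet at the cost of losing the scan record; an alternative that keeps some evidence is `deny log logamount 100` and a periodic `ipfw resetlog`.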


----------

