
What is it?


Убить спамера

Apr 18, 2012, 2:05:54 AM

Why do they scan strange DPTs?

SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.81 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=48176 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.134 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=55333 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.81 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=48176 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.134 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=55333 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0

--
Origin: Every philosopher has two philosophies: one directed outward, the other for himself. - J. Toland

Chris Davies

Apr 19, 2012, 3:58:22 AM

"Убить спамера" <d...@null.id> wrote:
> Why do they scan strange DPTs?
> SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0

These look like web requests from DST to SRC. Either your iptables
logging has SRC and DST the wrong way round or else something's trying
to creep through a naive packet filter. I'd be inclined to go with the
former suggestion.

Chris

Убить спамера

Apr 20, 2012, 5:39:52 AM

On Thu, 19 Apr 2012 10:58:22, Chris Davies wrote:
Too many hosts from one network listen on port 80. Is that not strange? Local
processes should not ask the remote side to establish a connection. So why might
the remote side be trying to do that very often? Also, they are trying to connect
to ports in the 30??? range - it is not the dynamic range and nobody listens on
30??? here.

--
Origin: Politics is a theatre: the chorus in it is silent, the troupe paces the wings, until the signal comes from the conductor, barely visible in the orchestra pit. - E. Sevrus

Chris Davies

Apr 20, 2012, 11:52:10 AM

"Убить спамера" <d...@null.id> wrote:
> On Thu, 19 Apr 2012 10:58:22, Chris Davies wrote:
>> "Убить спамера" <d...@null.id> wrote:
>>> Why do they scan strange DPTs?
>>> SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
>>
>> These look like web requests from DST to SRC. Either your iptables
>> logging has SRC and DST the wrong way round or else something's trying
>> to creep through a naive packet filter. I'd be inclined to go with the
>> former suggestion.

> Too many hosts from one network listen on port 80. Is that not strange?

No. Read what I said again. These are almost certainly mis-logged
requests from YOUR system to web servers running on the remote systems
such as 65.49.14.73.

Chris
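
One way to test the reading given in this reply against the log itself, as an added example that is not part of the original thread: parse each netfilter LOG line, look at the TCP flags, and separate replies to connections this host opened from genuine inbound connection attempts. The three sample lines are copied from the first post; the contrast line and the ephemeral port range are assumptions.

```python
from collections import Counter

# Sample lines copied from the first post of this thread (DST already redacted there).
SAMPLE = """\
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
"""
# Constructed line for contrast: a bare SYN to a service port, i.e. a real inbound attempt.
CONSTRUCTED = "SRC=192.0.2.10 DST=x.x.x.x LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"

# Assumption: Linux default net.ipv4.ip_local_port_range; check the host's real value.
EPHEMERAL = range(32768, 61000)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse(line):
    """Split a netfilter LOG line into key=value fields and bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(line):
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    dpt = int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"            # remote side is opening a connection to us
    to_client_port = dpt in EPHEMERAL
    if flags >= {"SYN", "ACK"} and to_client_port:
        return "reply-synack"           # answer to a SYN this host sent
    if "RST" in flags and to_client_port:
        return "reply-rst"              # remote refused or aborted our connection
    return "other"

def summarize(text):
    return Counter(classify(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    print(summarize(SAMPLE + CONSTRUCTED))
```

Only a SYN without ACK opens a connection; SYN+ACK and RST segments arriving from SPT=80 at a high local port are the second half of an exchange that started on this host.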