• What is it?

    From Убить спамера@110:300/1.1 to All on Wed Apr 18 08:05:54 2012
    Why do they scan strange DPTs?

    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.81 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=48176 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.134 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=55333 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.81 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=48176 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.134 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=55333 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.14.96 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=52515 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.170 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=37631 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.159 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=55127 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.178 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=32999 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.156 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=58409 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0
    SRC=65.49.68.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=46204 WINDOW=0 RES=0x00 ACK RST URGP=0


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: 9432 (110:300/1.1@linuxnet)
  • From Chris Davies@110:300/1.1 to All on Thu Apr 19 09:58:22 2012
    Reply-To: chris@roaima.co.uk

    "Убить спамера" <dev@null.id> wrote:
    > Why do they scan strange DPTs?
    > SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF
    > PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0

    These look like web requests from DST to SRC. Either your iptables
    logging has SRC and DST the wrong way round or else something's trying
    to creep through a naive packet filter. I'd be inclined to go with the
    former suggestion.

    Chris

    * Origin: Roaima. Harrogate, North Yorkshire, UK (110:300/1.1@linuxnet)
  • From Убить спамера@110:300/1.1 to Chris Davies on Fri Apr 20 11:39:52 2012
    On Thu., 19 Apr. 2012 10:58:22, Chris Davies wrote:
    > "Убить спамера" <dev@null.id> wrote:
    >> Why do they scan strange DPTs?
    >> SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    >
    > These look like web requests from DST to SRC. Either your iptables
    > logging has SRC and DST the wrong way round or else something's trying
    > to creep through a naive packet filter. I'd be inclined to go with the
    > former suggestion.

    Too many hosts from one network listen on port 80. Is it not strange? Local processes should not ask the remote side to establish a connection. So why might the remote side be trying to do that very often? Also, they are trying to connect to ports in the 30??? range; it is not the dynamic range, and nobody listens on 30??? here.

    * Origin: 1879 (110:300/1.1@linuxnet)
  • From Chris Davies@110:300/1.1 to All on Fri Apr 20 17:52:10 2012
    Reply-To: chris@roaima.co.uk

    "Убить спамера" <dev@null.id> wrote:
    > On Thu., 19 Apr. 2012 10:58:22, Chris Davies wrote:
    >> "Убить спамера" <dev@null.id> wrote:
    >>> Why do they scan strange DPTs?
    >>> SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
    >>
    >> These look like web requests from DST to SRC. Either your iptables
    >> logging has SRC and DST the wrong way round or else something's trying
    >> to creep through a naive packet filter. I'd be inclined to go with the
    >> former suggestion.
    >
    > Too many hosts from one network listen on port 80. Is it not strange?

    No. Read what I said again. These are almost certainly mis-logged
    requests from YOUR system to web servers running on the remote systems
    such as 65.49.14.73.

    Chris

    * Origin: Roaima. Harrogate, North Yorkshire, UK (110:300/1.1@linuxnet)
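
An added example, not part of the thread or written by its participants: a small triage script that reads iptables LOG lines like those posted above and separates new connection attempts (bare SYN, which is what a scan of destination ports would log) from handshake replies (SYN with ACK) and resets. The category names and the third sample line (source 192.0.2.10) are constructed for illustration; the first two sample lines are copied from the first post.

```python
import re
from collections import Counter

# First two lines are from the thread's excerpt; the third (192.0.2.10, bare
# SYN to port 22) is constructed to show what an inbound attempt looks like.
SAMPLE = """\
SRC=65.49.14.73 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51294 WINDOW=5792 RES=0x00 ACK SYN URGP=0
SRC=65.49.68.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=0 DF PROTO=TCP SPT=80 DPT=42882 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=192.0.2.10 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
FLAG_NAMES = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse(line):
    """Return (key=value fields, set of bare TCP flag tokens) for one line."""
    fields = dict(FIELD.findall(line))
    flags = {tok for tok in line.split() if tok in FLAG_NAMES}
    return fields, flags


def classify(line):
    """Label a logged TCP packet by its role in the handshake."""
    fields, flags = parse(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"   # first packet of a handshake
    if "SYN" in flags and "ACK" in flags:
        return "handshake-reply"          # only ever sent in answer to a SYN
    if "RST" in flags:
        return "reset-reply"              # flow refused or torn down
    return "other"


def summarize(text):
    """Count packets per (category, source port) across a log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        if "PROTO=" in line:
            fields, _ = parse(line)
            counts[(classify(line), fields.get("SPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```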