Author Topic: have an interesting situation here

Offline DAMIEN1307

have an interesting situation here
« on: October 28, 2017, 02:51:33 am »
hi guys ...hope you can add to my knowledge base here...checked my router activity and found the following

"SYN with Data from IP 210.44.14.14 port 51927 to IP 69.128.xxx.xxx port 1433 dr"...this has been found in the firewall section of my router firewall as being blocked 2 times now over the past 4 days...gufw is also active on all my systems as Public and Deny all incoming traffic...all computer systems here are running Linux-based systems, LM 18.2 Cinnamon and Peppermint 8, all updates applied, and both browsers are Slimjet and Opera, fully up to date, using StartPage as the search engine in both

when i traced the IP, i got the following

ISP   Shandong Normal University
Usage Type   University/College/School
Domain Name   sdnu.edu.cn
Country    China
City   Jinan, Shandong

this IP address is listed on the "Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed"

I am assuming that this is a port probe that has been blocked by the NAT firewall...there is no log in gufw so I assume the NAT took care of this...why would the Chinese be interested in me...DAMIEN
« Last Edit: October 28, 2017, 04:20:43 am by DAMIEN1307 »
ORDO AB CHAO

Offline murraymint

Re: have an interesting situation here
« Reply #1 on: October 28, 2017, 03:36:09 am »
Opera is Chinese-owned so maybe it was "phoning home"?

Offline PCNetSpec

Re: have an interesting situation here
« Reply #2 on: October 28, 2017, 03:52:58 am »
They're not interested in you, it's simply an automated worm randomly scanning IPs looking for systems with an OPEN port 1433.
(as port 1433 is most commonly used for Microsoft SQL Server, the worm is probably looking for a web server running Microsoft SQL Server that accepts inbound connections)

I'd be willing to bet your router's NAT firewall is set to DROP (aka Deny) inbound connections, so even though the connection attempt was logged your router didn't actually respond to the probe, so it is effectively invisible.

You can always test this at
https://www.grc.com/x/ne.dll?bh0bkyd2
and scan for the port 1433 .. to see whether it's stealthed.

On another note .. I'm guessing when you said

Quote
gufw is also active on all my systems as Public and Deny all outgoing traffic

You meant "Deny all incoming" ?

because Deny all outgoing would kick you off the net.
« Last Edit: October 28, 2017, 04:05:49 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
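As an added example (not code from the thread or from Team Peppermint), here is a small Python parser for the router log format quoted in the first post; it tallies blocked probes per source and destination port so repeated hits on 1433/1434 stand out as the automated scanning PCNetSpec describes. The regex, the handling of the trailing "dr" token and the sample lines (the thread's line plus constructed entries using documentation-range addresses) are my assumptions.

```python
import re
from collections import Counter

# Router log format quoted in the first post:
#   "SYN with Data from IP <src> port <sport> to IP <dst> port <dport> dr"
# The trailing token is kept as the router's action field; the thread reads
# "dr" as "dropped" (an assumption, since the router model is not named).
LINE_RE = re.compile(
    r"SYN with Data from IP (?P<src>\S+) port (?P<sport>\d+) "
    r"to IP (?P<dst>\S+) port (?P<dport>\d+)\s*(?P<action>\w+)?"
)

# Destination ports the thread discusses (Microsoft SQL Server and its
# sister port 1434); anything else is reported as "other".
SERVICE_BY_PORT = {1433: "Microsoft SQL Server", 1434: "Microsoft SQL Server (1434)"}

# Constructed sample: the line quoted in the thread plus three made-up entries
# (documentation-range sources; destination masked as the poster masked it).
SAMPLE_LOG = """\
SYN with Data from IP 210.44.14.14 port 51927 to IP 69.128.xxx.xxx port 1433 dr
SYN with Data from IP 210.44.14.14 port 52010 to IP 69.128.xxx.xxx port 1433 dr
SYN with Data from IP 203.0.113.7 port 40001 to IP 69.128.xxx.xxx port 1434 dr
SYN with Data from IP 198.51.100.9 port 33333 to IP 69.128.xxx.xxx port 22 dr
"""

def parse_line(line):
    """Parse one firewall log line; return None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action") or "",
    }

def summarize(log_text):
    """Count blocked probes per (source, destination port), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[(entry["src"], entry["dport"])] += 1
    return [
        {"src": s, "dport": p, "count": n, "service": SERVICE_BY_PORT.get(p, "other")}
        for (s, p), n in counts.most_common()
    ]
```

Feed it the router's exported log instead of SAMPLE_LOG; a handful of hits on one service port from many unrelated sources, all with the drop action, is the signature of background scanning rather than anything aimed at you.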

Offline DAMIEN1307

Re: have an interesting situation here
« Reply #3 on: October 28, 2017, 03:54:41 am »
hi murraymint...that just couldn't be possible since that was an INCOMING port probe, NOT an outgoing "phone home", picked up by the NAT router firewall, NOT the internal Linux gufw firewall, which is set to "PUBLIC" and "DENY" all outgoing traffic, which of course would preclude anything even trying to make an outgoing "phone home"...DAMIEN

......never mind lol, gufw is set to deny incoming, allow outgoing...I had it backwards as per usual...but the main point is the NAT stopped the incoming...edited...DAMIEN
« Last Edit: October 28, 2017, 04:13:23 am by DAMIEN1307 »
ORDO AB CHAO

Offline DAMIEN1307

Re: have an interesting situation here
« Reply #4 on: October 28, 2017, 03:57:01 am »
I always use GRC ShieldsUP...in fact I've even met Steve Gibson in California before lol...he's brilliant. Just checked port 1433...as expected it is stealthed...I suspect that where it says at the end of the string "port 1433 dr" the "dr" means dropped...by the way...last I knew, wasn't it the "snake" worm that was in prevalent use for this particular Microsoft SQL Server probe attack? ...DAMIEN
« Last Edit: October 28, 2017, 04:14:48 am by DAMIEN1307 »
ORDO AB CHAO

Offline murraymint

Re: have an interesting situation here
« Reply #5 on: October 28, 2017, 04:34:35 am »
Quote
hi murraymint...that just couldn't be possible since that was an INCOMING port probe

True, I was being slightly facetious because people have said they were worried about using a Chinese browser.

Offline PCNetSpec

Re: have an interesting situation here
« Reply #6 on: October 28, 2017, 04:45:17 am »
Quote
wasn't it the "snake" worm that was in prevalent use for this particular Microsoft SQL Server probe attack?

No idea my mate ???
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline DAMIEN1307

Re: have an interesting situation here
« Reply #7 on: October 28, 2017, 04:47:09 am »
hi murraymint...I kinda figured you were being facetious...that along with cynicism and sarcasm are 3 of my favourite types of humour lol...not too worried that the Chinese bought it out though...they're just a little too smart to allow stupidity and mistrust to get in the way of their profits on something like browser spying and misuse...I will leave that up to the "conspiracy theorists" to have fun with lol...DAMIEN
ORDO AB CHAO

Offline DAMIEN1307

Re: have an interesting situation here
« Reply #8 on: October 28, 2017, 04:53:45 am »
hey PC...yea I seem to remember there was something called the "SQL SNAKE" that was used in these types of attacks, which if successful would allow the miscreant to take over administrative rights of an infected system through a penetration of port 1433 and its sister Microsoft SQL Server port 1434 on non-stealthed systems, let alone even trying that on a Linux-based system...just another good reason for those who think running as root is just fine because it's a single-user system, as I hear them say "don't nanny me, I know what I'm doing" lol...DAMIEN
ORDO AB CHAO

Offline DAMIEN1307

Re: have an interesting situation here
« Reply #9 on: October 28, 2017, 05:11:54 am »
hey PC...my only other thought I had on this subject is this...the 14 computers that were donated to me to give out to schools, kids etc. were all DBANed first because they were previously military computers used at a sensitive installation...hence the reason for DBAN...do not know if it's possible or not, but since all of them have been online here during their conversion to Peppermint 8, do miscreants have a way to track them through MAC address or whatever, and maybe that's why I'm getting probed out of the blue here?...just a thought I had here before my one single thought died of loneliness here lol...DAMIEN
ORDO AB CHAO

Offline PCNetSpec

Re: have an interesting situation here
« Reply #10 on: October 28, 2017, 07:49:51 am »
I can't see how, the MAC address is removed from outbound packets at the router and substituted with the router's, so I can't see how they'd know the IP of the router that specific PC's network adapter was connected to without software running locally that broadcast that info to the web (which you'd have killed if it ever existed with DBAN) .. seriously I'd just consider it random.

https://askleo.com/can_a_mac_address_be_traced/
« Last Edit: October 28, 2017, 08:04:23 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec