Port scanning concern

Tony Arnold tony.arnold at manchester.ac.uk
Sun Nov 25 16:35:52 UTC 2012


Jason,

I presume the DST=local_ip shows as a real local IP address behind your
router (e.g., 192.168.1.27)? And that you do not have any port
forwarding on your router that could be relevant?

It looks to me like return traffic from outgoing connections to
88.191.127.22. The outgoing connection would be http so it would connect
on port 80/tcp. Return traffic would have a source port (SPT) of 80 and
a random high number destination port (DST).

UFW should allow such return traffic if it's set up iptables correctly.

Do these log entries correspond to a time of day when your system may be
looking for updates?

Regards,
Tony.

On 25/11/12 15:31, Jason P. wrote:
> Hi folks.
> 
> These days I've been noticing port scanning attempts in my UFW log that
> I can barely understand.
> 
> First, I'm behind the router's firewall and this is supposed to protect
> me from the outside.
> 
> Second and more strange is that the attacker's IP is Medibuntu's repo one.
> 
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45683 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45684 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45685 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45686 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45687 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45688 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45689 WINDOW=0 RES=0x00 RST URGP=0
> 
> [UFW BLOCK] SRC=88.191.127.22 DST=local_ip LEN=40 TOS=0x00 PREC=0x00
> TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> 
> 
> I don't want to seem paranoid, but although I'm not 100% sure, I believe
> some time ago I installed an unsigned package from there. I'd appreciate
> your help so I could sleep better hehe.
> 
> 
> Thanks to all!
> 

-- 
Tony Arnold,                        Tel: +44 (0) 161 275 6093
Head of IT Security,                Fax: +44 (0) 705 344 3082
University of Manchester,           Mob: +44 (0) 773 330 0039
Manchester M13 9PL.                 Email: tony.arnold at manchester.ac.uk
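The distinction Tony draws above (a reply from port 80 to an ephemeral port, carrying RST, versus an unsolicited inbound SYN) can be checked mechanically. The script below is an added example, not part of the thread or of UFW; the log lines in it are constructed to match the quoted format (DST set to 192.168.1.27 as in Tony's example, plus two probe lines from the documentation address 203.0.113.9), and the classification rule is a heuristic of the editor's, not anything UFW itself applies.

```python
import re

# Constructed sample lines in the "[UFW BLOCK] K=V ..." format quoted in the thread.
SAMPLE_LOG = """\
[UFW BLOCK] SRC=88.191.127.22 DST=192.168.1.27 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45681 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] SRC=88.191.127.22 DST=192.168.1.27 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=45682 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] SRC=203.0.113.9 DST=192.168.1.27 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[UFW BLOCK] SRC=203.0.113.9 DST=192.168.1.27 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12346 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_ufw_line(line):
    """Turn one UFW log line into a dict of K=V fields; bare TCP flag tokens go in FLAGS."""
    fields = dict(KEY_VALUE.findall(line))
    tokens = line.split("]", 1)[1].split()
    fields["FLAGS"] = {t for t in tokens if t in TCP_FLAGS}
    return fields


def classify(entry):
    """Heuristic (assumed, not UFW's own): stray reply to our own connection vs. inbound probe."""
    if entry.get("PROTO") != "TCP":
        return "other"
    spt, dpt, flags = int(entry["SPT"]), int(entry["DPT"]), entry["FLAGS"]
    # Service port -> ephemeral port, and not a bare SYN: this is the far end answering a
    # connection this host opened earlier. A RST with WINDOW=0 is the server saying the
    # connection no longer exists, which is what late packets after apt has closed look like.
    if spt < 1024 and dpt >= 1024 and "SYN" not in flags:
        return "stray-reply"
    # Bare SYN aimed at a low port: someone is trying to open a connection to us.
    if flags == {"SYN"} and dpt < 1024:
        return "inbound-probe"
    return "other"


def summarize(log_text):
    """Count entries per (SRC, class) so one host's repeated hits stand out."""
    counts = {}
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        entry = parse_ufw_line(line)
        key = (entry["SRC"], classify(entry))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:14} {n}")
```

Run against a real /var/log/ufw.log, the "stray-reply" bucket is the one to compare with apt's run times, as Tony suggests; the "inbound-probe" bucket is what actual scanning would land in.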