Computer Hope

Software => BSD, Linux, and Unix => Topic started by: 151rby on October 26, 2012, 12:29:38 PM

Title: Unwanted TCP FIN scans of Unknown Cause
Post by: 151rby on October 26, 2012, 12:29:38 PM
I have a System76 Pangolin Performance (Panp8), and I'm running Ubuntu 11.04, 64-bit.

My computer has apparently been the target of incoming TCP-FIN scans, and also did at least one outbound scan. My network administrator banned my computer from the wifi network because of it. He says my computer's the only one on the network exhibiting the behavior. I really want to figure out the cause, but I have a huge amount of homework right now, and at this very moment the most important thing is for me to just prevent it from happening because I need the internet to do my homework. I have Uncomplicated Firewall, but I don't really know how it works; is there a way that I can use it to block or prevent such scans? Is there something I can do with my system or network settings to make it stop? I will be extremely grateful for any help!

Now, if you know a way I can just make the scans stop regardless of their cause, then please feel free to answer without bothering to read the rest of this post. But maybe more details are necessary, so here is the firewall log report the admin sent me:

10/25/2012 10:41:11  **TCP FIN Scan** 74.114.28.200, 80->> 192.168.2.37, 59562 (from WAN Inbound)   Meebo
10/25/2012 10:41:11  **TCP FIN Scan** 207.200.81.7, 80->> 192.168.2.37, 40283 (from WAN Inbound)   Netscape Communications Corp
10/25/2012 10:41:11  **TCP FIN Scan** 74.125.225.69, 80->> 192.168.2.37, 51341 (from WAN Inbound)   Google
10/25/2012 10:41:11  **TCP FIN Scan** 174.132.95.10, 80->> 192.168.2.37, 46657 (from WAN Inbound)   Theplanet.com internet services
10/25/2012 10:41:11  **TCP FIN Scan** 64.236.85.82, 80->> 192.168.2.37, 41429 (from WAN Inbound)   AOL transit data network
10/25/2012 10:41:11  **TCP FIN Scan** 23.21.54.230, 80->> 192.168.2.37, 40730 (from WAN Inbound)   Amazon
10/25/2012 10:41:11  **TCP FIN Scan** 67.132.183.64, 80->> 192.168.2.37, 57262 (from WAN Inbound)   Akamai technologies
10/25/2012 10:41:11  **TCP FIN Scan** 199.117.103.72, 80->> 192.168.2.37, 39606 (from WAN Inbound)   Akamai technologies
10/25/2012 10:36:21  **TCP FIN Scan** 208.81.191.110, 80->> 192.168.2.37, 54965 (from WAN Inbound)   Meebo
10/25/2012 10:36:21  **TCP FIN Scan** 74.125.225.176, 80->> 192.168.2.37, 35835 (from WAN Inbound)   Google
10/25/2012 10:36:21  **TCP FIN Scan** 74.125.225.89, 80->> 192.168.2.37, 41008 (from WAN Inbound)   Google
10/25/2012 10:36:21  **TCP FIN Scan** 54.243.110.233, 80->> 192.168.2.37, 39518 (from WAN Inbound)   Amazon.com
10/25/2012 10:36:21  **TCP FIN Scan** 199.38.164.155, 80->> 192.168.2.37, 34961 (from WAN Inbound)   X Plus One
10/25/2012 10:36:21  **TCP FIN Scan** 208.81.191.113, 80->> 192.168.2.37, 51972 (from WAN Inbound)   Meebo
10/25/2012 10:21:41  **TCP FIN Scan** 208.81.191.110, 80->> 192.168.2.37, 54295 (from WAN Inbound)   Meebo
10/25/2012 10:21:41  **TCP FIN Scan** 69.171.234.21, 80->> 192.168.2.37, 44825 (from WAN Inbound)   Facebook (I don't even have a Facebook account)
10/25/2012 10:21:41  **TCP FIN Scan** 67.132.183.9, 80->> 192.168.2.37, 35936 (from WAN Inbound)   Akamai Technologies
10/25/2012 10:21:41  **TCP FIN Scan** 167.8.226.13, 80->> 192.168.2.37, 38467 (from WAN Inbound)   Gannett Co Inc
10/25/2012 10:21:41  **TCP FIN Scan** 168.143.84.74, 80->> 192.168.2.37, 44154 (from WAN Inbound)   NTT America Inc
10/25/2012 10:21:41  **TCP FIN Scan** 64.236.85.88, 80->> 192.168.2.37, 48464 (from WAN Inbound)   AOL Transit Data Network
10/25/2012 10:21:41  **TCP FIN Scan** 75.98.35.20, 80->> 192.168.2.37, 44010 (from WAN Inbound)   Legolas Media
10/25/2012 10:21:41  **TCP FIN Scan** 174.132.95.10, 80->> 192.168.2.37, 45758 (from WAN Inbound)   Theplanet.com
10/25/2012 10:21:41  **TCP FIN Scan** 54.243.166.54, 80->> 192.168.2.37, 59490 (from WAN Inbound)   Amazon.com
10/25/2012 10:21:41  **TCP FIN Scan** 69.172.216.55, 80->> 192.168.2.37, 45381 (from WAN Inbound)   Saferoute Incorporated
10/25/2012 10:21:41  **TCP FIN Scan** 74.125.225.89, 80->> 192.168.2.37, 40278 (from WAN Inbound)   Google
10/25/2012 10:21:41  **TCP FIN Scan** 64.94.107.18, 80->> 192.168.2.37, 40790 (from WAN Inbound)   Intermap Network Services Corporation
10/25/2012 10:21:41  **TCP FIN Scan** 50.16.195.154, 80->> 192.168.2.37, 36605 (from WAN Inbound)   Amazon
10/25/2012 10:21:41  **TCP FIN Scan** 74.125.225.90, 80->> 192.168.2.37, 47767 (from WAN Inbound)   Google
10/25/2012 10:21:41  **TCP FIN Scan** 67.132.183.42, 80->> 192.168.2.37, 58683 (from WAN Inbound)   Akamai Technologies
10/25/2012 10:21:41  **TCP FIN Scan** 205.217.176.11, 80->> 192.168.2.37, 57381 (from WAN Inbound)   Savvis
10/25/2012 10:21:41  **TCP FIN Scan** 208.71.123.131, 80->> 192.168.2.37, 57039 (from WAN Inbound)   24/7 Real Media
10/25/2012 10:21:41  **TCP FIN Scan** 67.132.183.65, 80->> 192.168.2.37, 50760 (from WAN Inbound)   Akamai Technologies
10/25/2012 10:21:41  **TCP FIN Scan** 67.132.30.137, 80->> 192.168.2.37, 46285 (from WAN Inbound)   Qwest Communications
10/25/2012 10:09:12  **TCP FIN Scan** 192.168.2.37, 52621->> 107.22.232.230, 80 (from WAN Outbound)   Amazon

The right-hand column (Google, Meebo, etc.) was added by me after I did a bunch of lookups on whois.domaintools.com. I am so confused. Why in the world am I being TCP FIN scanned from IPs owned by Google and Amazon and Meebo and various media companies? At the time it happened, I do actually think I was on a website where I was logged into Meebo and the chat bar was open; could these actually be "legitimate" harmless scans performed as part of Meebo's chat service? Another thing I noticed was that all of the scans came from a port 80, and when my computer did an outbound scan, the scan was sent to a port 80. This makes me wonder if it's just being done by one person who is spoofing various IPs, because what are the chances all those different computers would be using the same port to scan me/get scanned by me? Or, could someone be spoofing my IP and MAC addresses on the network, and if so, how could I find out?

Also, I would like to know, is there a log on my computer that I can check which will tell of any such scans that have recently occurred?

I ran chkrootkit and rkhunter, and neither detected any rootkits, but chkrootkit said:
The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk.jinfo
/usr/lib/pymodules/python2.7/.path
/usr/lib/firefox-addons/extensions/[email protected]/chrome/.mkdir.done

And rkhunter gave "warnings" for the following:
/usr/bin/mail
/usr/bin/bsd-mailx

Rkhunter also said that "Checking if syslog remote logging is allowed" was "Not Allowed". I have no idea whether any of this is relevant to my problem. Yes, go ahead and laugh at my ignorance.

I had a similar problem with TCP FIN scans back in May, and I started a thread about it back then. I never figured out what was causing it, but it eventually got resolved in that it stopped happening after my computer got messed up and I had to install a new copy of Ubuntu (and chose to "downgrade" to 11.04). However, I figured this warranted a new thread because the problem went away for so long, I'm using an entirely different version and copy of the operating system, and now I'm getting incoming scans whereas before my computer was just doing outbound ones.
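The log above is worth a closer look than "scan or not". As an added example (editor's code, not part of the thread or of any tool the poster uses), the script below parses lines in the router's format and applies a heuristic that separates a real FIN scan from the leftover teardown of ordinary HTTP sessions: a FIN scan comes from one source and sweeps many service ports on the target, whereas every line in the post comes from port 80 of a different web server, lands on a high client-side port, and arrives in bursts at the same second, which is what a stateful router logs when a server closes a connection whose state entry the router has already dropped. Assumptions: the regular expression is derived from the lines above; the ephemeral port range is the Linux default; the first sample is a subset of the post's lines with the organisation column dropped; the second sample is a constructed scan log (203.0.113.5 is a documentation address) and does not come from the post.

```python
"""Is a router's 'TCP FIN Scan' entry a scan or stale session teardown?

Editor's added example. Heuristic:
  - a FIN scan (nmap -sF style) comes from one source, hits many distinct
    *service* ports on the target, and uses an arbitrary source port;
  - stale teardown looks like the log in the post: every packet comes from
    port 80/443 of many unrelated web servers, goes to a high ephemeral port
    the client chose earlier, and arrives in same-second bursts.  That is a
    server closing an HTTP connection the router has already forgotten, so
    the stateful firewall sees an "orphan" FIN and calls it a scan.
"""
import re
from collections import Counter

# Derived from the lines quoted in the post (assumption: the router always
# uses this exact layout).  Trailing text such as the whois column is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+\*\*TCP FIN Scan\*\*\s+"
    r"(?P<src>\d+(?:\.\d+){3}),\s*(?P<sport>\d+)->>\s*"
    r"(?P<dst>\d+(?:\.\d+){3}),\s*(?P<dport>\d+)\s+"
    r"\(from WAN (?P<dir>Inbound|Outbound)\)"
)

# Linux default /proc/sys/net/ipv4/ip_local_port_range (assumption: stock Ubuntu)
EPHEMERAL = range(32768, 61001)
WEB_PORTS = {80, 443}

# Constructed subset: lines copied from the post's format, org column dropped.
SAMPLE_TEARDOWN = [
    "10/25/2012 10:41:11  **TCP FIN Scan** 74.114.28.200, 80->> 192.168.2.37, 59562 (from WAN Inbound)",
    "10/25/2012 10:41:11  **TCP FIN Scan** 207.200.81.7, 80->> 192.168.2.37, 40283 (from WAN Inbound)",
    "10/25/2012 10:41:11  **TCP FIN Scan** 74.125.225.69, 80->> 192.168.2.37, 51341 (from WAN Inbound)",
    "10/25/2012 10:36:21  **TCP FIN Scan** 208.81.191.110, 80->> 192.168.2.37, 54965 (from WAN Inbound)",
    "10/25/2012 10:36:21  **TCP FIN Scan** 54.243.110.233, 80->> 192.168.2.37, 39518 (from WAN Inbound)",
    "10/25/2012 10:09:12  **TCP FIN Scan** 192.168.2.37, 52621->> 107.22.232.230, 80 (from WAN Outbound)",
]

# Constructed: what a genuine FIN sweep of the laptop would look like in the
# same format (203.0.113.5 is a documentation address, not a real scanner).
SAMPLE_SCAN = [
    "10/25/2012 11:00:00  **TCP FIN Scan** 203.0.113.5, 54321->> 192.168.2.37, 21 (from WAN Inbound)",
    "10/25/2012 11:00:00  **TCP FIN Scan** 203.0.113.5, 54321->> 192.168.2.37, 22 (from WAN Inbound)",
    "10/25/2012 11:00:00  **TCP FIN Scan** 203.0.113.5, 54321->> 192.168.2.37, 23 (from WAN Inbound)",
    "10/25/2012 11:00:01  **TCP FIN Scan** 203.0.113.5, 54321->> 192.168.2.37, 80 (from WAN Inbound)",
    "10/25/2012 11:00:01  **TCP FIN Scan** 203.0.113.5, 54321->> 192.168.2.37, 443 (from WAN Inbound)",
]


def parse(lines):
    """Return one dict per line that matches the router's log format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def classify(events):
    """Verdict for the inbound entries, plus the evidence it rests on."""
    inbound = [e for e in events if e["dir"] == "Inbound"]
    if not inbound:
        return {"verdict": "no inbound entries"}
    n = len(inbound)
    from_web = sum(e["sport"] in WEB_PORTS for e in inbound)
    to_ephemeral = sum(e["dport"] in EPHEMERAL for e in inbound)
    sources = {e["src"] for e in inbound}
    dports = {e["dport"] for e in inbound}
    burst = max(Counter(e["ts"] for e in inbound).values())
    # Teardown: every packet from a web server's service port to one of our
    # ephemeral ports, from several unrelated servers.  Scan: the opposite.
    if from_web == n and to_ephemeral == n and len(sources) >= 3:
        verdict = "stale HTTP session teardown, not a scan"
    elif len(sources) == 1 and len(dports) >= 3 and to_ephemeral == 0:
        verdict = "FIN scan: one source sweeping service ports"
    else:
        verdict = "inconclusive, inspect manually"
    return {
        "verdict": verdict, "inbound": n, "from_web_port": from_web,
        "to_ephemeral_port": to_ephemeral, "distinct_sources": len(sources),
        "distinct_dst_ports": len(dports), "largest_same_second_burst": burst,
    }


if __name__ == "__main__":
    for name, sample in (("post's log", SAMPLE_TEARDOWN), ("constructed scan", SAMPLE_SCAN)):
        print(name, "->", classify(parse(sample)))
```

The verdict is a heuristic, not proof; the only authoritative check is the router's own state table, which the poster cannot see. On the laptop itself, `sudo tcpdump -ni wlan0 'tcp[tcpflags] & tcp-fin != 0 and src port 80'` shows such FINs as they arrive (substitute the real interface name), and `sudo ufw logging on` makes ufw record dropped packets as `[UFW BLOCK]` lines in /var/log/ufw.log, which answers the question of where to look locally. Note that ufw on the laptop cannot stop the router from logging these entries, because the router judges the packet before it ever reaches the laptop. The single outbound entry fits the same picture: the laptop closing its side of a connection to an Amazon-hosted server after the router had already forgotten the session.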
Title: Re: Unwanted TCP FIN scans of Unknown Cause
Post by: Salmon Trout on October 26, 2012, 01:02:06 PM
You asked a very similar question to this on the Ubuntu forums on 5 May 2012.

Do you use a Cloud service (data backups? cloud music player for android or the computer)? Maybe you've got a kindle that you've synced on this computer? Are you using Windows apps under Wine and/or a VM?

Title: Re: Unwanted TCP FIN scans of Unknown Cause
Post by: 151rby on October 26, 2012, 01:21:14 PM
You asked a very similar question to this on the Ubuntu forums on 5 May 2012.
Yes. I never really figured it out, but it stopped happening; now I'm having a similar problem. Also, I included a lot of useless information in that question that made it a real pain to read (you may notice nobody on Ubuntu Forums offered answers), and now I have asked it in a much more sensible and coherent fashion. However, the problem now is a bit different in that now my computer is also apparently doing outbound scans.

Do you use a Cloud service (data backups? cloud music player for android or the computer)? Maybe you've got a kindle that you've synced on this computer? Are you using Windows apps under Wine and/or a VM?
A couple weeks ago, I used thinkfree.com and Microsoft Skydrive to make some edits to a .odt file that I needed to put into .doc format, because some of the formatting wouldn't save in .doc format when I used LibreOffice Writer. But I haven't used them at all since then, and these scans happened just yesterday. I have Wine installed and I have used it for a few Windows programs in the past, but I haven't recently. I don't have a Kindle and I'm not using a virtual machine.
Title: Re: Unwanted TCP FIN scans of Unknown Cause
Post by: 151rby on October 26, 2012, 04:42:03 PM
It just occurred to me that perhaps I should have put this thread in the "networking" category. Is there a way for me to move it?
Title: Re: Unwanted TCP FIN scans of Unknown Cause
Post by: zeroburn on October 30, 2012, 09:43:54 PM
We shouldn't rule out that it could be the software on the computer. And for all we know, this should go under malware, and it is an interesting problem.

I wish I knew more about this aspect, but I would not know why someone spoofing an IP address would only target you, and not a range of IPs on the network.

Well, that's just my bad 2 cents.