Using Firestarter and a Shell to Monitor Malicious Traffic

May 15th, 2008 | by blank89 |

Now that you have your Ubuntu router set up, what can you do with it? There are a few interesting things you will notice if you watch your events list long enough. You might notice a large number of incoming requests for a specific port. Let’s use one that I just found, port 60666, which turns out to be “Basic Hell”, a backdoor that affects just about every Windows version. What’s worse, this backdoor has been around since 2002. Keep in mind that the port number only tells you what the sender was probing for, not what is actually running on either end of the connection. From the traffic that reaches just my home IP address, you might assume that most computers on the internet have been hacked.

My firewall log, lots of bots trying to connect to me

Maybe you’re being port scanned, like this picture:

Someone port scanning my firewall

These signatures are easy to detect. When one host connects to several ports in sequential order in quick succession, it is port scanning you. One way to hide this is to scan slowly (pausing between probes) and to randomize the port order, so that no short stretch of the log shows the pattern. It looks like either a McAfee employee has gone mad, or one of their boxes is rooted. Here is the whois of the IP that was port scanning me in that picture:

McAfee BRW-6257-MCAFEE (NET-xx-xx-xx-xxx-x)
xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx

Bear in mind that whois tells you which organization the address block is registered to, not who is operating that particular host or whether it has been compromised. You can find these kinds of connections at all times of day. What’s really fun is to set up an SSH server and watch your auth log grow.

I’m going to use a bit of automation: save the Firestarter events to a file and look for IP addresses that have interesting whois data. The Linux shell is well suited to this kind of work because of pipes. For instance, this command gives me every line of the firewall log where the other computer tried to connect to me on port 22 (Firestarter labels those lines with Service:SSH):


cat logfile | grep SSH

Who on earth is trying to connect to my SSH port? The IP address 124.42.x.xx belongs to a university in China, 82.211.xx.xx is from Germany, and 218.21.xxx.xxx is from China and looks like it has connected more than once. To see if it has tried any other ports:


cat logfile | grep 218.21.xxx.xxx

And you get:


Time:May 13 04:24:08 Direction: Unknown In:eth0 Out: Port:22 Source:218.21.xxx.xxx Destination:204.111.xxx.xxx Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 09:13:30 Direction: Unknown In:eth0 Out: Port:22 Source:218.21.xxx.xxx Destination:204.111.xxx.xxx Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 11:56:31 Direction: Unknown In:eth0 Out: Port:22 Source:218.21.xxx.xxx  Destination:204.111.xxx.xxx Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 11:56:34 Direction: Unknown In:eth0 Out: Port:22 Source:218.21.xxx.xxx  Destination:204.111.xxx.xxx Length:60 TOS:0x00 Protocol:TCP Service:SSH

Remember the computer looking for the “Basic Hell” backdoor? Let’s see what it has been up to over time, and whether anyone else has been looking for this backdoor.


cat logfile | grep Port:60666

I took some of the results out, because this computer has been trying to connect to port 60666 at least twice an hour for the past two days. It seems to be a RoadRunner ISP customer.


Time:May 14 08:57:25 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.xxx.xxx Destination:204.111.xxx.xxx Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 14 16:06:13 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.xxx.xxx Destination:204.111.xxx.xxx Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 14 16:07:17 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.xxx.xxx Destination:204.111.xxx.xxx Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 14 21:41:27 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.xxx.xxx Destination:204.111.xxx.xxx Length:48 TOS:0x00 Protocol:TCP Service:Unknown
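As an added example (not code from the original post), the following shell script turns the greps above into repeatable checks over the Firestarter event format shown on this page: hits per destination port, the distinct sources probing a port, and the port-scan heuristic described earlier (one source touching several ports within a short window). The log lines inside it are constructed, with made-up addresses; the FS_LOG variable, the function names and the thresholds are assumptions for illustration, and on a real router you would point it at the saved events file instead.

```shell
#!/bin/sh
# Added example for the post above, not Firestarter's own tooling.
# Parses Firestarter event lines ("Time:... Port:N Source:A Destination:B ...")
# with awk and answers the questions the post answered with grep by hand.

export LC_ALL=C   # stable, byte-order sort output

# Constructed sample log (made-up addresses, same field layout as Firestarter).
# In real use: FS_LOG=$(cat /path/to/saved-events.txt)
FS_LOG='Time:May 13 04:24:08 Direction: Unknown In:eth0 Out: Port:22 Source:218.21.0.1 Destination:204.111.0.2 Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 09:13:30 Direction: Unknown In:eth0 Out: Port:22 Source:218.21.0.1 Destination:204.111.0.2 Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 10:02:11 Direction: Unknown In:eth0 Out: Port:22 Source:124.42.0.5 Destination:204.111.0.2 Length:60 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 12:00:00 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.0.9 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 13 12:30:00 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.0.9 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:May 13 14:15:01 Direction: Unknown In:eth0 Out: Port:21 Source:10.9.8.7 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:FTP
Time:May 13 14:15:01 Direction: Unknown In:eth0 Out: Port:22 Source:10.9.8.7 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:SSH
Time:May 13 14:15:02 Direction: Unknown In:eth0 Out: Port:23 Source:10.9.8.7 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:Telnet
Time:May 13 14:15:02 Direction: Unknown In:eth0 Out: Port:25 Source:10.9.8.7 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:SMTP
Time:May 13 14:15:03 Direction: Unknown In:eth0 Out: Port:80 Source:10.9.8.7 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:HTTP
Time:May 13 18:40:12 Direction: Unknown In:eth0 Out: Port:60666 Source:75.179.0.9 Destination:204.111.0.2 Length:48 TOS:0x00 Protocol:TCP Service:Unknown'

# Number of events aimed at destination port $1.
# Compares the whole "Port:N" field, so 22 does not also count 2200.
hits_on_port() {
    printf '%s\n' "$FS_LOG" | awk -v port="$1" '
        { for (i = 1; i <= NF; i++) if ($i == ("Port:" port)) n++ }
        END { print n + 0 }'
}

# Distinct source addresses that hit port $1, one per line, sorted.
sources_for_port() {
    printf '%s\n' "$FS_LOG" | awk -v port="$1" '
        {
            hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == ("Port:" port)) hit = 1
                if ($i ~ /^Source:/) src = substr($i, 8)
            }
            if (hit) print src
        }' | sort -u
}

# Port-scan heuristic from the post: flag any source that touches at least
# $1 distinct destination ports within some $2-second window. Assumes the
# log is in time order and does not cross a month boundary (the month is
# ignored when computing timestamps). Prints flagged sources, sorted.
scan_sources() {
    printf '%s\n' "$FS_LOG" | awk -v need="$1" -v window="$2" '
        {
            # $1 = "Time:May", $2 = day of month, $3 = hh:mm:ss
            split($3, hms, ":")
            ts = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Port:/)   port = substr($i, 6)
                if ($i ~ /^Source:/) src  = substr($i, 8)
            }
            n[src]++
            t[src, n[src]] = ts
            p[src, n[src]] = port
        }
        END {
            for (src in n) {
                flagged = 0
                for (i = 1; i <= n[src] && !flagged; i++) {
                    split("", seen)        # portable way to clear an array
                    distinct = 0
                    # slide forward from event i while still inside the window
                    for (j = i; j <= n[src] && t[src, j] - t[src, i] <= window; j++) {
                        if (!(p[src, j] in seen)) { seen[p[src, j]] = 1; distinct++ }
                        if (distinct >= need) { flagged = 1; break }
                    }
                }
                if (flagged) print src
            }
        }' | sort
}

# Stand-alone run: the same questions the post asked of its log.
echo "hits on port 60666: $(hits_on_port 60666)"
echo "sources that hit port 22:"; sources_for_port 22
echo "probable scanners (5+ ports within 10 s):"; scan_sources 5 10
```

The scan heuristic is deliberately simple: it catches the noisy sequential scan the post describes, and the slow, randomized scan the post mentions as a countermeasure will slip under it unless you widen the window, which is exactly the trade-off a detector has to make.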

The point of this article is that there is a lot of malicious traffic out there. If you sit behind a Linksys router that hides this information from you, you have no easy way to tell whether one of the computers on your network has been rooted and is now doing the same scanning to everyone else. Learning what this traffic looks like, and checking your own outbound connections for it, helps keep your address out of other people’s firewall logs.
