2008-05-25

Using xinetd to mess with the hosts that keep poking at my ports

Over the past few days I used iptables to log the connection attempts my box receives now that it sits on a public IP, and found that the vast majority are attempts to connect to ports 1433/135/139/445. Whatever tries those ports is almost certainly nothing good,

and since I had time to kill these two days, I used xinetd to mess with them: once they connect, my side sends back a garbage response and records the source IP and time.

Create a fake service in xinetd's service config directory; I'll just call it fake-ms.
/etc/xinetd.d/fake-ms
Contents:
service ms-sql-s
#1433
{
disable = no
socket_type = stream
log_type = FILE /var/log/fake-ms.log
log_on_success = PID HOST DURATION EXIT
wait = no
user = nobody
protocol = tcp
server = /usr/bin/yes
server_args = FUCKYOUASSHOLE
}

service loc-srv
#135
{
disable = no
socket_type = stream
log_type = FILE /var/log/fake-ms.log
log_on_success = PID HOST DURATION EXIT
wait = no
user = nobody
protocol = tcp
server = /usr/bin/yes
server_args = FUCKYOUASSHOLE
}

service netbios-ssn
#139
{
disable = no
socket_type = stream
log_type = FILE /var/log/fake-ms.log
log_on_success = PID HOST DURATION EXIT
wait = no
user = nobody
protocol = tcp
server = /usr/bin/yes
server_args = FUCKYOUASSHOLE
}

service microsoft-ds
#445
{
disable = no
socket_type = stream
log_type = FILE /var/log/fake-ms.log
log_on_success = PID HOST DURATION EXIT
wait = no
user = nobody
protocol = tcp
server = /usr/bin/yes
server_args = FUCKYOUASSHOLE
}

Then restart xinetd. From now on, whenever someone connects to 135/139/445/1433,
xinetd spews the string FUCKYOUASSHOLE back at them.
Of course this has no real effect on the other side; it's just a petty way to let off some steam.


/var/log/fake-ms.log then records which IPs connected to these ports.
The most extreme part is the SQL Server 1433 log: whatever connects there is definitely nothing good, and it comes in bursts..
08/5/24@23:10:00: START: ms-sql-s pid=3230 from=218.60.128.117
08/5/24@23:10:00: EXIT: ms-sql-s signal=13 pid=3230
08/5/24@23:10:00: START: ms-sql-s pid=3231 from=218.60.128.117
08/5/24@23:10:01: EXIT: ms-sql-s signal=13 pid=3231
08/5/24@23:10:01: START: ms-sql-s pid=3232 from=218.60.128.117
08/5/24@23:10:01: EXIT: ms-sql-s signal=13 pid=3232
08/5/24@23:10:01: START: ms-sql-s pid=3233 from=218.60.128.117
08/5/24@23:10:01: EXIT: ms-sql-s signal=13 pid=3233
08/5/24@23:10:01: START: ms-sql-s pid=3234 from=218.60.128.117
08/5/24@23:10:01: EXIT: ms-sql-s signal=13 pid=3234
08/5/24@23:10:01: START: ms-sql-s pid=3235 from=218.60.128.117
08/5/24@23:10:02: EXIT: ms-sql-s signal=13 pid=3235
08/5/24@23:10:02: START: ms-sql-s pid=3236 from=218.60.128.117
08/5/24@23:10:02: EXIT: ms-sql-s signal=13 pid=3236
==the others are a bit milder==

08/5/25@15:59:54: START: loc-srv pid=2500 from=59.125.157.59
08/5/25@15:59:56: EXIT: loc-srv signal=13 pid=2500
08/5/25@16:06:26: START: microsoft-ds pid=2574 from=59.125.181.55
08/5/25@16:06:31: EXIT: microsoft-ds signal=13 pid=2574
08/5/25@16:06:39: START: loc-srv pid=2576 from=59.124.75.236
08/5/25@16:06:43: EXIT: loc-srv signal=13 pid=2576
08/5/25@16:10:28: START: microsoft-ds pid=2616 from=59.125.181.55
08/5/25@16:10:31: EXIT: microsoft-ds signal=13 pid=2616 duration=3(sec)
08/5/25@16:12:29: START: loc-srv pid=2629 from=59.125.157.59
08/5/25@16:12:31: EXIT: loc-srv signal=13 pid=2629 duration=2(sec)
08/5/25@16:22:56: START: netbios-ssn pid=2713 from=59.125.195.102
08/5/25@16:22:57: START: netbios-ssn pid=2714 from=59.125.195.102
08/5/25@16:22:57: EXIT: netbios-ssn signal=13 pid=2713 duration=1(sec)
08/5/25@16:22:57: EXIT: netbios-ssn signal=13 pid=2714 duration=0(sec)
08/5/25@16:22:58: START: netbios-ssn pid=2715 from=59.125.195.102
08/5/25@16:22:58: EXIT: netbios-ssn signal=13 pid=2715 duration=0(sec)
08/5/25@16:24:10: START: loc-srv pid=2716 from=59.125.157.59
08/5/25@16:24:12: EXIT: loc-srv signal=13 pid=2716 duration=2(sec)
08/5/25@16:28:11: START: loc-srv pid=2717 from=59.125.80.130
08/5/25@16:28:11: EXIT: loc-srv signal=13 pid=2717 duration=0(sec)


That's quite a lot.. I don't know whether those machines are infected or what.
Come to think of it, I really did have too much time on my hands..:P
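To get something more useful out of /var/log/fake-ms.log than eyeballing it, here is an added example (my own code, not part of the original post) that parses the START/EXIT records in the format xinetd writes for log_on_success = PID HOST DURATION EXIT, counts attempts per source IP and fake service, and flags sources that hammer one port in a short window, like the 1433 run above. The sample log lines and IPs are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One regex for both record types xinetd writes with log_on_success = PID HOST DURATION EXIT:
#   08/5/24@23:10:00: START: ms-sql-s pid=3230 from=218.60.128.117
#   08/5/25@16:10:31: EXIT: microsoft-ds signal=13 pid=2616 duration=3(sec)
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+@\d\d:\d\d:\d\d): (?P<ev>START|EXIT): (?P<svc>\S+)"
    r"(?: signal=\d+)? pid=(?P<pid>\d+)(?: from=(?P<ip>[\d.]+))?(?: duration=\d+\(sec\))?$")

# Constructed sample log (documentation IPs), not the real log from the post.
SAMPLE_LOG = """\
08/5/24@23:10:00: START: ms-sql-s pid=3230 from=192.0.2.10
08/5/24@23:10:00: EXIT: ms-sql-s signal=13 pid=3230
08/5/24@23:10:00: START: ms-sql-s pid=3231 from=192.0.2.10
08/5/24@23:10:01: START: ms-sql-s pid=3232 from=192.0.2.10
08/5/24@23:10:01: START: ms-sql-s pid=3233 from=192.0.2.10
08/5/24@23:10:02: START: ms-sql-s pid=3234 from=192.0.2.10
08/5/24@23:10:02: EXIT: ms-sql-s signal=13 pid=3234 duration=0(sec)
08/5/25@15:59:54: START: loc-srv pid=2500 from=198.51.100.7
08/5/25@15:59:56: EXIT: loc-srv signal=13 pid=2500 duration=2(sec)
""".splitlines()

def start_records(lines):
    """Yield (timestamp, service, source_ip) for each START line; skip EXIT and unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("ev") == "START":
            # xinetd logs a two-digit year: 08/5/24 is 2008-05-24
            yield datetime.strptime(m.group("ts"), "%y/%m/%d@%H:%M:%S"), m.group("svc"), m.group("ip")

def summarize(lines):
    """Count connection attempts per (source IP, fake service)."""
    return Counter((ip, svc) for _ts, svc, ip in start_records(lines))

def burst_sources(lines, threshold=5, window_sec=10):
    """Return (ip, service) pairs with at least `threshold` attempts inside any `window_sec` span."""
    stamps = defaultdict(list)
    for ts, svc, ip in start_records(lines):
        stamps[(ip, svc)].append(ts)
    hits = set()
    for key, times in stamps.items():
        times.sort()
        j = 0  # sliding window: advance j while times[j] is still within window_sec of times[i]
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_sec:
                j += 1
            if j - i >= threshold:
                hits.add(key)
                break
    return hits
```

Point it at the real file with summarize(open("/var/log/fake-ms.log")) to see which sources show up most; burst_sources() separates the rapid-fire scanners from one-off connections.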
