I received an email from logcheck containing multiple attempts to connect to UDP port 60059.
This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).
System Events
=-=-=-=-=-=-=
Jul 29 04:42:02 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58250 DPT=60059 LEN=151
Jul 29 04:42:03 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58058 DPT=60059 LEN=151
Jul 29 04:42:06 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=65.75.216.14 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=119 ID=7012 PROTO=UDP SPT=1031 DPT=60059 LEN=172
Jul 29 04:42:12 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=93.193.28.53 DST=my.ip.add.ress LEN=201 TOS=0x00 PREC=0x00 TTL=110 ID=25276 PROTO=UDP SPT=62765 DPT=60059 LEN=181
Jul 29 04:42:15 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=2499 DPT=60059 LEN=151
Jul 29 04:42:15 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=87.118.106.136 DST=my.ip.add.ress LEN=218 TOS=0x00 PREC=0x00 TTL=119 ID=21989 PROTO=UDP SPT=16699 DPT=60059 LEN=198
Jul 29 04:42:18 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=64.25.177.219 DST=my.ip.add.ress LEN=151 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=55535 DPT=60059 LEN=131
Jul 29 04:42:19 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=141 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=4183 DPT=60059 LEN=121
Jul 29 04:42:23 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=180.28.163.114 DST=my.ip.add.ress LEN=103 TOS=0x00 PREC=0x00 TTL=111 ID=2050 PROTO=UDP SPT=1419 DPT=60059 LEN=83
Jul 29 04:42:32 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=87.10.109.97 DST=my.ip.add.ress LEN=144 TOS=0x00 PREC=0x00 TTL=112 ID=45314 PROTO=UDP SPT=61715 DPT=60059 LEN=124
Jul 29 04:42:32 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=96.237.240.66 DST=my.ip.add.ress LEN=111 TOS=0x00 PREC=0x00 TTL=112 ID=11398 PROTO=UDP SPT=3670 DPT=60059 LEN=91
Jul 29 04:42:34 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=67.0.76.62 DST=my.ip.add.ress LEN=97 TOS=0x00 PREC=0x00 TTL=118 ID=27883 PROTO=UDP SPT=6257 DPT=60059 LEN=77
Jul 29 04:42:37 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=46.163.65.86 DST=my.ip.add.ress LEN=199 TOS=0x00 PREC=0x00 TTL=117 ID=31816 PROTO=UDP SPT=61319 DPT=60059 LEN=179
Jul 29 04:42:38 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=95.97.106.138 DST=my.ip.add.ress LEN=211 TOS=0x00 PREC=0x00 TTL=116 ID=33070 PROTO=UDP SPT=3194 DPT=60059 LEN=191
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=200 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=48604 DPT=60059 LEN=180
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=30457 DPT=60059 LEN=172
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=50706 DPT=60059 LEN=172
Jul 29 04:42:42 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=84.19.190.64 DST=my.ip.add.ress LEN=139 TOS=0x00 PREC=0x00 TTL=56 ID=825 PROTO=UDP SPT=50758 DPT=60059 LEN=119
Jul 29 04:42:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=80.90.43.30 DST=my.ip.add.ress LEN=182 TOS=0x00 PREC=0x00 TTL=116 ID=30710 PROTO=UDP SPT=49846 DPT=60059 LEN=162
Jul 29 04:42:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=80.90.43.30 DST=my.ip.add.ress LEN=186 TOS=0x00 PREC=0x00 TTL=116 ID=30724 PROTO=UDP SPT=49856 DPT=60059 LEN=166
Jul 29 04:42:58 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=84.19.176.44 DST=my.ip.add.ress LEN=173 TOS=0x00 PREC=0x00 TTL=119 ID=12730 PROTO=UDP SPT=57695 DPT=60059 LEN=153
Jul 29 04:43:01 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=87.118.126.158 DST=my.ip.add.ress LEN=191 TOS=0x00 PREC=0x00 TTL=120 ID=30862 PROTO=UDP SPT=4822 DPT=60059 LEN=171
Jul 29 04:43:03 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=83.169.12.172 DST=my.ip.add.ress LEN=197 TOS=0x00 PREC=0x00 TTL=117 ID=29081 PROTO=UDP SPT=1641 DPT=60059 LEN=177
Jul 29 04:43:14 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=74.77.32.249 DST=my.ip.add.ress LEN=167 TOS=0x00 PREC=0x00 TTL=116 ID=30903 PROTO=UDP SPT=2112 DPT=60059 LEN=147
Jul 29 04:43:20 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=221.31.22.19 DST=my.ip.add.ress LEN=43 TOS=0x00 PREC=0x00 TTL=105 ID=2597 PROTO=UDP SPT=6257 DPT=60059 LEN=23
Jul 29 04:43:23 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=68.50.247.147 DST=my.ip.add.ress LEN=190 TOS=0x00 PREC=0x00 TTL=114 ID=25950 PROTO=UDP SPT=59025 DPT=60059 LEN=170
Jul 29 04:43:23 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=68.50.247.147 DST=my.ip.add.ress LEN=169 TOS=0x00 PREC=0x00 TTL=114 ID=25952 PROTO=UDP SPT=59027 DPT=60059 LEN=149
Jul 29 04:43:31 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=46.163.65.86 DST=my.ip.add.ress LEN=199 TOS=0x00 PREC=0x00 TTL=117 ID=12987 PROTO=UDP SPT=56856 DPT=60059 LEN=179
Jul 29 04:43:56 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=90.217.77.104 DST=my.ip.add.ress LEN=177 TOS=0x00 PREC=0x00 TTL=115 ID=14304 PROTO=UDP SPT=2711 DPT=60059 LEN=157
Jul 29 04:44:12 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=178.84.75.190 DST=my.ip.add.ress LEN=142 TOS=0x00 PREC=0x00 TTL=118 ID=41799 PROTO=UDP SPT=2844 DPT=60059 LEN=122
Jul 29 04:44:45 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=24.98.60.84 DST=my.ip.add.ress LEN=177 TOS=0x00 PREC=0x00 TTL=111 ID=2423 PROTO=UDP SPT=3968 DPT=60059 LEN=157
Jul 29 04:45:43 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=114.184.78.145 DST=my.ip.add.ress LEN=124 TOS=0x00 PREC=0x00 TTL=109 ID=8715 PROTO=UDP SPT=1262 DPT=60059 LEN=104
Jul 29 04:45:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=120.197.11.29 DST=my.ip.add.ress LEN=28 TOS=0x00 PREC=0x00 TTL=110 ID=19599 PROTO=ICMP TYPE=8 CODE=0 ID=299 SEQ=44068
Jul 29 04:46:14 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=114.184.78.145 DST=my.ip.add.ress LEN=124 TOS=0x00 PREC=0x00 TTL=109 ID=18607 PROTO=UDP SPT=1277 DPT=60059 LEN=104
Jul 29 04:48:34 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=79.27.22.113 DST=my.ip.add.ress LEN=109 TOS=0x00 PREC=0x00 TTL=114 ID=17010 PROTO=UDP SPT=63869 DPT=60059 LEN=89
Jul 29 04:48:34 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=79.27.22.113 DST=my.ip.add.ress LEN=105 TOS=0x00 PREC=0x00 TTL=114 ID=17013 PROTO=UDP SPT=63873 DPT=60059 LEN=85
Jul 29 04:52:04 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=193.40.58.14 DST=my.ip.add.ress LEN=165 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=16699 DPT=60059 LEN=145
Jul 29 04:52:22 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=193.40.58.14 DST=my.ip.add.ress LEN=165 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=16699 DPT=60059 LEN=145
The output of netstat -lnptu shows the following:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2178/mysqld
tcp 0 0 0.0.0.0:33519 0.0.0.0:* LISTEN 1387/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1375/portmap
tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN 3391/munin-node
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2193/vsftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2246/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2933/master
tcp6 0 0 :::80 :::* LISTEN 748/apache2
tcp6 0 0 :::22 :::* LISTEN 2246/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1859/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 1375/portmap
udp 0 0 my.ip.add.ress:123 0.0.0.0:* 3325/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 3325/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 3325/ntpd
udp 0 0 0.0.0.0:715 0.0.0.0:* 1387/rpc.statd
udp 0 0 0.0.0.0:57208 0.0.0.0:* 1387/rpc.statd
udp6 0 0 ::1:123 :::* 3325/ntpd
udp6 0 0 fe80::fcfd:42ff:fee:123 :::* 3325/ntpd
udp6 0 0 :::123 :::* 3325/ntpd
Does anyone know what might be running on this port? Is this something I should be worried about? Should I consider refusing incoming connections from the IP addresses in question?
Answer 1
There is no well-known service on that port. Some bot or other listens on that port for C&C ("command and control"). Either someone is blindly scanning for existing instances of the bot, or you have been infected and the malware managed to send its "I'm here" signal to the C&C, but your firewall blocked the actual attempts to control the bot. Given the wide variety of source IPs, I lean toward this being a distributed blind scan.
If it is still in progress, a packet dump might be useful to someone.
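The answer's reasoning (nothing bound to the port locally, plus many distinct sources each sending a packet or two, points to a blind scan rather than a single peer) can be checked mechanically against the logcheck report and the netstat output. The following is an added example, not code from the question, the answer or the logcheck/Shorewall projects. It parses netfilter DROP lines in the Shorewall format shown above, parses `netstat -lnptu` output, and applies the same triage logic. The sample log and netstat text are constructed from lines in the question (MAC addresses as printed, "my.ip.add.ress" is the poster's redacted address); the `scan_ratio` threshold is an illustrative assumption, not a tuned detection rule.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: six lines copied from the logcheck report in the question.
SAMPLE_LOG = """\
Jul 29 04:42:02 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58250 DPT=60059 LEN=151
Jul 29 04:42:03 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58058 DPT=60059 LEN=151
Jul 29 04:42:06 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=65.75.216.14 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=119 ID=7012 PROTO=UDP SPT=1031 DPT=60059 LEN=172
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=200 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=48604 DPT=60059 LEN=180
Jul 29 04:45:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=120.197.11.29 DST=my.ip.add.ress LEN=28 TOS=0x00 PREC=0x00 TTL=110 ID=19599 PROTO=ICMP TYPE=8 CODE=0 ID=299 SEQ=44068
Jul 29 04:52:04 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=193.40.58.14 DST=my.ip.add.ress LEN=165 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=16699 DPT=60059 LEN=145
"""

# Constructed sample: a subset of the `netstat -lnptu` output in the question.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2246/sshd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1375/portmap
udp 0 0 0.0.0.0:123 0.0.0.0:* 3325/ntpd
udp6 0 0 :::123 :::* 3325/ntpd
"""

# Shorewall prefixes netfilter log lines with "Shorewall:<chain>:<action>:".
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


def parse_shorewall_line(line):
    """Parse one Shorewall/netfilter log line into a dict, or None if it is not one.

    Fields are KEY=VALUE tokens; bare flags such as DF become True. LEN appears
    twice (IP total length, then transport payload length), so the second copy is
    stored as PAYLOAD_LEN; any other repeated key gets a "_2" suffix.
    """
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in rec:
                key = "PAYLOAD_LEN" if key == "LEN" else key + "_2"
            rec[key] = val
        else:
            rec[tok] = True
    return rec


def summarize_drops(log_text):
    """Count dropped packets per protocol and per destination port, and the
    number of distinct source addresses that hit each destination port."""
    by_proto, hits = Counter(), Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if not rec or rec["action"] != "DROP":
            continue
        by_proto[rec["PROTO"]] += 1
        if "DPT" in rec:  # ICMP lines carry no port
            hits[rec["DPT"]] += 1
            sources[rec["DPT"]].add(rec["SRC"])
    return {
        "by_proto": dict(by_proto),
        "hits_by_dport": dict(hits),
        "distinct_sources_by_dport": {p: len(s) for p, s in sources.items()},
    }


def listening_ports(netstat_text):
    """Return the set of (family, port) pairs bound by local servers according to
    `netstat -lnptu` output; udp/udp6 collapse to 'udp', tcp/tcp6 to 'tcp'."""
    bound = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith(("tcp", "udp")):
            continue
        family = "udp" if f[0].startswith("udp") else "tcp"
        bound.add((family, f[3].rsplit(":", 1)[1]))
    return bound


def triage(summary, bound, dport, family="udp", scan_ratio=0.5):
    """Classify dropped traffic to one port. scan_ratio is an assumed threshold:
    when distinct sources make up at least that fraction of the hits, the
    traffic looks like a distributed scan rather than one persistent peer."""
    hits = summary["hits_by_dport"].get(dport, 0)
    srcs = summary["distinct_sources_by_dport"].get(dport, 0)
    if hits == 0:
        return "no dropped traffic to that port"
    if (family, dport) in bound:
        return "a local process is bound to that port: identify it first"
    if srcs / hits >= scan_ratio:
        return "nothing listening; many distinct sources: looks like a distributed blind scan"
    return "nothing listening; few sources repeating: review outbound traffic from this host"


if __name__ == "__main__":
    s = summarize_drops(SAMPLE_LOG)
    print(s)
    print(triage(s, listening_ports(SAMPLE_NETSTAT), "60059"))
```

On a live system the same functions would be fed the full logcheck mail (or /var/log/kern.log) and the actual `netstat -lnptu` output; the verdict string is only a starting point for the manual check the answer describes.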