LinuxQuestions.org


qwijibow 10-24-2004 08:17 PM

firewall detected outgoing sub7 connect attempt !!!???
 
Code:

IN= OUT=eth0 SRC=MY_IP DST=OTHER_IP LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1214 DPT=1234 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=MY_IP DST=OTHER_IP LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1214 DPT=1234 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=MY_IP DST=OTHER_IP LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1214 DPT=1234 WINDOW=5840 RES=0x00 ACK SYN URGP=0

I've removed the IP addresses.

I normally use my own iptables firewall, but recently decided to give firestarter a go.
I have opened port 1214.

this shows the source port as 1214, destination port as 1234 (the SubSeven Port)

plus I'm getting huge amounts of SHELL CODE SETUID 0 and x86 NOOP packets.

is this anything to worry about ?

Capt_Caveman 10-24-2004 10:56 PM

Why do you have port 1214 open?

That warning is triggered by the use of port 1234, so it's prone to false positives because most systems will use unprivileged ports >1023 as the source port for connections. Since this increments as more connections are made, the use of 1234 is not that uncommon. The shell code and NOP sled in packets is more of a concern, but is that associated with this connection (same IP address, ports, time, etc)? Seeing them randomly due to all the windows malware is quite common and could just be coincidence, but if it's associated somehow with the other traffic then it might be something to be concerned about. Capturing some full packet dumps of the traffic with tcpdump might be informative.

chort 10-24-2004 10:56 PM

Well there's really no reason why your box should be making connections to arbitrary (or not so arbitrary) high ports on another box. The shellcode attacks could be worrisome if they're going to services on your box that could be vulnerable. It's probably a good idea to check for rootkits at this point and start looking into where all that shellcode is being directed. There's a fair chance that you have exploitable services running.

Capt_Caveman 10-24-2004 11:25 PM

Those are outbound replies, no? Look like response packets to incoming connection attempts to port 1214 on his system.

chort 10-25-2004 01:42 AM

Whoops, yeah I didn't scroll all the way to the right. Sure enough that's trying to complete the handshake. By the way, 1214 is usually associated with Kazaa, so it could be a file sharing client running locally and some remote host connecting to it in an attempt to view shared files.

Whether the shellcode stuff is something to be worried about depends entirely on what service it's targeting. I've seen a lot of shellcode hitting my Apache server for the last several months, but it targets an IIS vulnerability so it's not concerning at all. On the other hand, if it targeted PHP and mod_php is loaded, that could be troubling.
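
The distinction drawn above (a packet with OUT=eth0 carrying ACK SYN is the second step of a handshake someone else started on port 1214, not an outbound connect to port 1234) can be checked mechanically. This is an added example, not code from the thread or from Firestarter; the sample lines are constructed in the iptables LOG format the poster quoted, with the same placeholder addresses, and the second and third lines are invented to show the other two cases.

```python
import re

# Constructed sample lines in the iptables LOG format shown in the thread.
# Line 1: the poster's packet (SYN/ACK leaving on port 1214 -> peer port 1234).
# Line 2: what a real outbound connect to port 1234 would look like (bare SYN).
# Line 3: the inbound SYN to port 1214 that line 1 is answering.
SAMPLE_LOG = """\
IN= OUT=eth0 SRC=MY_IP DST=OTHER_IP LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1214 DPT=1234 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=MY_IP DST=OTHER_IP LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=32771 DPT=1234 WINDOW=5840 RES=0x00 SYN URGP=0
IN=eth0 OUT= SRC=OTHER_IP DST=MY_IP LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=1234 DPT=1214 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KEY_VALUE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens (value may be empty, e.g. "IN=")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag tokens in a LOG line

def parse_line(line):
    """Split one iptables LOG line into a dict of KEY=value fields and a set of TCP flags."""
    fields = dict(KEY_VALUE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(line):
    """Return (direction, role, service_port) for a TCP LOG line, or None if not TCP.

    service_port is the port of the *listening* side: the DPT of a bare SYN,
    or the SPT of a SYN/ACK (which answers a SYN the other side sent).
    """
    fields, flags = parse_line(line)
    if fields.get("PROTO") != "TCP":
        return None
    direction = "outbound" if fields.get("OUT") and not fields.get("IN") else "inbound"
    if flags == {"SYN"}:
        return direction, "connect", int(fields["DPT"])
    if flags == {"SYN", "ACK"}:
        return direction, "reply", int(fields["SPT"])
    return direction, "established", None

def is_outbound_connect_to(line, port=1234):
    """True only for a genuine outbound connection attempt to `port`.

    A SYN/ACK with DPT=port is the local host answering an inbound connection
    whose peer happened to pick `port` as its ephemeral source port, so it is
    not counted; that is exactly the false positive in the thread.
    """
    result = classify(line)
    return result is not None and result[0] == "outbound" and result[1] == "connect" and result[2] == port
```

Run over the thread's line this reports an outbound reply for service port 1214, while the firewall's rule keyed only on DPT=1234 flagged it as a SubSeven connect.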

qwijibow 10-25-2004 08:42 AM

the shellcode is all from the same IP, and coming in large bursts. but it is going to a high port which is stealthed by my firewall, and has no services listening on it.

thanks... I'll check for rootkits next time I powerdown (with knoppix)
what's worrying me is the way someone is sending shellcode to a firewalled port with no services running.

maybe this guy was confusing my ip with another ?
or maybe a root kit falsifying "iptables -vL" and "netstat -l" output ????

anyways.. thanks for the replies.

Capt_Caveman 10-25-2004 12:40 PM

Might want to try running a scan with chkrootkit and/or rootkit hunter while the system is up and running as well. If you have a file integrity scanner like tripwire, now would be a good time to run a check.

Also, try performing a port scan of the box from a remote system (a second machine or even one of those free online scans) to see if the firewall is performing as it should. Alternatively you could compare md5 sums of the iptables and netstat binaries to that of "known good" versions to rule out trojans.
