Different handling of privileged ports by scanlogd-2.0 by Solar Designer, available at www.openwall.com/scanlogd

Don't bother Solar Designer with bug reports or complaints about this hack; send your comments to Steffen Dettmer if you feel the need. Keep in mind that this is not an official feature at all; there is no official statement by Solar Designer or anything of the kind. Of course this code comes as-is, without any warranties.

Description (Draft)

Some of the entries logged by scanlogd (on some hosts, of course) are FTP transfers; on FTP servers, almost all of them are. It's possible to hide a port scan behind an FTP transfer (or something that looks like one). A scan that touches some high ports before scanning the interesting ports would be logged no differently from an FTP transfer, so an administrator couldn't see a difference. The problem is that it is very easy to hide a scan if the scanner scans some (maybe 10) high ports first and only then the interesting privileged ports. Programs like "nmap" make it easy to use the FTP port as the source port, so the traffic looks like an active FTP transfer.

So I felt it would be nice if scanlogd could distinguish between non-privileged and privileged target ports, and I tried to implement this feature. The patch logs scanned privileged ports additionally, so the logfile will contain not only the list of the first ten tried ports (possibly unprivileged ones only), but additionally the first privileged ports. Using the patch doesn't reduce the number of entries, and I would be surprised if it changed anything (when we talk about some hundreds of files being FTP'd).

Another interesting thing: even the false positives include privileged port accesses: the ftp, mail and www ports (the person told me she looks at the web pages while uploading; sending mail just happens :) ). With the patch, I would also see if there's a packet for the telnet (or whatever) port (in a second log entry). Otherwise I just get a list like 4901, 4901, ... 4910, ...; with the patch I see 25, 80 (and the other scanned privileged ports if there are more than MIN_COUNT).

Second, if a person guesses that scanlogd is running, e.g. because a blind telnet reports "SuSE 6.1\n\nlogin:" or similar (yes, it's enabled for the world by default!), the attacker could use it: just scan from a high source port ten times a day (the admin sees this log entry ten times a day; after a week he wouldn't look as closely as he should, I think). Then the privileged ports are included, but on this scan the first 100 tries go to ports 4900 and up. scanlogd would report:

scanlogd: 127.0.0.1 to 127.0.0.1 ports 21, 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, ..., f??pauxy, TOS 00 @03:51:56

The patched one reports exactly this in the same case and additionally:

scanlogd: 127.0.0.1 to 127.0.0.1 PRIVILEGED ports 21, 80, 81, 82, 83, 84, ..., 5900, 5901, 5902, 5903, ..., f??pauxy, TOS 00 @03:51:56

(the test script simply scans port 21, 22 times 5900++ and 10 times 80++). Even if the admin gets FTP look-alikes ten times a day, NOW he would get a different message.

Of course it's difficult to say how realistic such an attack is, but if I were an intruder, I would try it this way. Even the commercial detectors (ok, I only know RealSecure Intrusion Detection ;)) with their GUI interface become unreadable in front of heavily loaded FTP servers, so attackers would fake whatever is possible to hide themselves.
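To show what the separate privileged-port list changes in the log, here is an added Python simulation of the port bookkeeping with and without that list; it is not scanlogd's code or this patch. The thresholds, the ten-port limit and the exact log wording are assumptions approximating scanlogd's output, and the packet sequence is the constructed one from the test script above.

```python
"""Simulate scanlogd-style reporting with and without a privileged-port list."""

SCAN_MIN_COUNT = 7   # assumption: distinct ports before a scan is reported
LOG_MAX_PORTS = 10   # assumption: how many ports one log line lists
PRIV_LIMIT = 1024    # ports below this are privileged


def summarize(ports, limit=LOG_MAX_PORTS):
    """Render a port list the way the log lines above do: first N, then '...'."""
    shown = ", ".join(str(p) for p in ports[:limit])
    return shown + (", ..." if len(ports) > limit else "")


def detect(src, dst, packets, split_privileged):
    """packets: destination ports seen from src, in arrival order.

    Returns the log lines a scanlogd-like detector would emit. With
    split_privileged=False only the first LOG_MAX_PORTS distinct ports are
    listed, so a scan that starts with high ports hides its privileged
    targets behind the '...'. With split_privileged=True a second line
    lists privileged ports first, regardless of when they were touched.
    """
    seen = []   # distinct destination ports, in order of first contact
    priv = []   # the privileged subset, same order
    for port in packets:
        if port not in seen:
            seen.append(port)
            if port < PRIV_LIMIT:
                priv.append(port)
    if len(seen) < SCAN_MIN_COUNT:
        return []
    lines = [f"scanlogd: {src} to {dst} ports {summarize(seen)}"]
    if split_privileged and priv:
        high = [p for p in seen if p >= PRIV_LIMIT]
        lines.append(f"scanlogd: {src} to {dst} PRIVILEGED ports "
                     f"{summarize(priv + high)}")
    return lines


if __name__ == "__main__":
    # Constructed sequence matching the test script: 21, 22 x 5900++, 10 x 80++
    scan = [21] + list(range(5900, 5922)) + list(range(80, 90))
    for line in detect("127.0.0.1", "127.0.0.1", scan, split_privileged=True):
        print(line)
```

The unpatched line never mentions ports 80 through 89 because the 22 high ports pushed them past the ten-port limit; the second line makes them visible.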