See below.

At 11:29 PM 10/14/02 +0200, Jon Clausen wrote:
>Logged into a remote Dachstein box to check up on something else, and I
>see huge amounts of denied packets in /var/log/messages...
>
>Connection attempts from f.x:
>
>10.131.224.1:3 -> 62.243.222.62:1
>^^unknown^^       ^^my remote^^
>
>I see a bunch of these from different IPs (that is, from port 3 to port
>1)... dunno what to make of that,

Me neither. Please provide the full line for the blocked packet (as you did
with the second example, below), not an uninterpretable fragment. This
*could* just be icmp type 3, message 1 ("host unreachable"). Or it could be
something else, since you don't tell us (for example) what the PROTO= value
is.

>but then there's this guy:
>
># grep 65.82.107.120 $_ | nl
>      1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0
>PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x0000 T=45
>(#2)
>
><continues in 'bursts' to:>
>...
>
>    164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0
>PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x0000 T=45
>(#2)
>
>is this some kind of DoS? Am I under attack, or is it just some
>misconfigured box?

Probably none of the above. PROTO=1 means icmp, and "port" 5 (it's really a
message type, not a port, when icmp is involved) means it is an icmp
redirect packet. The packet should be telling you that this host is not the
preferred route to some destination. Whether this means a problem with
your routing table or someone else's is unknowable from the information you
have provided.

>I nmapped the IP, and the only thing that came up was:
>Port       State       Service
>1433/tcp   open        ms-sql-s
>
>-so I'm guessing it's a zombie windows host... (?)



--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                   -- Han Solo
Palo Alto, California, USA                        [EMAIL PROTECTED]
-------------------------------------------------------------------------------



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
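The point of the reply above is that for PROTO=1 the two "port" fields in an ipchains "Packet log:" line are the ICMP type and code, so a line cannot be read without its PROTO= value. The following parser is an added example written for this page, not code from the original thread or from the LEAF/Dachstein project. It decodes the log format shown in the post (chain, target, interface, PROTO=, src:sport, dst:dport, L=, S=, I=, F=, T=, optional flag words such as SYN, and the (#rule) tag), maps ICMP type/code pairs to names, and counts what each source sent. The sample log lines are constructed for the example; they reuse the addresses from the post but the timestamps, IP ids and the non-ICMP lines are made up, and the assumption that a flag word like SYN appears between T= and (#rule) follows the ipchains log layout as I know it.

```python
import re
from collections import Counter

# Constructed sample of ipchains "Packet log:" lines. The first two mirror the
# ICMP type 5 lines from the post; the rest are invented to show that the same
# "3 -> 1" pair reads very differently depending on PROTO=.
SAMPLE_LOG = """\
Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x0000 T=45 (#2)
Oct 14 15:05:57 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5690 F=0x0000 T=45 (#2)
Oct 14 15:06:01 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=1201 F=0x0000 T=52 (#2)
Oct 14 15:06:02 skilderhus kernel: Packet log: input DENY eth0 PROTO=6 10.131.224.1:3 62.243.222.62:1 L=40 S=0x00 I=4412 F=0x0000 T=52 SYN (#2)
Oct 14 15:06:03 skilderhus kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.7:53 62.243.222.62:1027 L=78 S=0x00 I=9 F=0x0000 T=60 (#3)
"""

# One regex for the whole ipchains log record; the syslog prefix before
# "Packet log:" is ignored via search().  Flag words (e.g. SYN) are assumed
# to sit between T=<ttl> and the (#rule) tag.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

# ICMP type and code names (RFC 792 numbering, only the common ones).
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded",
    12: "parameter problem",
}
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed",
        5: "source route failed"},
    5: {0: "redirect for network", 1: "redirect for host",
        2: "redirect for TOS and network", 3: "redirect for TOS and host"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it is
    not a Packet log record.  Numeric fields are converted to int."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].strip()
    return rec


def describe(rec):
    """Interpret the src:sport dst:dport pair according to PROTO=.
    For ICMP (PROTO=1) the two numbers are type and code, not ports."""
    proto = rec["proto"]
    if proto == 1:
        icmp_type, icmp_code = rec["sport"], rec["dport"]
        tname = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
        cname = ICMP_CODES.get(icmp_type, {}).get(icmp_code, "code %d" % icmp_code)
        return "icmp %s, %s" % (tname, cname)
    name = PROTO_NAMES.get(proto, "proto %d" % proto)
    text = "%s port %d -> %d" % (name, rec["sport"], rec["dport"])
    if rec["flags"]:
        text += " " + rec["flags"]
    return text


def summarize(log_text):
    """Count denied packets per (src, dst, interpretation) so bursts like the
    164 redirects in the post collapse into one line with a count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["src"], rec["dst"], describe(rec))] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, what), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%5d  %-16s -> %-16s %s" % (n, src, dst, what))
```

Run against a real /var/log/messages the summary makes the distinction the reply asks for: "10.131.224.1:3 -> 62.243.222.62:1" is "destination unreachable, host unreachable" when PROTO=1 and a TCP SYN from port 3 to port 1 when PROTO=6, and the burst from 65.82.107.120 shows up as a count of ICMP redirects rather than 164 separate lines. Whether those redirects reflect a routing problem still cannot be decided from the log alone, as the reply says; a host that does not route for others has no use for them and can simply keep denying them.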
