On Fri, 2 Feb 2001, Tanner, Robby wrote:

> I have the following in my log file.
>
> Feb  2 03:37:23 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=6
> 202.64.65.202:1619 24.68.176.193:98 L=60 S=0x00 I=41281 F=0x4000 T=45 SYN
> (#12)
> Feb  2 03:37:26 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=6
> 202.64.65.202:1619 24.68.176.193:98 L=60 S=0x00 I=42927 F=0x4000 T=44 SYN
> (#12)
>
> It looks like this machine was trying to connect to Linuxconf.  Is someone
> knocking on the door?

Whois on 202.64.65.202 points to APNIC, probably someone in HK.
Undoubtedly someone doing something bad unless you were trying to do admin
from Hong Kong.


> I also found:
>
> Feb  2 07:34:04 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=6
> 212.205.59.145:3734 24.68.176.193:27374 L=48 S=0x00 I=32569 F=0x4000 T=118
> SYN (#12)
> What's this guy up to?

Sounds like a probe to see if a trojan is installed on your machine.
arachNIDS lists this as a port used by the Ramen worm.

Whois reports that this is someone in Greece?

> Feb  2 08:02:01 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=17
> 207.195.38.51:137 24.68.176.193:137 L=78 S=0x00 I=2037 F=0x0000 T=118 (#12)
> 204.195.38.51 is SASK1, is this a SaskTel server?  Is someone getting cute
> and trying to determine my server type?

NetBIOS probe ... looking for misconfigured Windows machines.

Probably another script kiddie.

> Feb  2 08:46:58 weisktsv03 kernel: Packet log: input DENY eth1 PROTO=17
> 204.112.20.157:14247 255.255.255.255:14247 L=34 S=0x00 I=17931 F=0x0000
> T=125 (#12)
> I don't know what these ports are for.

I'd guess some sort of streaming media off the top of my head.

> Feb  2 08:49:15 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=17
> 198.163.176.3:996 24.68.176.193:1024 L=104 S=0x00 I=18530 F=0x0000 T=121
> (#12)
> 996 is the XTree license server.  What the heck is that?  Why is it trying
> to connect reserved port 1024?

I don't think 1024 is reserved ... everything below 1024 is reserved,
which usually means that 1024 ends up being used by portmapper? Anyway, it
is just another kiddie looking for a way in.

> Feb  2 08:51:10 weisktsv03 kernel: Packet log: input DENY eth1 PROTO=17
> 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=256 F=0x0000 T=32 (#12)
> What's going on here?  Who is looking for a BOOTP server?  Is this something
> to worry about?

Probably not ... someone on your network is looking for DHCP (DHCP and
BOOTP use the same ports for their queries).

> I invite your comments.  Is there anything suspicious going on here?

Normal bad behavior. Script kiddies bulk scan networks looking for
vulnerabilities. I see this type of activity regularly.

It looks like you have a good, healthy paranoia and a reasonably good
firewall setup. If you want to be more paranoid, you can look at NIDS like
snort and portlogger.

thornton
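An added example (my own code, not from the thread or from any project it mentions): a small Python parser for the ipchains "Packet log:" lines quoted above, plus a triage function that labels denied packets using the interpretations given in the thread (linuxconf on tcp/98, a trojan port on tcp/27374, NetBIOS on udp/137, DHCP/BOOTP discovery on udp/68 to 67). The field layout is read off the quoted lines; the regex and the label strings are my assumptions, and the sample input is the thread's own lines re-joined onto single lines.

```python
import re
# Layout of an ipchains "Packet log:" line, as quoted in the thread: <chain> <action> <iface>
#   PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$")
INT_FIELDS = ("proto", "sport", "dport", "len", "ipid", "ttl", "rule")

def parse_ipchains_log(line):
    """Return the line's fields as a dict (ints where numeric), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in INT_FIELDS:
        e[k] = int(e[k])
    e["syn"] = e.pop("flags") == "SYN"  # ipchains prints SYN only for TCP connection attempts
    return e

def classify(e):
    """Label an entry using the thread's interpretations (label text is my own, assumed)."""
    tcp, udp = e["proto"] == 6, e["proto"] == 17
    if udp and e["src"] == "0.0.0.0" and e["sport"] == 68 and e["dport"] == 67:
        return "benign: DHCP/BOOTP discovery from a host on the local segment"
    if tcp and e["syn"] and e["dport"] == 98:
        return "probe: linuxconf (tcp/98) connection attempt"
    if tcp and e["syn"] and e["dport"] == 27374:
        return "probe: trojan/backdoor port tcp/27374"
    if udp and e["dport"] == 137:
        return "probe: NetBIOS name service (udp/137)"
    return "unclassified: review manually"

def triage(lines):
    """Return (src, dst, dport, label) for every parseable DENY entry, in log order."""
    out = []
    for line in lines:
        e = parse_ipchains_log(line)
        if e and e["action"] == "DENY":
            out.append((e["src"], e["dst"], e["dport"], classify(e)))
    return out

# Sample input (constructed from the thread): four of its log lines, each re-joined onto one line.
SAMPLE = [
    "Feb  2 03:37:23 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=6 202.64.65.202:1619 24.68.176.193:98 L=60 S=0x00 I=41281 F=0x4000 T=45 SYN (#12)",
    "Feb  2 07:34:04 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=6 212.205.59.145:3734 24.68.176.193:27374 L=48 S=0x00 I=32569 F=0x4000 T=118 SYN (#12)",
    "Feb  2 08:02:01 weisktsv03 kernel: Packet log: input DENY eth0 PROTO=17 207.195.38.51:137 24.68.176.193:137 L=78 S=0x00 I=2037 F=0x0000 T=118 (#12)",
    "Feb  2 08:51:10 weisktsv03 kernel: Packet log: input DENY eth1 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=256 F=0x0000 T=32 (#12)",
]
```

Run `triage(SAMPLE)` to get one labelled tuple per line; anything that comes back "unclassified" is what still needs a human look.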



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
