I know the IP of my comp is totally different; that is part of the reason I was wondering about the loopback traffic. I do have lsof and I will look into that to see what is going on. And yesterday I saw a lot of traffic going into and out of my DSL modem (physically separate from my box) and I didn't show any new usage of the internet via netstat and my firewall monitoring utilities. Do you think this could be a break-in attempt, or could I have already been broken into?

Thanks
Craig

On Thu, Jan 17, 2002 at 09:09:19AM +1300, [EMAIL PROTECTED] wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Actually, most loopback devices respond to any IP within the 127/8 IP range,
> because the entire /8 block is reserved for loopback purposes.
>
> The fact that a program is using it isn't a ''bad'' thing, although it is
> extremely odd.
>
> I do have a few concerns though. Is 45.253.14.97 an IP address on the system?
> If not, you may want to investigate as to why traffic to the loopback subnet is
> being routed there.
>
> Also, if you're running a *NIX variant (Being snort, I guess so)... See if
> there is a version of a utility called 'lsof' available for your system. What
> that does is list information about open file descriptors, including sockets
> (tcp, udp, unix, etc), pipes, fifos, normal files, and more.
>
> The output from that may be able to give you some insight as to what is binding
> to that port on your system, if indeed anything is.
>
> On 15-Jan-2002 Craig Van Tassle wrote:
> > My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig
> > shows me.. and I have no idea what program is running on that port.
> > Do you think that I could have a possible intrusion?
> >
> > Thanks
> > Craig
> >
> > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> >> No, you can't bypass the firewall using the loopback interface. What's
> >> interesting though is the IP address they're using... usually loopback is
> >> 127.0.0.1 and the port number, 5460 isn't assigned to anyone so what program
> >> is running?
> >>
> >> -----Original Message-----
> >> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> >> Sent: Monday, January 14, 2002 8:48 AM
> >> To: secuirty-basics
> >> Subject: loopback device
> >>
> >>
> >> Is it possible for someone over a network to use my loopback to bypass my
> >> firewall? If so what can I do to mitigate the problem and how damaging can
> >> it be?
> >>
> >> The reason I'm asking is my Snort system is showing bad loopback traffic..
> >> thanks
> >>
> >> here is a snippet from my snort logs.
> >>
> >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> >> [Classification: Potentially Bad Traffic] [Priority: 2]
> >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> >> ******S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
> >>
> >> Thanks
> >> Craig
> >>
> >>
>
> - --
> Phillip O'Donnell
> Software Engineer, Esphion Limited
> [EMAIL PROTECTED]
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.1i
>
> iQA/AwUBPEXd7nbXtTBvmfCfEQKNyQCfd08qxIx1+JqoOl47TH/pm74eSRcAoO7g
> Ky+CD/KuL2KCESveLJw30Gb1
> =VjXg
> -----END PGP SIGNATURE-----
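The check suggested in the quoted reply (is the destination inside 127/8, and is the source an address this host actually owns?) can be scripted over Snort alert text. This is an added example, not part of the original thread; the function name, the `local_addrs` parameter and the 192.0.2.10 placeholder used to exercise it are assumptions.

```python
import ipaddress
import re

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")  # the whole /8 is loopback

# Address line of a Snort alert: "<timestamp> src:port -> dst:port"
ADDR_LINE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Alert text as quoted in the thread above.
THREAD_ALERT = """[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
******S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20"""

# Constructed sample: ordinary same-host loopback traffic.
LOCAL_ALERT = "01/12-14:10:12.000000 127.0.0.1:40000 -> 127.0.0.1:5460"

def triage_loopback_alert(alert_text, local_addrs):
    """Return triage facts for one alert, or None if it has no valid address line.

    local_addrs is an assumption: the addresses configured on this host,
    collected by the caller (for example from ifconfig output).
    """
    m = ADDR_LINE.search(alert_text)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:  # e.g. an octet above 255
        return None
    local = {ipaddress.ip_address(a) for a in local_addrs}
    src_is_local = src in LOOPBACK_NET or src in local
    dst_is_loopback = dst in LOOPBACK_NET
    return {
        "src": str(src),
        "dst": str(dst),
        "dport": int(m["dport"]),
        "dst_is_loopback": dst_is_loopback,
        "src_is_local": src_is_local,
        # Loopback destination from an address this host does not own:
        # the case the reply says to investigate.
        "needs_investigation": dst_is_loopback and not src_is_local,
    }
```

For traffic that does turn out to be local, `lsof -i TCP:5460` run on the host lists any process bound to the port named in the alert.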