Hi folks, I'm not really a newbie with Linux or SuSE, but I'm not too deep in the matter, so I need a helping hand. I've got a home LAN which consists of a Win2Kpro plus a Win98se workhorse and a notebook with SuSE 7.2 on it. Then there is a SuSE 7.0 "server" that manages T-DSL dial-on-demand as well as packet filtering by SuSEfirewall2. The whole stuff runs nicely. :)

Now I lately looked in /var/log/messages and found masses of:

---------------------------------------------------------
Oct 24 06:30:54 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64130 F=0x4000 T=108 SYN (#77)
Oct 24 06:30:57 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=8821 F=0x4000 T=110 SYN (#77)
Oct 24 06:30:57 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64279 F=0x4000 T=108 SYN (#77)
Oct 24 06:31:03 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=17013 F=0x4000 T=110 SYN (#77)
Oct 24 06:31:03 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64570 F=0x4000 T=108 SYN (#77)
Oct 24 06:31:15 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=31093 F=0x4000 T=110 SYN (#77)
---------------------------------------------------------

The source IPs change a lot. When I restart pppoed this flood is stopped for some time. Then it comes again and increases in volume. Currently I get a hit every second or so. At least tail -f /var/log/messages updates the screen at this rate.

There are 3 little problems with this:

1) My dial-on-demand doesn't shut down since ppp0 doesn't idle
2) My poor old server's hard disk keeps clicking all the time
3) It bugs me that I don't know what's going on =8-}

Though I have Morpheus and Bearshare on my Win2K box, both weren't running since my last connect to the internet. There must be something in here which tempts all the folks to sniff at port 6680 of the router. Could someone think of a way I can trace the application in my LAN that calls its buddies? Maybe it's a freak service of Win2Kpro? I'm rather sure I have no Linux daemon running on port 6680. Even if I had, the hits are denied anyway.

regards
andreas
Hi Andreas, hi folks

Andreas Fiesser wrote:

. . .<snip>
Now I lately looked in /var/log/messages and found masses of:
---------------------------------------------------------
Oct 24 06:30:54 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64130 F=0x4000 T=108 SYN (#77)

1) From /my/ mail of 29-aug-2001:

Hi all! Don't know if this has (ever) been told to the list -- apologies if everyone knows; if not, it may be helpful for _all_ queries about log entries. I noticed the following link on another mailing list (I'm subscribed to): http://www.echogent.com/cgi-bin/fwlog.pl
*** ! simply put in (cut&paste) one of your log entries and get the result ! ***
Didn't have (enough) time to verify if it's (really) resolving _all_ queries, but: a) all queries I've made made sense in my cases, and b) I assume they did REALLY GOOD WORK (and are going on!!)!!

2) There are several sites where you can search e.g. for port 6680 (google is your friend -- hehe!) -- as it's in the range of the /registered/ ports [1024-49151], maybe it's a good point to start with the _normal_ use of the port??!! If the docs (IANA / RFCs) show it as /unassigned/ you can be sure(?) that there's no _/*normal*/_ use!

3) Have a look at those websites that have listed the 'known trojan ports, ...' (again google is your friend!)

4) Look at every Win box (netstat -a ; netstat -? gives a short explanation for the possible options) to find out /who/ is waiting for connections on that port!

5) Search the archive of _this_ mailing list if anyone else refers to that port

6) ...

7) ...

ok, ok maybe it's not what you've expected, but nevertheless HTH ;-)

--
best greetings from Solingen /GERMANY
Dieter Hürten
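Before pasting individual lines into a web form or going through the Win boxes with netstat, it is worth letting a script characterise the whole "flood" from the log itself. The following is an added example, not code from either poster or from SuSEfirewall2: it parses the ipchains-style "Packet log:" lines the 2.2 kernel writes, counts hits and distinct sources per destination port, and groups SYNs by (source address, source port, destination, destination port) to measure the gaps between repeats. In the six quoted lines each source keeps the same source port and its gaps double (3 s then 6 s for 61.210.24.153, 6 s then 12 s for 131.113.98.178), which is what a single client's TCP stack does when its SYN gets no answer: two clients retrying one connection each, not dozens of separate probes. A scan would show many distinct sources hitting once, with changing source ports. The six log lines are embedded as constructed test input, and the year 2001 is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed test input: the six entries quoted from /var/log/messages in the thread above.
SAMPLE_LOG = """\
Oct 24 06:30:54 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64130 F=0x4000 T=108 SYN (#77)
Oct 24 06:30:57 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=8821 F=0x4000 T=110 SYN (#77)
Oct 24 06:30:57 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64279 F=0x4000 T=108 SYN (#77)
Oct 24 06:31:03 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=17013 F=0x4000 T=110 SYN (#77)
Oct 24 06:31:03 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64570 F=0x4000 T=108 SYN (#77)
Oct 24 06:31:15 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=31093 F=0x4000 T=110 SYN (#77)
"""

# One ipchains "Packet log:" line: chain, verdict, interface, protocol, src:sport, dst:dport,
# length, TOS, IP ID, fragment flags/offset, TTL, optional TCP flag words, and the rule number.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)

# syslog stamps carry no year; the thread dates from autumn 2001, so that year is assumed.
ASSUMED_YEAR = 2001


def parse_line(line):
    """Return a dict for one packet-log line, or None for any other syslog line (pppd chatter etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{rec['stamp']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()
    return rec


def parse_log(text):
    """Parse every recognisable packet-log line in a chunk of /var/log/messages."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def hits_per_dport(records):
    """dport -> (total hits, number of distinct source addresses) to see what is being aimed at."""
    hits, sources = defaultdict(int), defaultdict(set)
    for r in records:
        hits[r["dport"]] += 1
        sources[r["dport"]].add(r["src"])
    return {p: (hits[p], len(sources[p])) for p in hits}


def syn_retry_flows(records, min_hits=3):
    """Group TCP SYNs by (src, sport, dst, dport) and report, for flows seen at least min_hits
    times, the inter-arrival gaps and whether they keep growing by at least 1.5x, the signature
    of one client's SYN retransmission backoff rather than independent probes."""
    flows = defaultdict(list)
    for r in records:
        if r["proto"] == 6 and "SYN" in r["flags"]:
            flows[(r["src"], r["sport"], r["dst"], r["dport"])].append(r["when"])
    result = {}
    for flow, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        backoff = all(gaps[i + 1] >= 1.5 * gaps[i] for i in range(len(gaps) - 1))
        result[flow] = {"gaps": gaps, "looks_like_retransmission": backoff}
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits per destination port:", hits_per_dport(recs))
    for flow, info in syn_retry_flows(recs).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} gaps={info['gaps']}s "
              f"retransmission={info['looks_like_retransmission']}")
```

Run it against a larger slice of the real log (for example the output of grep "Packet log" /var/log/messages) to see whether the picture holds: many sources each retrying a few times points at clients that expect a service on that address and port, while many sources each hitting once points at scanning. Either way the script also gives you the list of destination ports to check with netstat -a on the Windows machines, as suggested in step 4 above.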
participants (2): Andreas Fiesser, Dieter Huerten