On Tuesday 07 November 2006 21:35, pelibali wrote:
Hi,
I recently got two "interesting" attacks (i.e. not standard M$-kiddies / worms) and would be glad if someone would take the time to explain to me what was meant to happen there (145.236.x.x are the dynamic addresses of a freenet provider; of course I don't use any 192.168.1.x-type internal addresses and have no 210.6.33.94 as gateway):
Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]
This is an ICMP redirect, telling you that if you want to get to 210.6.33.94, you need to use 210.6.33.94 as a gateway. It doesn't look like an attack (hint: not everything dropped by your firewall is an 'attack') as much as a misconfigured router (specifically the one with IP 210.6.33.56).
Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
This is a standard Win98 style NETBIOS network browse.
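The two log lines above can be triaged mechanically. The following is an added example, not code from the thread or from SuSE: a small parser for the SuSEfirewall2 log format (the `K=V` fields, with the quoted original packet of an ICMP error in `[ ... ]`) plus a classifier that flags the two things the reply points out, namely an ICMP redirect (TYPE=5) whose advertised gateway is the very destination it redirects to, and a private (RFC 1918) source address arriving on the external interface with a SYN to the NetBIOS session port. The interface name `ppp0`, the two sample lines (copied from the post) and the finding labels are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the two lines quoted in the thread, in SuSE-FW log format.
SAMPLE_LOG = """\
Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]
Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # K=V tokens; OUT= and MAC= yield ''
RULE_RE = re.compile(r"(SuSE-FW-[A-Z-]+)")  # the firewall chain/rule tag
NETBIOS_PORTS = {137, 138, 139, 445}        # NetBIOS name/datagram/session, SMB direct
ICMP_REDIRECT = "5"


def parse_fields(text):
    """Turn 'K=V K=V ...' into a dict (later duplicates such as a second LEN win)."""
    return {k: v for k, v in KV_RE.findall(text)}


def parse_line(line):
    """Split one SuSE-FW line into rule tag, outer headers, bare flags and the
    quoted inner packet (present only for ICMP error messages)."""
    rule = RULE_RE.search(line)
    outer, _, inner = line.partition(" [ ")
    return {
        "rule": rule.group(1) if rule else None,
        "outer": parse_fields(outer),
        # tokens without '=' are flags such as DF / SYN / ACK
        "flags": {t for t in outer.split() if "=" not in t},
        "inner": parse_fields(inner) if inner else None,
    }


def assess(rec, external_if="ppp0"):
    """Return a list of finding labels (assumed names) for one parsed record."""
    o = rec["outer"]
    findings = []
    src = ipaddress.ip_address(o["SRC"])
    # RFC 1918 source on the Internet-facing interface: spoofed or leaked
    # from a misrouted LAN; it can never be answered, so it is noise, not a threat.
    if o.get("IN") == external_if and src.is_private:
        findings.append("private-source-on-external-interface")
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == ICMP_REDIRECT:
        findings.append("icmp-redirect")
        inner = rec["inner"] or {}
        # A redirect that names the destination itself as the gateway is
        # useless routing advice: a broken router rather than an attack.
        if o.get("GATEWAY") and o["GATEWAY"] == inner.get("DST"):
            findings.append("redirect-gateway-equals-destination")
    if o.get("PROTO") == "TCP" and "SYN" in rec["flags"] \
            and int(o.get("DPT", "0")) in NETBIOS_PORTS:
        # Windows-style network browse / share probe (TTL 127 is one hop
        # below the Windows default of 128).
        findings.append("netbios-probe")
    return findings


def analyse_log(text, external_if="ppp0"):
    """Parse every SuSE-FW line in `text` and attach its findings."""
    results = []
    for line in text.splitlines():
        if "SuSE-FW" not in line:
            continue
        rec = parse_line(line)
        rec["findings"] = assess(rec, external_if)
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in analyse_log(SAMPLE_LOG):
        o = rec["outer"]
        print(f"{rec['rule']:24} {o['SRC']:>16} -> {o['DST']:<16} {rec['findings']}")
```

Run on the two sample lines, the first record is labelled `icmp-redirect` and `redirect-gateway-equals-destination` (the inner packet's DST and the outer GATEWAY are both 210.6.33.94), the second `private-source-on-external-interface` and `netbios-probe`; neither is a working attack against the host, which matches the reply. Pointing `analyse_log` at `/var/log/messages` gives the same triage for a real log.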