Explanation for two interesting attacks.
Hi,

I recently got two "interesting" attacks (= not standard M$-kiddies / worms) and would be glad if someone would take the time to explain to me what was meant to happen there (145.236.x.x are the dynamic addresses of a freenet provider; of course I don't use any 192.168.1.x-type internal addresses and have no 210.6.33.94 as gateway):

Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]

Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)

I'm sorry for any typos, I had to type this in, because I had these entries only on a folded printout...

Thank you,
Pelibali
On Tuesday 07 November 2006 11:35, pelibali wrote:
Hi,
I recently got two "interesting" attacks (= not standard M$-kiddies / worms) and would be glad if someone would take the time to explain to me what was meant to happen there (145.236.x.x are the dynamic addresses of a freenet provider; of course I don't use any 192.168.1.x-type internal addresses and have no 210.6.33.94 as gateway):
Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]
You will get these all day long. It's either some Windows machine plugged directly into the net (horrors) looking for a mate, or Messenger spam. Starts at 1029 and runs upward from there. Plug a Windows machine into the net and one of these is sure to pop up within minutes, saying "Click here to improve internet security". ICQ can also use that port.
Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
That one above looks like what happens when Joe Sixpack plugs his router into his internet connection with the ports reversed. It's got 192.169 on the outside (toward the net) and it's looking for Windows machines.

-- 
John Andersen
On Tuesday 07 November 2006 21:35, pelibali wrote:
Hi,
I recently got two "interesting" attacks (= not standard M$-kiddies / worms) and would be glad if someone would take the time to explain to me what was meant to happen there (145.236.x.x are the dynamic addresses of a freenet provider; of course I don't use any 192.168.1.x-type internal addresses and have no 210.6.33.94 as gateway):
Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]
This is an ICMP redirect, telling you that if you want to get to 210.6.33.94, you need to use 210.6.33.94 as a gateway. It doesn't look like an attack (hint: not everything dropped by your firewall is an 'attack') as much as a misconfigured router (specifically the one with IP 210.6.34.56).
Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
This is a standard Win98 style NETBIOS network browse.
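A small classifier that reads the two log lines from this thread and applies the two readings given above (redirect from a host that is not your first hop; SYN to port 139 from a private address on the external link). This is an added example, not code from the thread or from SuSEfirewall2, and it assumes that ppp0 is the only Internet-facing interface and that no first-hop gateway is known (FIRST_HOP_GATEWAYS is empty); neither is stated in the thread.

```python
import re
from ipaddress import ip_address

# Constructed input: the two entries quoted in the thread, in SuSEfirewall2 / iptables LOG format.
LOG_LINES = [
    "Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]",
    "Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)",
]
# Assumptions (not from the thread): ppp0 is the only Internet-facing interface, and the
# host's real first-hop gateways are unknown, so every redirect sender is treated as foreign.
EXTERNAL_IFACES = {"ppp0"}
FIRST_HOP_GATEWAYS = set()
REDIRECT_CODES = {"0": "network", "1": "host", "2": "tos+network", "3": "tos+host"}
NETBIOS_PORTS = {"137", "138", "139", "445"}
KV = re.compile(r"(\w+)=(\S*)")

def parse_fw_line(line):
    """Split a LOG line into the outer header dict and, for ICMP errors, the quoted inner header."""
    outer_txt, inner_txt = (line.split("[", 1) + [""])[:2]
    outer = dict(KV.findall(outer_txt))
    outer["flags"] = {f for f in ("SYN", "ACK", "FIN", "RST") if f" {f} " in outer_txt}
    inner = dict(KV.findall(inner_txt)) if inner_txt.strip(" ]") else None
    return outer, inner

def classify(line):
    """Return a dict naming the event and the defender's reading of it."""
    outer, inner = parse_fw_line(line)
    src, iface = outer["SRC"], outer.get("IN", "")
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "5":
        # A redirect is only legitimate from the first hop currently used for the quoted
        # destination; from any other host it is a misconfiguration or an attempt to steer traffic.
        return {"event": "icmp-redirect", "scope": REDIRECT_CODES.get(outer.get("CODE"), "unknown"),
                "sender": src, "new_gateway": outer.get("GATEWAY"),
                "quoted_dst": inner["DST"] if inner else None,
                "legitimate": src in FIRST_HOP_GATEWAYS}
    if outer.get("PROTO") == "TCP" and "SYN" in outer["flags"] and outer.get("DPT") in NETBIOS_PORTS:
        # SYN to NetBIOS/SMB: a Windows network browse or share probe. A private source seen on
        # the external link means leaked RFC 1918 traffic (router/NAT misconfiguration) or spoofing.
        return {"event": "netbios-probe", "sender": src, "dport": outer["DPT"],
                "leaked_private_src": ip_address(src).is_private and iface in EXTERNAL_IFACES}
    return {"event": "other", "sender": src}

if __name__ == "__main__":
    for entry in LOG_LINES:
        print(classify(entry))
```

Whether Linux would act on such a redirect at all is controlled by net.ipv4.conf.*.accept_redirects and secure_redirects; with accept_redirects off the kernel ignores it regardless of the firewall rule.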
Hi,

On Wed, 8 Nov 2006 18:36:09 +0100 Anders Johansson wrote:
Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]
This is an ICMP redirect, telling you that if you want to get to 210.6.33.94, you need to use 210.6.33.94 as a gateway. It doesn't look like an attack (hint: not everything dropped by your firewall is an 'attack') as much as a misconfigured router (specifically the one with IP 210.6.34.56).
Yes, thank you; in fact that is why I asked, because I couldn't decide for sure if it's a real attack or not! Needless to say, this host in Hong Kong was very likely never visited by me or my family. Probably a random try, or it was supposed to come against the computer previously using "our" dynamic IP.
Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
This is a standard Win98 style NETBIOS network browse.
Hmmm. I don't think that a Linux-only small network, hanging on a freenet provider, would normally be contacted from outside with a 192.168.1.x-type internal IP address. But the fact is that every 20 seconds a kiddie or the like is knocking there.

Regards,
Pelibali