Mailinglist Archive: opensuse (4633 mails)

Re: [opensuse] Intrusion attempt?
  • From: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
  • Date: Sun, 31 Dec 2006 14:51:59 +0100 (MET)
  • Message-id: <Pine.LNX.4.61.0612311441590.32449@xxxxxxxxxxxxxxx>

On Dec 31 2006 15:17, Hylton Conacher(ZR1HPC) wrote:
>Subject: [opensuse] Intrusion attempt?
> I have seen the following popup on my /var/log/messages and wonder what it
> could be especially as my current box has the IP of
> Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT=

What we see here seems to be matching -m conntrack --ctstate INVALID.

> MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=
> DST=

As you figured out, dst= is quite unlikely to be routable from Your ISP does not change that (heh - hopefully!) domain name pointer
Whois says:
IMR Worldwide PTY LTD MFN-N298--208-184-36-64-27 (NET-208-184-36-64-1) -

"""IMR Worldwide Pty Ltd , an Australian-based company, has formed a new
partnership with Taylor Nelson Sofres to establish a joint venture
specialising in market research focussing on the Internet.""" So you
know who that is.

> LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP SPT=80 DPT=1202

It is highly unlikely that said box targeted you. The source port is 80,
usually for HTTP, plus you've got a Pty Ltd.

> WINDOW=8192
> RES=0x00 ACK SYN URGP=0 OPT (020405980101080A08A2DBAD01976D81)

This however is strange. It would mean you got a spurious SYN ACK in
your connection. Which can't be, since the connection is unknown
(INVALID, see above). The option string says: maximum segment size is
0x598 (1432), and some other bits not covered by RFC 793.

All in all my conclusion is: The packet you received is valid, as part
of _you_ establishing a connection (probably visiting a webpage with
ads), however, for some __strange__ reason, the connection is INVALID.

I have seen similar strange things with iptables/netfilter recently --
established connections just went INVALID for no apparent reason, yet
they continued to be listed as ESTABLISHED in `conntrack -L`.

What you can do in the short term: post the results of `iptables-save`,
it might reveal some oddity I just stumbled over yesterday. In the long
term, upgrading to iptables 1.3.7 (suser-jengelh) might solve the
problem, the more if iptables-save shows what I think it could show.

> ========================================================================
> Using SuSE 9.2 Professional with KDE and Mozilla Mail 1.7.13
> Linux user # 229959 at
> ========================================================================

I'll take notice. I don't have a repo for that, so iptables 1.3.7 only
for SUSE 10.2 (and most likely downwards compatible with 10.1 and
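
As an added example (not part of the original thread), the script below reassembles the quoted SFW2 log line, decodes the TCP option bytes that the reply reads by hand (MSS 0x598 = 1432, then padding and an RFC 1323 timestamp, which is the part "not covered by RFC 793"), and applies the reply's reasoning as a simple verdict. The IP addresses were scrubbed from the archive, so RFC 5737 documentation addresses stand in; the verdict heuristic is my own, not a SuSEfirewall2 feature.

```python
import re
import struct

# Constructed sample: the log line quoted in the thread, reassembled on one line.
# The archive scrubbed the IP addresses, so placeholder documentation addresses are used.
SAMPLE = ("Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= "
          "MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=192.0.2.10 DST=198.51.100.20 "
          "LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP SPT=80 DPT=1202 WINDOW=8192 "
          "RES=0x00 ACK SYN URGP=0 OPT (020405980101080A08A2DBAD01976D81)")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_sfw2_line(line):
    """Split a netfilter log line into KEY=value fields, bare TCP flag tokens and the OPT hex."""
    rest = line.partition("kernel: ")[2]
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    fields["TAG"] = rest.split()[0]            # e.g. SFW2-INext-DROP-DEFLT-INV
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", rest)
    return fields, flags, (m.group(1) if m else "")

def decode_tcp_options(hexstr):
    """Walk the TCP options: kinds 0-2 are RFC 793, kind 8 (timestamps) is RFC 1323."""
    data, opts, i = bytes.fromhex(hexstr), [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                          # End of option list
            opts.append(("EOL", None)); break
        if kind == 1:                          # No-operation, used as padding
            opts.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed TCP option at byte %d" % i)
        length, body = data[i + 1], data[i + 2:i + data[i + 1]]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 8 and length == 10:
            opts.append(("TS", struct.unpack("!II", body)))   # (TSval, TSecr)
        else:
            opts.append(("kind%d" % kind, body.hex()))
        i += length
    return opts

def analyse(line):
    """Return parsed fields plus a verdict that follows the reasoning in the thread (my heuristic)."""
    fields, flags, opt_hex = parse_sfw2_line(line)
    result = {"tag": fields["TAG"], "flags": flags, "options": decode_tcp_options(opt_hex),
              "src": fields["SRC"], "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}
    if fields.get("PROTO") == "TCP" and flags == {"SYN", "ACK"} and result["dpt"] >= 1024:
        # SYN/ACK from a service port to an ephemeral local port: second step of a handshake
        # the local host began; INVALID means conntrack has no record of the first step.
        result["verdict"] = "reply-to-local-syn"
    elif "SYN" in flags and "ACK" not in flags:
        result["verdict"] = "inbound-connection-attempt"
    else:
        result["verdict"] = "other"
    return result
```

Run `analyse(SAMPLE)` to see the decoded options and the verdict for the quoted line; a bare SYN on the same line would instead be reported as an inbound connection attempt.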
