Strange log entries, martian destination
Hi,
today I had some strange log entries in my messages log: External source addresses to external dest address on my internal interface. And this for exactly 10 seconds! Sometimes in these 10 seconds an internal address xx.xx.xx.xx tried to connect to an external address from AT&T. This address is an HP Deskjet 1120 on an ExtendNet SX (ESI 2841) printserver box. And there were messages with "martian destination" in these 10 seconds too. Some of these addresses are reserved, some are official addresses.
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 91.168.63.123:51480 133.90.24.101:45686 L=40 S=0x00 I=53509 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 244.236.235.124:24475 140.202.207.61:13436 L=40 S=0x00 I=48522 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 104.161.59.77:33401 244.220.3.89:34119 L=40 S=0x00 I=28291 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 137.200.120.2:48503 5.116.24.73:14488 L=40 S=0x00 I=30175 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 189.114.54.9:42854 158.176.187.65:36878 L=40 S=0x00 I=36252 F=0x0000 T=64 SYN (#31)
[...]
Apr 1 15:00:28 linux kernel: Packet log: input DENY eth2 PROTO=6 xx.xx.xx.xx:10195 32.223.34.115:15138 L=40 S=0x00 I=8296 F=0x0000 T=30 (#31)
[...]
Apr 1 15:00:31 linux kernel: martian destination 26ae58f0 from e716450a, dev eth2
[...]
Apr 1 15:00:37 linux kernel: Packet log: input DENY eth2 PROTO=6 171.15.231.59:25185 139.24.120.54:52550 L=40 S=0x00 I=42486 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:37 linux kernel: Packet log: input DENY eth2 PROTO=6 46.180.199.78:25009 170.227.122.106:64977 L=40 S=0x00 I=35370 F=0x0000 T=64 SYN (#31)
Has anyone an idea what this could be?
regards
Sven
...sorry for my bad English
On Thu, 2004-04-01 at 16:03, Sven Geipel wrote:
Hi,
today I had some strange log entries in my messages log:
External source addresses to external dest address on my internal interface. And this for exactly 10 seconds! Sometimes in these 10 seconds an internal address xx.xx.xx.xx tried to connect to an external address from AT&T. This address is an HP Deskjet 1120 on an ExtendNet SX (ESI 2841) printserver box. And there were messages with "martian destination" in these 10 seconds too. Some of these addresses are reserved, some are official addresses.
Has anyone an idea what this could be?
Yes, do a search on the web for 'martian destination' ...
regards Sven
...sorry for my bad English
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
Ray Leach wrote, on 01.04.2004 16:06:
On Thu, 2004-04-01 at 16:03, Sven Geipel wrote:
Hi,
today I had some strange log entries in my messages log:
[...]
Has anyone an idea what this could be?
Yes, do a search on the web for 'martian destination' ...
Thanks, but I did this first, of course. I know now what martian destination means, but how can I find out why and by what (machine) these packets are generated? And which role does my extendnet print box xx.xx.xx.xx play in this game? Why does it try to come to an AT&T address?
best regards
Sven
Hi Sven,
On Thu, Apr 01, 2004 at 04:23:39PM +0200, Sven Geipel wrote:
Thanks, but I did this first, of course. I know now what martian destination means, but how can I find out why and by what (machine) these packets are generated? And which role does my extendnet print box xx.xx.xx.xx play in this game? Why does it try to come to an AT&T address?
Just have a look with tcpdump. HP Printers tend to phone home :( printerstatus, usage ... Also some have a network time client. Have a look at the traffic. This should make it clear what's going on.
Greetings
Daniel
--
Don't dream your life, live your dream!
Daniel Lord wrote, on 01.04.2004 16:53:
Hi Sven,
On Thu, Apr 01, 2004 at 04:23:39PM +0200, Sven Geipel wrote:
Thanks, but I did this first, of course. I know now what martian destination means, but how can I find out why and by what (machine) these packets are generated? And which role does my extendnet print box xx.xx.xx.xx play in this game? Why does it try to come to an AT&T address?
Just have a look with tcpdump. HP Printers tend to phone home :( printerstatus, usage ... Also some have a network time client. Have a look at the traffic. This should make it clear what's going on.
Greetings Daniel
I would have done a tcpdump if I had had a chance. But this was the first time I saw these packets, and only for these 10 seconds. No more packets before or after. So a dump is really hard. And I also don't know how to reproduce it. So I think the only thing I can do is to wait till it happens again...
thanks and best regards
Sven
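
For offline triage of log entries like the ones posted in this thread, the following added example (not code from any of the posters) parses the ipchains "Packet log" lines and decodes the hexadecimal addresses in the "martian destination" message, then classifies each address. It assumes the kernel printed the 32-bit address words on a little-endian x86 host, so the bytes are reversed before decoding; the function and field names are illustrative.

```python
import ipaddress
import re

# Lines copied from the first post; the masked xx.xx.xx.xx entry is left out.
SAMPLE = """\
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 91.168.63.123:51480 133.90.24.101:45686 L=40 S=0x00 I=53509 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 244.236.235.124:24475 140.202.207.61:13436 L=40 S=0x00 I=48522 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:27 linux kernel: Packet log: input DENY eth2 PROTO=6 104.161.59.77:33401 244.220.3.89:34119 L=40 S=0x00 I=28291 F=0x0000 T=64 SYN (#31)
Apr 1 15:00:31 linux kernel: martian destination 26ae58f0 from e716450a, dev eth2
Apr 1 15:00:37 linux kernel: Packet log: input DENY eth2 PROTO=6 171.15.231.59:25185 139.24.120.54:52550 L=40 S=0x00 I=42486 F=0x0000 T=64 SYN (#31)
"""

PKT = re.compile(r"Packet log: \S+ \S+ (\S+) PROTO=\d+ "
                 r"([\d.]+):\d+ ([\d.]+):\d+ .*? T=(\d+)( SYN)?")
MARTIAN = re.compile(r"martian destination ([0-9a-f]{8}) from ([0-9a-f]{8}), dev (\S+)")

def hex_to_ip(word, little_endian=True):
    """Decode an 8-digit hex address word (assumption: little-endian host)."""
    raw = bytes.fromhex(word)
    return ipaddress.IPv4Address(raw[::-1] if little_endian else raw)

def kind(addr):
    # Reserved (240.0.0.0/4) is tested first so it is not reported as private.
    for name in ("reserved", "multicast", "private"):
        if getattr(addr, "is_" + name):
            return name
    return "public"

def triage(text):
    """Return (packet records, martian records) parsed from log text."""
    packets, martians = [], []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            dev, src, dst, ttl, syn = m.groups()
            s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
            packets.append({"dev": dev, "src": s, "dst": d, "ttl": int(ttl),
                            "syn": bool(syn), "src_kind": kind(s), "dst_kind": kind(d)})
        m = MARTIAN.search(line)
        if m:
            d, s = hex_to_ip(m.group(1)), hex_to_ip(m.group(2))
            martians.append({"dev": m.group(3), "src": s, "dst": d,
                             "src_kind": kind(s), "dst_kind": kind(d)})
    return packets, martians

if __name__ == "__main__":
    pkts, marts = triage(SAMPLE)
    for r in pkts + marts:
        print(r["dev"], r["src"], r["src_kind"], "->", r["dst"], r["dst_kind"])
```

Under the stated byte-order assumption the martian entry decodes to a destination in the reserved 240.0.0.0/4 block, which is the kind of address the kernel refuses to route.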
participants (3)
- Daniel Lord
- Ray Leach
- Sven Geipel