
Vakvarju wrote on Sat Oct 02 2004 - 10:57:25 CEST:
Hi all,
This morning I had this message in my /var/log/warn file. Any idea what it can be?
Suspect TCP fragment.
eth1 PROTO=6 80.95.79.9:0 10.0.11.15:0 L=40 S=0x00 I=0 F=0x0001 T=254 (#0)
icmp_send: destinationless packet
icmp_send: destinationless packet
icmp_send: destinationless packet
icmp_send: destinationless packet
---<text trimmed>---
Vakvarju
Hi,

I did a little "google search". There are lots of emails discussing "Suspect TCP fragment". One of them said:

I assume the computer you are dealing with is a firewall and nothing else. There is a fragment attack that tries to sneak past sentry programs by sending fragment tcp statements a few parts at a time. It's only dangerous if you are running a vulnerable system to the normal attack. (I forget the exact terminology)

But before suspecting foul play there are a few things to look at:

1) It's a new month and your cron.monthly may have rotated your wtmp files. Check /var/log/ for files like wtmp.1 or try: last -f /var/log/wtmp.1
2) Check out www.sans.org; they have a nice series of articles for general security and Linux security.

Reference: http://www.icarus.net/linux-users/2001/msg00212.html

HTH,
participants (1)
-
GarUlbricht7@netscape.net
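
Added example, not part of the original thread: a decoder for the logged packet line that splits the F= value into IP flags and fragment offset. It assumes the ipchains-style log layout (L = total length, S = TOS, I = IP ID, F = flags plus fragment offset, T = TTL) and that the message concerns TCP fragments at offset 1, the case RFC 1858 recommends dropping; `decode_fragment_log` and its result keys are hypothetical names.

```python
import re

# Assumed ipchains-style layout: L=total length, S=TOS, I=IP ID,
# F=flags + fragment offset (16 bits), T=TTL. Not stated in the thread.
LOG_RE = re.compile(
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]{4}) T=(?P<ttl>\d+)"
)
IPPROTO_TCP = 6


def decode_fragment_log(line):
    """Parse one packet log line; return decoded fields or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    frag = int(m["frag"], 16)
    offset_units = frag & 0x1FFF          # low 13 bits, in 8-byte units
    rec = {
        "iface": m["iface"],
        "proto": int(m["proto"]),
        "src": m["src"],
        "dst": m["dst"],
        "length": int(m["length"]),
        "ttl": int(m["ttl"]),
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "offset_bytes": offset_units * 8,
    }
    # RFC 1858: a TCP fragment at offset 1 starts 8 bytes into the TCP header
    # and can overwrite the flags byte taken from the first fragment.
    rec["tiny_overlap"] = rec["proto"] == IPPROTO_TCP and offset_units == 1
    return rec


# The packet line from the message above.
SAMPLE = ("Suspect TCP fragment. eth1 PROTO=6 80.95.79.9:0 10.0.11.15:0 "
          "L=40 S=0x00 I=0 F=0x0001 T=254 (#0)")

if __name__ == "__main__":
    for key, value in decode_fragment_log(SAMPLE).items():
        print(f"{key:15} {value}")
```

The ports read 0 because a non-first fragment carries no complete TCP header for the logger to read them from.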