do these log entries document attacks?
Hello friends of Linux,

Does anybody know what I've got here, where X.X.X.1 is the box which logs these messages?

1)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=337 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=3921 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=6993 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:41 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=18257 F=0x4000 T=111 SYN (#42)

2)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.1:28431 L=29 S=0x00 I=44573 F=0x0000 T=119 (#42)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.255:28431 L=29 S=0x00 I=45597 F=0x0000 T=119 (#42)

3)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1002 X.X.X.1:111 L=60 S=0x00 I=38602 F=0x4000 T=49 SYN (#42)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1006 X.X.X.255:111 L=60 S=0x00 I=38606 F=0x4000 T=49 SYN (#42)

4)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=34799 F=0x4000 T=46 SYN (#42)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2716 X.X.X.255:53 L=60 S=0x00 I=34843 F=0x4000 T=46 SYN (#42)
Mar 28 02:17:17 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=36023 F=0x4000 T=46 SYN (#42)

5)
Mar 28 08:36:18 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61465 F=0x0000 T=105 (#42)
Mar 28 08:36:20 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61721 F=0x0000 T=105 (#42)
Mar 28 08:36:21 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61977 F=0x0000 T=105 (#42)

tia
cg
On my FreeBSD box I have

zip 6/ddp #Zone Information Protocol

I did not see anything like it in the /etc/services file on my SuSE machine.

On Wed, 28 Mar 2001, Christian Gorski wrote:

Hello friends of Linux,

Does anybody know what I've got here, where X.X.X.1 is the box which logs these messages?

1)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=337 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=3921 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=6993 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:41 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=18257 F=0x4000 T=111 SYN (#42)

2)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.1:28431 L=29 S=0x00 I=44573 F=0x0000 T=119 (#42)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.255:28431 L=29 S=0x00 I=45597 F=0x0000 T=119 (#42)

3)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1002 X.X.X.1:111 L=60 S=0x00 I=38602 F=0x4000 T=49 SYN (#42)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1006 X.X.X.255:111 L=60 S=0x00 I=38606 F=0x4000 T=49 SYN (#42)

4)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=34799 F=0x4000 T=46 SYN (#42)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2716 X.X.X.255:53 L=60 S=0x00 I=34843 F=0x4000 T=46 SYN (#42)
Mar 28 02:17:17 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=36023 F=0x4000 T=46 SYN (#42)

5)
Mar 28 08:36:18 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61465 F=0x0000 T=105 (#42)
Mar 28 08:36:20 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61721 F=0x0000 T=105 (#42)
Mar 28 08:36:21 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61977 F=0x0000 T=105 (#42)

tia
cg
According to services this is quote of the day.

2)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.1:28431 L=29 S=0x00 I=44573 F=0x0000 T=119 (#42)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.255:28431 L=29 S=0x00 I=45597 F=0x0000 T=119 (#42)

3)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1002 X.X.X.1:111 L=60 S=0x00 I=38602 F=0x4000 T=49 SYN (#42)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1006 X.X.X.255:111 L=60 S=0x00 I=38606 F=0x4000 T=49 SYN (#42)

4)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=34799 F=0x4000 T=46 SYN (#42)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2716 X.X.X.255:53 L=60 S=0x00 I=34843 F=0x4000 T=46 SYN (#42)
Mar 28 02:17:17 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=36023 F=0x4000 T=46 SYN (#42)

5)
Mar 28 08:36:18 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61465 F=0x0000 T=105 (#42)
Mar 28 08:36:20 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61721 F=0x0000 T=105 (#42)
Mar 28 08:36:21 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61977 F=0x0000 T=105 (#42)

tia
cg
Hello Christian,

I've just read a story on The Register about the mutating nature of the Lion worm (http://www.theregister.co.uk/content/8/17929.html). Reading the following quote from the article and remembering your posting did indeed ring some bells:

"The new Lion worm sets up an HTTP server on port 27374 and erects a page bearing greetz from the Lion crew"

So your log entries possibly are a Lion attack signature? I wonder ...

Regards,
Martin

On Wednesday 28 March 2001 12:11, Christian Gorski wrote:

Hello friends of Linux,

Does anybody know what I've got here, where X.X.X.1 is the box which logs these messages?

1)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=337 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=3921 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=6993 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:41 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=18257 F=0x4000 T=111 SYN (#42)
... snip ...

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Tel.: +49-251-83-33557
Fax: +49-251-83-39083
E-Mail (work): lewelin@uni-muenster.de
[ Please consider not using HTML stuff in mailing lists ]

On Wed, Mar 28, 2001 at 12:11 +0200, Christian Gorski wrote:

1)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
tcp 27374 is some SubSeven version (a trojan), somebody scans .1 (assuming it's the router) plus .255 (trying to get an answer from triggering the broadcast address instead of querying every single address)
2)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.1:28431 L=29 S=0x00 I=44573 F=0x0000 T=119 (#42)
udp 28432? don't know
3)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1002 X.X.X.1:111 L=60 S=0x00 I=38602 F=0x4000 T=49 SYN (#42)
tcp 111 -- portmapper and mostly NFS related, no sane person serves NFS in public or offers RPC based services :)
4)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=34799 F=0x4000 T=46 SYN (#42)
tcp 53 -- domain or often named DNS, probably some axfr probe or version query, you don't run BIND do you? :>
5)
Mar 28 08:36:18 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61465 F=0x0000 T=105 (#42)

udp 137 -- SMB / Windoze network stuff

It might not be an actual attack but more one of the scans you see on a daily basis ... Nothing to worry about as long as you don't run unnecessary services / software and keep the used programs up to date and well configured. See the SuSE security FAQ for more info and literature references. Visit the mailing list's archive. Get some book on basic networking and look at /etc/services yourself to find out which service is supposed to get contacted.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
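As an added illustration of the reading Gerhard gives above (this is example code written for this page, not code from the thread or from any of the posters), here is a small Python parser for the ipchains "Packet log:" format the original post quotes. It pulls each field apart, maps the PROTO= number to the IP protocol name (PROTO= is the IP protocol number, so 6 is TCP and 17 is UDP; it is not a port, which is why "zip 6/ddp" and "quote of the day" in /etc/services are not what these lines refer to), looks the destination port up in a small service table, and groups hits per source so the .1-plus-.255 pattern stands out. The sample lines are taken from the thread; the SERVICES table is a constructed subset of /etc/services plus the SubSeven entry from Gerhard's reply, and treating a ".255" host part as the directed-broadcast address is an assumption that only holds for a /24.

```python
import re
from collections import defaultdict

# Field layout of an ipchains "Packet log:" line (kernel 2.2 era):
#   <syslog ts> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=<ip proto>
#   <src>:<sport> <dst>:<dport> L=<ip len> S=<tos> I=<ip id> F=<frag> T=<ttl> [SYN] (#<rule>)
PACKET_LOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$"
)

# PROTO= is the IANA IP protocol number, not a port number.
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed subset of /etc/services for this example (a real tool would read the
# file itself), plus the one port the thread identifies that is not a registered service.
SERVICES = {
    ("tcp", 53): "domain",
    ("tcp", 111): "sunrpc (portmapper)",
    ("udp", 137): "netbios-ns",
    ("tcp", 27374): "SubSeven backdoor (not in /etc/services; see thread)",
}

# Sample input: one line from each numbered item of the original post.
SAMPLE_LOG = """\
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
Mar 27 20:26:44 linux kernel: Packet log: input DENY eth0 PROTO=17 212.93.208.240:28432 X.X.X.1:28431 L=29 S=0x00 I=44573 F=0x0000 T=119 (#42)
Mar 27 21:38:29 linux kernel: Packet log: input DENY eth0 PROTO=6 207.194.143.211:1002 X.X.X.1:111 L=60 S=0x00 I=38602 F=0x4000 T=49 SYN (#42)
Mar 28 02:17:11 linux kernel: Packet log: input DENY eth0 PROTO=6 207.18.60.53:2712 X.X.X.1:53 L=60 S=0x00 I=34799 F=0x4000 T=46 SYN (#42)
Mar 28 08:36:18 linux kernel: Packet log: input DENY eth0 PROTO=17 210.104.121.253:55675 X.X.X.1:137 L=78 S=0x00 I=61465 F=0x0000 T=105 (#42)
"""


def parse_packet_log(text):
    """Parse every ipchains 'Packet log:' line in text; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PACKET_LOG.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        proto_num = int(e["proto"])
        e["proto"] = IP_PROTOCOLS.get(proto_num, "ipproto-%d" % proto_num)
        for key in ("sport", "dport", "length", "ipid", "ttl", "rule"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def describe_port(proto, port):
    """Name the service behind (proto, port) from the table above, 'unknown' otherwise."""
    return SERVICES.get((proto, port), "unknown")


def summarize(entries):
    """Per source address: hit count, set of (proto, dport, service) probed, and whether
    the .255 address was targeted (assumption: a /24, so .255 is the directed broadcast)."""
    summary = defaultdict(lambda: {"hits": 0, "targets": set(), "broadcast_probe": False})
    for e in entries:
        s = summary[e["src"]]
        s["hits"] += 1
        s["targets"].add((e["proto"], e["dport"], describe_port(e["proto"], e["dport"])))
        if e["dst"].endswith(".255"):
            s["broadcast_probe"] = True
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize(parse_packet_log(SAMPLE_LOG)).items():
        flag = " [also hit broadcast .255]" if info["broadcast_probe"] else ""
        print("%s: %d denied packet(s)%s" % (src, info["hits"], flag))
        for proto, port, name in sorted(info["targets"]):
            print("    %s/%d  %s" % (proto, port, name))
```

Run as a script it prints one block per scanning source with the services it touched; feed it the real log with `parse_packet_log(open("/var/log/messages").read())` and the per-source grouping makes a broadcast sweep or a single-port probe obvious without reading every line.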