Hi, I have now set up an iptables packet filter. It works fine, but today I added a log rule for all packets that should be dropped/rejected, and I found some entries I can't explain. The first is this one:

Jun 7 18:51:44 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=9997 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]
Jun 7 18:52:40 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=10002 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]
Jun 7 18:54:02 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=10006 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]
Jun 7 18:56:00 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=10013 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]

They always come four times, about every 2.20 hours. (192.168.1.1 is my router and gateway, 192.168.1.2 is my PC, and I have forwarded TCP port 3456 and UDP port 3456.) What are they for? icmp-type: redirect. And what is the MAC? Mine is 00:e0:7d:c5:e4:f3, the router's is 00:50:ba:b8:a3:05, and what is the 08:00 for?

And then I get multiple of these entries (I used Overnet at that point, something like eDonkey or eMule => I connected to them and then got some rejected ACK-RST and ACK-SYN):

Jun 7 21:02:58 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.130.125.169 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34020 PROTO=TCP SPT=4662 DPT=3492 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 7 21:05:59 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=172.181.56.71 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=10686 PROTO=TCP SPT=4662 DPT=3638 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 7 21:07:16 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=212.183.85.147 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=5653 PROTO=TCP SPT=4662 DPT=3746 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 7 21:11:05 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.139.182.236 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=11282 PROTO=TCP SPT=4662 DPT=4038 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 7 21:13:13 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.130.125.169 DST=192.168.1.2 LEN=64 TOS=0x00 PREC=0x00 TTL=123 ID=58278 DF PROTO=TCP SPT=4662 DPT=4223 WINDOW=16944 RES=0x00 ACK SYN URGP=0
Jun 7 21:13:16 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.130.125.169 DST=192.168.1.2 LEN=64 TOS=0x00 PREC=0x00 TTL=123 ID=58388 DF PROTO=TCP SPT=4662 DPT=4223 WINDOW=16944 RES=0x00 ACK SYN URGP=0

Hopefully you can explain these messages to me, because I don't want to block some important packets.

Greets, Markus
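The fields Markus asks about decode as follows (background added here, not part of the original thread). The MAC= value of an iptables LOG entry is the raw 14-byte Ethernet header: destination MAC (00:e0:7d:c5:e4:f3, the PC), source MAC (00:50:ba:b8:a3:05, the router), then the two-byte Ethertype, where 08:00 means IPv4. PROTO=ICMP TYPE=5 CODE=1 is an ICMP Redirect for a host: the router is telling 192.168.1.2 that packets for the destination in the quoted header (the bracketed [SRC=... DST=192.168.1.2 ... DPT=3456] part is the IP/UDP header the router echoes back) should go via GATEWAY=192.168.1.2 directly rather than through the router. The TCP entries carry only the ACK RST or ACK SYN flags from source port 4662 (the eDonkey default) to high local ports, which is the shape of a peer either resetting or answering a connection the PC had opened; a stateful ruleset drops them when no matching connection-tracking entry remains, which is harmless. Dropping ICMP redirects on a host is the usual hardening choice in any case (the kernel equivalent is net.ipv4.conf.all.accept_redirects=0), since a spoofed redirect can alter the host's routing table.

The following parser, written for this page as an added example and not code from the thread, decodes the LOG format above: it splits the MAC field into its three parts, unpacks the quoted inner header of ICMP errors, and classifies each entry. The sample log text is constructed from three of the entries quoted in the post; the classification strings are this example's own wording.

```python
import re

# Decoding tables (values from the ICMP and Ethernet specifications).
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}
ICMP_REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-and-network", 3: "tos-and-host"}
ETHERTYPES = {"08:00": "IPv4", "08:06": "ARP", "86:dd": "IPv6"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample input: three of the entries quoted in the post, verbatim.
SAMPLE_LOG = """\
Jun 7 18:51:44 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=9997 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]
Jun 7 21:02:58 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.130.125.169 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34020 PROTO=TCP SPT=4662 DPT=3492 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 7 21:13:13 tux kernel: Trash-Packet! Infos: IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.130.125.169 DST=192.168.1.2 LEN=64 TOS=0x00 PREC=0x00 TTL=123 ID=58278 DF PROTO=TCP SPT=4662 DPT=4223 WINDOW=16944 RES=0x00 ACK SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def _kv(text):
    """Split 'K=V K=V FLAG ...' into a dict of values and a set of bare flags.
    A repeated key (the inner header carries an IP LEN and a UDP LEN) keeps the last value."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS or tok == "DF":
            flags.add(tok)
    return fields, flags


def split_mac(mac):
    """The MAC= field is the 14-byte Ethernet header: dst MAC, src MAC, Ethertype."""
    parts = mac.split(":")
    if len(parts) != 14:
        return None
    ethertype = ":".join(parts[12:])
    return {"dst": ":".join(parts[:6]), "src": ":".join(parts[6:12]),
            "ethertype": ethertype, "ethertype_name": ETHERTYPES.get(ethertype, "unknown")}


def parse_line(line):
    """Parse one syslog line produced by an iptables LOG target; None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    i = rest.find("IN=")          # everything before IN= is the --log-prefix text
    if i < 0:
        return None
    pkt = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": rest[:i].strip(), "inner": None}
    body = rest[i:]
    if "[" in body:               # ICMP errors quote the offending IP header in [...]
        body, quoted = body.split("[", 1)
        qf, qflags = _kv(quoted.rstrip().rstrip("]"))
        pkt["inner"] = {"fields": qf, "flags": qflags}
    pkt["fields"], pkt["flags"] = _kv(body)
    pkt["mac"] = split_mac(pkt["fields"].get("MAC", ""))
    return pkt


def classify(pkt):
    """Human-readable reading of the packet's protocol fields (wording is this example's own)."""
    f, fl = pkt["fields"], pkt["flags"]
    proto = f.get("PROTO")
    if proto == "ICMP":
        t, c = int(f["TYPE"]), int(f["CODE"])
        if t == 5:
            q = pkt["inner"]["fields"] if pkt["inner"] else {}
            return "ICMP redirect for %s: %s says send traffic for %s via %s" % (
                ICMP_REDIRECT_CODES.get(c, c), f["SRC"], q.get("DST", "?"), f.get("GATEWAY", "?"))
        return "ICMP %s code %d" % (ICMP_TYPES.get(t, t), c)
    if proto == "TCP":
        tcp = fl & TCP_FLAGS
        src = "%s:%s" % (f["SRC"], f["SPT"])
        if tcp == {"ACK", "RST"}:
            return "TCP RST/ACK from %s to local port %s: remote side resetting a session" % (src, f["DPT"])
        if tcp == {"ACK", "SYN"}:
            return "TCP SYN/ACK from %s to local port %s: answer to a SYN sent from here" % (src, f["DPT"])
        if tcp == {"SYN"}:
            return "TCP SYN from %s: new inbound connection attempt to port %s" % (src, f["DPT"])
        return "TCP %s from %s" % ("/".join(sorted(tcp)), src)
    return "%s %s -> %s" % (proto, f.get("SRC"), f.get("DST"))


def summarize(log_text):
    """Return (timestamp, classification) for every LOG line in a block of syslog text."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt:
            out.append((pkt["ts"], classify(pkt)))
    return out


if __name__ == "__main__":
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    print("Ethernet:", first["mac"])
    for ts, what in summarize(SAMPLE_LOG):
        print(ts, what)
```

Feeding the real /var/log/messages through summarize() groups the entries Markus saw into the two kinds above; anything classified as a bare SYN to a port that is not forwarded is the class worth watching, the redirects and late RST/ACK or SYN/ACK segments are not.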
On Saturday 07 June 2003 22:09, Markus Hochmann wrote:
> ... And then I get multiple of these entries (I used Overnet at that point, something like eDonkey or eMule => I connected to them and then got some rejected ACK-RST and ACK-SYN):

I've no answer to your question, but be careful with eDonkey, eMule and other P2P systems: I received a security advisory this morning, and it seems there is a worm that uses this channel to distribute itself. The message doesn't say whether this worm is BugBear.B, Sobig.C, or a new one.

Regards, Pedro
On Sunday, 8 June 2003 11:11, Pedro Cáliz wrote:
> On Saturday 07 June 2003 22:09, Markus Hochmann wrote:
> > ... And then I get multiple of these entries (I used Overnet at that point, something like eDonkey or eMule => I connected to them and then got some rejected ACK-RST and ACK-SYN):
>
> I've no answer to your question, but be careful with eDonkey, eMule and other P2P systems: I received a security advisory this morning, and it seems there is a worm that uses this channel to distribute itself. The message doesn't say whether this worm is BugBear.B, Sobig.C, or a new one.

I have _never_ heard of a worm that uses eDonkey or Overnet! Would you be able to send this security advisory to me (not to the list)?

> Regards, Pedro

Greets, Markus

PS: Does nobody else know how to interpret these log messages? Any hint, link, ... would help me _much_.
participants (2)
-
Markus Hochmann
-
Pedro Cáliz