
Hi to all listmates,

I found these lines in /var/log/messages:

Jan 31 11:51:20 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 SRC=<my ip!> DST=<external ip 1> LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=19546 PROTO=TCP SPT=45274 DPT=21 WINDOW=3072 RES=0x00 URGP=0 OPT (03030A0102040109080A3F3F3F3F000000000000)

Jan 31 12:01:53 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 SRC=<my ip!> DST=<external ip 2> LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=49052 PROTO=TCP SPT=54417 DPT=139 WINDOW=4096 RES=0x00 URGP=0 OPT (03030A0102040109080A3F3F3F3F000000000000)

<external ip 1> and <external ip 2> are from the same subnet but are different. Is this a spoofing attack or what?

--
Mario Libraro
Web Applications Developer
Fulltrading S.p.A.
00148 Roma - Via Di Affogalasino, 105
tel. +39 06 65 73 170
fax +39 06 65 73 529
mob. +39 347 5205 752
email: m.libraro@fulltrading.it m.libraro@tiresia.it
web: www.fulltrading.it
--
"I worry about my child and the Internet all the time, even though she's too young to have logged on yet. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?'"
Mike Godwin, Electronic Frontier Foundation

On Thu 31 Jan 02 16:45, mario libraro wrote:

> Hi to all listmates,
> I found these lines in /var/log/messages:
> Jan 31 11:51:20 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 SRC=<my ip!> DST=<external ip 1> LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=19546 PROTO=TCP SPT=45274 DPT=21 WINDOW=3072 RES=0x00 URGP=0 OPT (03030A0102040109080A3F3F3F3F000000000000)

Looks like <external ip 1> tried to ftp to your fw.

> Jan 31 12:01:53 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 SRC=<my ip!> DST=<external ip 2> LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=49052 PROTO=TCP SPT=54417 DPT=139 WINDOW=4096 RES=0x00 URGP=0 OPT (03030A0102040109080A3F3F3F3F000000000000)

Looks like <external ip 2> tried to ftp to your fw.

> <external ip 1> and <external ip 2> are from the same subnet but are different. Is this a spoofing attack or what?

Ray

--
Raymond Leach
Cell:+27-82-416-1410 Tel:+27-11-444-5006 Fax:+27-11-444-5007
eMail:raymondl@knowledgefactory.co.za
www:http://www.knowledgefactory.co.za
Make money while you sleep! Visit http://www.quickinfo247.com/175692
"No matter where you go, there you are ..."

It looks like your firewall machine is trying to connect to those machines, as the destination ports are regular service ports (ftp & smb).

McTrex

----- Original Message -----
From: mario libraro <m.libraro@fulltrading.it>
To: <suse-security@suse.com>
Sent: Thursday, January 31, 2002 3:45 PM
Subject: [suse-security] SuSE-FW-OUTPUT-ERRORIN log

Hi to all listmates,
I found these lines in /var/log/messages:
Jan 31 11:51:20 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 SRC=<my ip!> DST=<external ip 1> LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=19546 PROTO=TCP SPT=45274 DPT=21 WINDOW=3072 RES=0x00 URGP=0 OPT (03030A0102040109080A3F3F3F3F000000000000)
Jan 31 12:01:53 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 SRC=<my ip!> DST=<external ip 2> LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=49052 PROTO=TCP SPT=54417 DPT=139 WINDOW=4096 RES=0x00 URGP=0 OPT (03030A0102040109080A3F3F3F3F000000000000)
<external ip 1> and <external ip 2> are from the same subnet but are different. Is this a spoofing attack or what?
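The reading given in the last reply (empty IN=, OUT=eth0, SRC is the firewall's own address) can be checked mechanically. The following Python is an added example, not part of the original thread: it classifies the direction of a netfilter LOG line and decodes the OPT bytes as TCP options. The function names are hypothetical and the addresses in the sample are placeholder documentation addresses standing in for the redacted ones.

```python
import re

# Constructed sample: the first log line from the thread, with the redacted
# addresses replaced by RFC 5737 documentation addresses (assumed values).
SAMPLE = (
    "Jan 31 11:51:20 goemon kernel: SuSE-FW-OUTPUT-ERRORIN= OUT=eth0 "
    "SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=46 "
    "ID=19546 PROTO=TCP SPT=45274 DPT=21 WINDOW=3072 RES=0x00 URGP=0 "
    "OPT (03030A0102040109080A3F3F3F3F000000000000)"
)
SERVICES = {21: "ftp", 139: "netbios-ssn (smb)"}  # the two ports in the thread

def decode_tcp_options(hexstr):
    """Walk the TCP option list (kind, length, value) logged in OPT (...)."""
    data, i, out = bytes.fromhex(hexstr), 0, []
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # end of option list, rest is padding
            return out + ["EOL"]
        if kind == 1:                      # single-byte no-op
            out.append("NOP")
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            return out + ["malformed"]     # truncated or bogus length byte
        body = data[i + 2:i + length]
        if kind == 2 and length == 4:
            out.append(f"MSS={int.from_bytes(body, 'big')}")
        elif kind == 3 and length == 3:
            out.append(f"WSCALE={body[0]}")
        elif kind == 8 and length == 10:
            out.append(f"TS val=0x{body[:4].hex()} ecr=0x{body[4:].hex()}")
        else:
            out.append(f"kind={kind} len={length}")
        i += length
    return out

def classify(line):
    """Say which way the logged packet was travelling and what it targeted."""
    in_if, out_if = re.search(r"IN=(\S*) OUT=(\S*)", line).groups()
    f = dict(re.findall(r"([A-Z]+)=(\S+)", line))   # skips the empty IN=
    direction = ("local-out" if out_if and not in_if      # sent by this host
                 else "local-in" if in_if and not out_if  # addressed to this host
                 else "forwarded")
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    return {"direction": direction, "src": f["SRC"], "dst": f["DST"],
            "service": SERVICES.get(int(f["DPT"]), "unknown"),
            "tcp_options": decode_tcp_options(opt.group(1)) if opt else []}
```

Calling `classify(SAMPLE)` reports the packet as `local-out` to the ftp port, with the options decoded as window scale 10, NOP, MSS 265, a timestamp and EOL.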
participants (3): Marco Teeuwen, mario libraro, Ray Leach