Carlos E. R. wrote:
The 03.09.16 at 16:45, Pep Serrano wrote:
martian source xxx.xxx.xxx.xxx from 127.0.0.1, on dev ppp0, where xxx.xxx.xxx.xxx is my public IP, the IP address in the interface ppp0.
Me too, starting today, and some other people:
Oct 4 13:43:08 nimrodel kernel: martian source 212.166.94.23 from 127.0.0.1, on dev ppp0
Oct 4 13:43:08 nimrodel kernel: ll header: 45:08:00:28
Oct 4 13:43:58 nimrodel kernel: martian source 212.166.94.23 from 127.0.0.1, on dev ppp0
Oct 4 13:43:58 nimrodel kernel: ll header: 45:08:00:28
The address 212.166.94.23 is my IP, assigned temporarily for this connection only by my provider (tiscali), by modem. It is thus impossible to receive from internet packets from the 127.0.0.1 address... But we are!
That's why they named them "martian" source.
It must be some new worm, virus, or whatever.
Has anyone else figured out what this was? Today I got:

Oct 22 12:54:50 mars kernel: martian source xx.xxx.xx.xxx from 127.0.0.1, on dev ppp0
Oct 22 12:54:50 mars kernel: ll header: 45:08:00:28

mars:~ # tcpdump -X -s 0 -n -vvv net 127.0.0.1 -i any
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any
12:54:50.901690 127.0.0.1.80 > xx.xxx.xx.xxx.1947: R [tcp sum ok] 0:0(0) ack 1759903745 win 0 (ttl 126, id 61929, len 40)
0x0000   4500 0028 f1e9 0000 7e06 3050 7f00 0001   E..(....~.0P....
0x0010   42f8 589d 0050 079b 0000 0000 68e6 0001   B.X..P......h...
0x0020   5014 0000 2468 0000                       P...$h..

Where xx.xxx.xx.xxx is my dialup IP on ppp0. I'm not sure what this means and I cannot read much of this packet info. Does anyone know why it's happening? Interesting that it's on port 80, eh?

-- Micxz
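
The packet in the tcpdump output above, decoded field by field as an added example that is not part of the original thread. It uses only the 40 bytes from the quoted hex dump; the function names and dictionary keys are chosen here for illustration.

```python
import ipaddress
import struct

# The 40 bytes from the tcpdump -X output quoted in the post above.
PACKET_HEX = (
    "4500 0028 f1e9 0000 7e06 3050 7f00 0001"
    "42f8 589d 0050 079b 0000 0000 68e6 0001"
    "5014 0000 2468 0000"
)

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; 0xFFFF means the checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode(raw: bytes) -> dict:
    """Decode an IPv4+TCP packet and flag a loopback source seen on the wire."""
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    # The TCP checksum also covers a pseudo-header built from the IP addresses.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        # The destination address is left out: the poster masked it.
        "src": f"{ipaddress.IPv4Address(src)}:{sport}",
        "dst_port": dport,
        "ttl": ttl, "id": ident, "seq": seq, "ack": ack, "win": win,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
        "ip_checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
        # A 127.0.0.0/8 source arriving on a non-loopback interface such as
        # ppp0 is a case the kernel reports as "martian source".
        "martian_source": ipaddress.IPv4Address(src).is_loopback,
    }


if __name__ == "__main__":
    for key, value in decode(bytes.fromhex(PACKET_HEX)).items():
        print(f"{key:16} {value}")
```

The decoded fields match the tcpdump summary line: a TCP segment with RST and ACK set, source 127.0.0.1 port 80, destination port 1947, TTL 126, with both the IP and TCP checksums verifying.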