* Carlos E. R.; <robin1.listas@tiscali.es> on 04 Oct, 2003 wrote:
The 03.09.16 at 16:45, Pep Serrano wrote:
martian source xxx.xxx.xxx.xxx from 127.0.0.1, on dev ppp0, where xxx.xxx.xxx.xxx is my public IP, the IP address in the interface ppp0.
Me too, starting today, and some other people:
Oct 4 13:43:08 nimrodel kernel: martian source 212.166.94.23 from 127.0.0.1, on dev ppp0
Oct 4 13:43:08 nimrodel kernel: ll header: 45:08:00:28
Oct 4 13:43:58 nimrodel kernel: martian source 212.166.94.23 from 127.0.0.1, on dev ppp0
Oct 4 13:43:58 nimrodel kernel: ll header: 45:08:00:28
The address 212.166.94.23 is my IP, assigned temporarily for this connection only by my provider (tiscali), by modem. It is thus impossible to receive from the internet packets from the 127.0.0.1 address... But we are!
IIRC one of the recent worms was using windowsupdate.com with an address of 127.0.0.1, and microsoft had to drop the DNS record for windowsupdate.com.
It must be some new worm, virus, or whatever.
If you have "snort" installed and configured and running you may see the following in your alert file:

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/09-12:15:56.007958 127.0.0.1:80 -> 212.xxx.xxx.18:1084
TCP TTL:122 TOS:0x0 ID:49522 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x151F0001 Win: 0x0 TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/09-12:56:41.217636 127.0.0.1:80 -> 212.xxx.xxx.16:1813
TCP TTL:122 TOS:0x0 ID:8526 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x2AF30001 Win: 0x0 TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/09-13:05:24.182710 127.0.0.1:80 -> 212.xxx.xxx.19:1644
TCP TTL:122 TOS:0x0 ID:9273 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x1560001 Win: 0x0 TcpLen: 20

What is interesting is that the packets have the RST and ACK flags. So it looks like some kind of worm (blaster/welchia type) is in the wild, and based on the TTL being 122 I am making an assumption that the infected machine is running a Windows system (since TTL is 128 for them after NT) and that the infected machine is 6 hops away from my network. Yet this is all I can say :-(

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
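As an added example, not part of the thread and not code from any of its posters, here is a small Python script that parses the two log formats quoted above (the kernel "martian source" / "ll header" pair and the snort "BAD TRAFFIC loopback traffic" alert), flags a 127/8 source arriving on anything other than lo as spoofed, turns the snort flag column into a set, and applies the same TTL heuristic Togan used (nearest common default initial TTL, so 122 becomes 128 minus 6 hops). The sample log lines are constructed from the thread; the snort destination uses a TEST-NET address in place of the masked 212.xxx.xxx.18. Reading the four "ll header" bytes as the start of an IPv4 header is an assumption made here, not something the thread states.

```python
"""Parse the kernel martian lines and snort alerts from the thread and check the spoofing claim."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, modelled on the lines quoted in the thread (not live captures).
KERNEL_LOG = """\
Oct 4 13:43:08 nimrodel kernel: martian source 212.166.94.23 from 127.0.0.1, on dev ppp0
Oct 4 13:43:08 nimrodel kernel: ll header: 45:08:00:28
Oct 4 13:43:58 nimrodel kernel: martian source 212.166.94.23 from 127.0.0.1, on dev ppp0
Oct 4 13:43:58 nimrodel kernel: ll header: 45:08:00:28
"""

# Destination 203.0.113.18 stands in for the masked 212.xxx.xxx.18 of the original alert.
SNORT_LOG = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/09-12:15:56.007958 127.0.0.1:80 -> 203.0.113.18:1084
TCP TTL:122 TOS:0x0 ID:49522 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x151F0001 Win: 0x0 TcpLen: 20
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
SNORT_FLAG_ORDER = "12UAPRSF"            # snort prints flags in this fixed column order
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS defaults, smallest first

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ([0-9a-f]{2}(?::[0-9a-f]{2})*)", re.I)
SNORT_HDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
SNORT_IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)", re.M)
SNORT_TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:", re.M)


@dataclass
class Martian:
    dst: str                        # address the packet was sent to (the ppp0 address)
    src: str                        # claimed source address
    dev: str                        # interface it arrived on
    header: Optional[bytes] = None  # bytes from the following "ll header" line


def parse_martians(text: str) -> List[Martian]:
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    out: List[Martian] = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            out.append(Martian(*m.groups()))
            continue
        h = LLHDR_RE.search(line)
        if h and out and out[-1].header is None:
            out[-1].header = bytes.fromhex(h.group(1).replace(":", ""))
    return out


def decode_ip_prefix(hdr: bytes) -> Tuple[int, int, int, int]:
    """Interpret the dumped bytes as the start of an IPv4 header.
    Returns (version, header_len_bytes, tos, total_len). Assumption: on ppp0 the
    kernel's dump begins at the IP header rather than at a link-layer frame."""
    if len(hdr) < 4:
        raise ValueError("need at least 4 bytes")
    return hdr[0] >> 4, (hdr[0] & 0x0F) * 4, hdr[1], int.from_bytes(hdr[2:4], "big")


def is_spoofed_loopback(src: str, dev: str) -> bool:
    """A 127/8 source is only legitimate on the loopback device itself."""
    return ipaddress.ip_address(src) in LOOPBACK and dev != "lo"


def estimate_hops(ttl: int) -> Tuple[int, int]:
    """Guess the sender's initial TTL (smallest common default >= observed) and the hop count."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds every common default")


def snort_flags(field: str) -> set:
    """Turn snort's '***A*R**' column into a set of flag letters."""
    return {SNORT_FLAG_ORDER[i] for i, c in enumerate(field) if c != "*"}


def parse_snort_alerts(text: str, dev: str = "ppp0") -> List[dict]:
    """One dict per alert: endpoints, TTL, lengths, flags, hop estimate and spoof verdict."""
    alerts = []
    for hdr, ip, tcp in zip(SNORT_HDR_RE.finditer(text), SNORT_IP_RE.finditer(text),
                            SNORT_TCP_RE.finditer(text)):
        ttl = int(ip.group(2))
        initial, hops = estimate_hops(ttl)
        alerts.append({
            "src": hdr.group(2), "sport": int(hdr.group(3)),
            "dst": hdr.group(4), "dport": int(hdr.group(5)),
            "proto": ip.group(1), "ttl": ttl,
            "iplen": int(ip.group(3)), "dgmlen": int(ip.group(4)),
            "flags": snort_flags(tcp.group(1)),
            "initial_ttl": initial, "hops": hops,
            "spoofed": is_spoofed_loopback(hdr.group(2), dev),
        })
    return alerts


if __name__ == "__main__":
    for m in parse_martians(KERNEL_LOG):
        ver, ihl, tos, tlen = decode_ip_prefix(m.header)
        print(f"{m.src} -> {m.dst} on {m.dev}: spoofed={is_spoofed_loopback(m.src, m.dev)} "
              f"ipv{ver} ihl={ihl} tos=0x{tos:02x} total_len={tlen}")
    for a in parse_snort_alerts(SNORT_LOG):
        print(a)
```

Under the IPv4 reading of the dumped bytes, 0x0028 is a total length of 40, the same DgmLen the snort alerts report (20 bytes IP plus 20 bytes TCP, no payload), which is what a bare RST/ACK looks like. The hop estimate is the heuristic from the post, not a measurement: it assumes an unmodified default TTL and takes the smallest common default that is not below the observed value.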