Hello,

I've just picked up my mail. And I have a question!

For the first time I got two messages at the same time. One of them was in my netscape. When I tried to remove a mail (from this mailing list), netscape warned me that sender asked for replay???

Second one was found in /var/log/messages or with dmesg at the same time:

Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 L=48 S=0x00 I=29717 F=0x4000 T=124 SYN (#31)
Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 L=48 S=0x00 I=32533 F=0x4000 T=124 SYN (#31)
Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 L=48 S=0x00 I=43029 F=0x4000 T=124 SYN (#31)

What does it mean? Does it remind you of some windows viruses? I have suse linux 6.3 and I don't use any other OS!

I will appreciate any answer.

Thank you
Dragan
msc

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
DRagan wrote:
> For the first time I got two messages at the same time. One of them was in my netscape. When I tried to remove a mail (from this mailing list), netscape warned me that sender asked for replay???

Are you sure it didn't say that the 'Sender requested a receipt' or something? It is possible for people to request receipts for messages, so that they know that a person has received a message. It's nothing to worry about - it's up to you whether you send one.

> Second one was found in /var/log/messages or with dmesg at the same time:
>
> Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 L=48 S=0x00 I=29717 F=0x4000 T=124 SYN (#31)
> Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 L=48 S=0x00 I=32533 F=0x4000 T=124 SYN (#31)
> Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 L=48 S=0x00 I=43029 F=0x4000 T=124 SYN (#31)
>
> What does it mean?

This means that someone has tried to access your computer as if it was a web server. You shouldn't worry about this unless there are lots of similar messages with different numbers in place of the 80 in your example.

> Does it remind you of some windows viruses? I have suse linux 6.3 and I don't use any other OS!

Hope that helps,
Chris

--
Chris Reeves
ICQ# 22219005
Thanks Chris,

I appreciate your help very much. Yes, the first message was 'Sender requested a receipt'! I didn't use my computer as a web server last night. This was the last message last night.

Packet log: input ACCEPT ppp0 PROTO=6 191.73.50.8:1063 313.240.0.40:1227 L=44 S=0x00 I=37633 F=0x4000 T=14 SYN (#18)

Dragan
msc
DRagan wrote:
> Yes, the first message was 'Sender requested a receipt'!
> I didn't use my computer as a web server last night.

All that message meant was that someone tried to access your computer as if it *was* a web server. They could, for example, have put your IP address in the location bar of Netscape or Lynx or whatever, which would produce this message on your computer.

> This was the last message last night.
> Packet log: input ACCEPT ppp0 PROTO=6 191.73.50.8:1063 313.240.0.40:1227 L=44 S=0x00 I=37633 F=0x4000 T=14 SYN (#18)

This is even less worrying than before, IMHO. Unless there's some backdoor that usually listens on port 1227, which I don't think there is, this is just a case of excessive logging. Just to make sure you don't have anything running on port 1227, do a:

    netstat -ta |grep 1227
    cat /etc/services |grep 1227

If neither of these return anything, it means that a connection wasn't established (since nothing is listening on that port).

To expand on what I said before, you should only be worrying when you get lots of attempted connections from the same IP address (in this case 191.73.50.8) going to ports on your computer which are mostly below 1024 (in your case the connection was to port 1227). Take special notice if you're getting DENY messages relating to ports 21, 23, 25, 110, 139, etc.
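Added example (not part of the original thread, and not code from either poster): a Python parser for ipchains `Packet log:` lines like the ones quoted above, applying the rule of thumb from the reply by flagging a source only when it sends TCP SYNs to many distinct ports that are mostly below 1024. The function names, the `min_ports` cutoff and the 192.0.2.10 sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Ports the reply singles out (FTP, telnet, SMTP, POP3, NetBIOS session).
WATCH_PORTS = {21, 23, 25, 110, 139}

# Layout: chain, action, interface, protocol, src:port, dst:port, header fields.
# Octets are not range-checked, so 313.240.2.1 as printed in the thread parses.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)"
)

def parse(line):
    """Return the fields of one 'Packet log:' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("proto", "sport", "dport")})
    rec["syn"] = " SYN" in rec.pop("rest")
    return rec

def summarize(lines, min_ports=5):
    """Per-source view of TCP SYNs; min_ports is an assumed cutoff for "lots"."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] == 6 and rec["syn"]:
            ports[rec["src"]].add(rec["dport"])
    report = {}
    for src, seen in ports.items():
        report[src] = {
            "ports": sorted(seen),
            "watch": sorted(seen & WATCH_PORTS),
            "suspicious": len(seen) >= min_ports and sum(p < 1024 for p in seen) > len(seen) / 2,
        }
    return report

# Addresses and ports of the first two lines are from the thread; TAIL and the
# 192.0.2.10 lines are constructed sample data.
TAIL = "L=48 S=0x00 I=1 F=0x4000 T=60 SYN (#31)"
SAMPLE = [
    "Packet log: input DENY ppp0 PROTO=6 191.243.118.70:1271 313.240.2.1:80 " + TAIL,
    "Packet log: input ACCEPT ppp0 PROTO=6 191.73.50.8:1063 313.240.0.40:1227 " + TAIL,
] + [f"Packet log: input DENY ppp0 PROTO=6 192.0.2.10:{2000 + i} 313.240.2.1:{p} " + TAIL
     for i, p in enumerate((21, 23, 25, 110, 139, 8080))]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Both sources from the thread come out as not suspicious (one port each); only the constructed source, which touches six ports with five of them below 1024, is flagged.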
Thanks Chris, for this advice. There is nothing on this port %(netstat -ta |grep 1227) %(cat /etc/services |grep 1227). Thank you for your time!

Dragan
msc