[opensuse] Intrusion attempt?
I have seen the following popup on my /var/log/messages and wonder what it could be especially as my current box has the IP of 10.0.0.14:

Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=208.184.36.73 DST=10.0.0.14 LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP SPT=80 DPT=1202 WINDOW=8192 RES=0x00 ACK SYN URGP=0 OPT (020405980101080A08A2DBAD01976D81)

Any clues or someone hacking their way thru my ISP network onto my ADSL cnx?

TIA
--
========================================================================
Using SuSE 9.2 Professional with KDE and Mozilla Mail 1.7.13
Linux user # 229959 at http://counter.li.org
========================================================================
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Dec 31 2006 15:17, Hylton Conacher(ZR1HPC) wrote:
Subject: [opensuse] Intrusion attempt?
Hardly.
I have seen the following popup on my /var/log/messages and wonder what it could be especially as my current box has the IP of 10.0.0.14:
Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT=
                                                  ^^^
What we see here seems to be matching -m conntrack --ctstate INVALID.
MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=208.184.36.73 DST=10.0.0.14
As you figured out, dst=10.0.0.14 is quite unlikely to be routable from 208.184.36.73. Your ISP does not change that (heh - hopefully!)

73.36.184.208.in-addr.arpa domain name pointer 208.184.36.73.available.

Whois says:
IMR Worldwide PTY LTD MFN-N298--208-184-36-64-27 (NET-208-184-36-64-1) 208.184.36.64 - 208.184.36.95

"""IMR Worldwide Pty Ltd, an Australian-based company, has formed a new partnership with Taylor Nelson Sofres to establish a joint venture specialising in market research focussing on the Internet."""

So you know who that is.
LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP SPT=80 DPT=1202
It is highly unlikely that said box targeted you. The source port is 80, usually for HTTP, plus you've got a Pty Ltd.
WINDOW=8192 RES=0x00 ACK SYN URGP=0 OPT (020405980101080A08A2DBAD01976D81)
This however is strange. It would mean you got a spurious SYN ACK in your connection. Which can't be, since the connection is unknown (INVALID, see above). The option string says: maximum segment size is 0x598 (1432), and some other bits not covered by RFC 793.

All in all my conclusion is: The packet you received is valid, as part of _you_ establishing a connection (probably visiting a webpage with ads), however, for some __strange__ reason, the connection is INVALID.

I have seen similar strange things with iptables/netfilter recently -- established connections just went INVALID for no apparent reason, yet they continued to be listed as ESTABLISHED in `conntrack -L`.

What you can do in the short term: post the results of `iptables-save`, it might reveal some oddity I just stumbled over yesterday. In the long term, upgrading to iptables 1.3.7 (suser-jengelh) might solve the problem, the more if iptables-save shows what I think it could show.
Using SuSE 9.2 Professional with KDE and Mozilla Mail 1.7.13
Linux user # 229959 at http://counter.li.org
I'll take notice. I don't have a repo for that, so iptables 1.3.7 only for SUSE 10.2 (and most likely downwards compatible with 10.1 and older).

-`J'
On Dec 31 2006 14:51, Jan Engelhardt wrote:
WINDOW=8192 RES=0x00 ACK SYN URGP=0 OPT (02 04 05 98 01 01 08 0A 08 A2 DB AD 01 97 6D 81)
This however is strange. It would mean you got a spurious SYN ACK in your connection. Which can't be, since the connection is unknown (INVALID, see above). The option string says: maximum segment size is 0x598 (1432), and some other bits not covered by RFC 793.
Well, it's not so strange. Combining "INVALID" and "SYN ACK" means the SYN ACK returned _much_ later than the Linux TCP stack expected it (a minute, hour, day, no idea what the default is) -- unless of course the below holds true where connections spuriously become INVALID.

The option string, fully decoded:
0x02040598  TCP MSS: 0x598 = 1432
0x01        noop
0x01        noop
0x080A..    Lifetime of orphaned FIN-WAIT-2 state; you can find details in /usr/src/linux/net/ipv4/tcp.c line 1643 ("This is a (useful) BSD violating of the RFC.").
All in all my conclusion is: The packet you received is valid, as part of _you_ establishing a connection (probably visiting a webpage with ads), however, for some __strange__ reason, the connection is INVALID.
I have seen similar strange things with iptables/netfilter recently -- established connections just went INVALID for no apparent reason, yet they continued to be listed as ESTABLISHED in `conntrack -L`.
What you can do in the short term: post the results of `iptables-save`, it might reveal some oddity I just stumbled over yesterday. In the long term, upgrading to iptables 1.3.7 (suser-jengelh) might solve the problem, the more if iptables-save shows what I think it could show.
-`J'
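As an added example (not code from the thread or from SuSEfirewall2), here is a small Python triage script that parses a netfilter LOG line like the one posted above, walks the OPT bytes by the kind/length encoding of RFC 793 and RFC 7323 (kind 2 is MSS, 1 is NOP, 8 is Timestamps), and classifies the packet. The sample line is the one from the original post, embedded as a constant; the classification rule (SYN+ACK from a well-known service port to a high port is the reply half of a connection the host itself opened) is my own heuristic, and the function and field names are mine.

```python
import re

# Constructed sample: the SuSEfirewall2 LOG line quoted in the thread.
SAMPLE_LINE = (
    "Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= "
    "MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=208.184.36.73 DST=10.0.0.14 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP SPT=80 DPT=1202 "
    "WINDOW=8192 RES=0x00 ACK SYN URGP=0 OPT (020405980101080A08A2DBAD01976D81)"
)

# TCP flag tokens the netfilter LOG target prints as bare words.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_sfw2_line(line):
    """Turn a netfilter LOG line into a dict of KEY=value fields.

    The log prefix lands in 'PREFIX', bare flag words in the 'FLAGS' set,
    and the hex inside 'OPT (...)' in 'OPT'.
    """
    m = re.search(r"kernel: (?P<prefix>\S+) (?P<rest>.*)$", line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    fields = {"PREFIX": m.group("prefix"), "FLAGS": set()}
    rest = m.group("rest")
    opt = re.search(r"OPT \(([0-9A-Fa-f]*)\)", rest)
    if opt:
        fields["OPT"] = opt.group(1)
        rest = rest[:opt.start()] + rest[opt.end():]   # keep it out of the token loop
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            fields["FLAGS"].add(tok)
    return fields


def decode_tcp_options(hexstr):
    """Walk TCP options by kind/length (RFC 793, RFC 7323) and return a list of tuples."""
    data = bytes.fromhex(hexstr)
    i, out = 0, []
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # End of option list
            out.append(("EOL",))
            break
        if kind == 1:                       # No-operation (padding)
            out.append(("NOP",))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length")
        body = data[i + 2:i + length]
        if kind == 2 and length == 4:       # Maximum Segment Size
            out.append(("MSS", int.from_bytes(body, "big")))
        elif kind == 3 and length == 3:     # Window scale
            out.append(("WSCALE", body[0]))
        elif kind == 4 and length == 2:     # SACK permitted
            out.append(("SACK_PERMITTED",))
        elif kind == 8 and length == 10:    # Timestamps: TSval, TSecr
            out.append(("TIMESTAMP",
                        int.from_bytes(body[:4], "big"),
                        int.from_bytes(body[4:], "big")))
        else:
            out.append(("UNKNOWN", kind, body.hex()))
        i += length
    return out


def classify(fields):
    """Heuristic triage of a dropped TCP packet (my own rule, not a firewall feature)."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    if flags == {"SYN", "ACK"} and spt < 1024 and dpt >= 1024:
        # Reply half of a connection this host opened; dropped because
        # conntrack no longer recognised the connection (INVALID).
        return "late-reply-to-outbound"
    if flags == {"SYN"}:
        return "inbound-connection-attempt"
    return "other"


if __name__ == "__main__":
    f = parse_sfw2_line(SAMPLE_LINE)
    print(f["PREFIX"], f["SRC"], "->", f["DST"], sorted(f["FLAGS"]))
    for opt in decode_tcp_options(f["OPT"]):
        print("  option:", opt)
    print("verdict:", classify(f))
```

For the posted line the decoder yields MSS 1432, two NOPs and a Timestamps option, and the verdict is "late-reply-to-outbound", which matches the thread's reading that the packet is a delayed SYN ACK to a connection the box itself started rather than a probe from outside.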
Jan Engelhardt wrote:
On Dec 31 2006 14:51, Jan Engelhardt wrote an explanation of a /var/log/messages error:

Tnx Jan for the comprehensive report back.
I am going to assume it is nothing to worry about.

TA
On Jan 1 2007 18:40, Hylton Conacher(ZR1HPC) wrote:
Jan Engelhardt wrote:
On Dec 31 2006 14:51, Jan Engelhardt wrote an explanation of a /var/log/messages error:

Tnx Jan for the comprehensive report back.
I am going to assume it is nothing to worry about.
I would worry. Because if connections just turn INVALID, websites may not load (exampling your tcp packet there).

-`J'