Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] What are these?
I AM using SuSEfirewall 4.2 on SuSE 6.4.
I ran the install... and configured it using YaST. Is there a better way?
While we're on the subject, YaST appears to have some problems displaying
text and descriptions.

I even ran ipchains with these arguments:
/sbin/ipchains -A input -p TCP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
/sbin/ipchains -A input -p UDP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
/sbin/ipchains -A input -p ICMP -d 0.0.0.0/0 0:65535 -i ppp0 -l -j DENY
but apparently these scans are accepted before the new lines. I figured that
those lines would break something for sure.

What is the syntax to redirect a port-- like 80 to squid's incoming port?

----- Original Message -----
From: "Boris Lorenz" <bolo@xxxxxxx>
To: "Kevin Creason" <dmc4687@xxxxxxxxxxxxxx>
Cc: "SuSE Security Mailingliste" <suse-security@xxxxxxxx>
Sent: Monday, February 12, 2001 5:37 AM
Subject: RE: [suse-security] What are these?


>
> On 11-Feb-01 Kevin Creason wrote:
> > I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently
> > using or listening on those ports.
> >
> > Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51)
> > Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51)
> > Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)
> >
> >
> > What does it mean that the firewall accepted a SYN packet from
> > HSE-Kitchener-ppp233156.sympatico.ca?
> > And does the L or the T signify the protocol line? Anyway-- does this
> > correspond to this: (/etc/protocols)
> > ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
> >
> > And since I'm not running IPv6, what is the scanner attempting to do to me?
> > I've seen this network on my box before. Are they a known bunch of id10t's?
>
> Port 1243 is known to be used by trojan horses like BackDoor-G, SubSeven
> Apocalypse and Tiles. Refer to www.simovits.com for a list of well known
> trojans and their preferred ports.
>
> As these are Windows trojans your nodes may not be affected if they all
> run Linux/Unix, but you would be better off closing these and other ports
> by implementing decent firewalling, say via the SuSE firewall or some
> other useable scripts.
>
> ---
> Boris Lorenz <bolo@xxxxxxx>
> System Security Admin *nix - *nux
> ---
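
The log fields asked about in the quoted message, decoded in an added Python example that is not part of the original thread: in the ipchains packet log format, PROTO= is the IP protocol number (6 is TCP), L= is the packet length, T= is the TTL, and (#n) is the number of the rule that matched. The sample lines, the addresses and the function names are constructed for illustration.

```python
import re
# ipchains (Linux 2.2) "Packet log:" layout: chain, action, interface, then IP header fields.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # PROTO= is the IP protocol number

def parse_line(line):
    """Decode one syslog line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"], "action": f["action"], "iface": f["iface"],
        "proto": PROTO_NAMES.get(int(f["proto"]), f["proto"]),
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "length": int(f["length"]),   # L= total packet length in bytes
        "ttl": int(f["ttl"]),         # T= IP time to live, not a protocol number
        "syn": f["syn"] is not None,  # SYN = TCP connection attempt
        "rule": int(f["rule"]),       # (#n) = number of the chain rule that matched
    }

def accepted_inbound_syns(lines, watch_ports):
    """Return accepted TCP SYNs on the input chain aimed at the watched ports."""
    return [r for r in filter(None, map(parse_line, lines))
            if (r["chain"], r["action"], r["proto"], r["syn"]) == ("input", "ACCEPT", "tcp", True)
            and r["dport"] in watch_ports]

# Constructed sample lines (documentation addresses), shaped like those in the thread.
SAMPLE = [
    "Feb 10 18:45:08 host kernel: Packet log: input ACCEPT ppp0 PROTO=6 "
    "198.51.100.35:2516 192.0.2.10:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51)",
    "Feb 10 18:45:12 host kernel: Packet log: input DENY ppp0 PROTO=17 "
    "198.51.100.35:1030 192.0.2.10:137 L=78 S=0x00 I=48300 F=0x0000 T=44 (#52)",
    "Feb 10 18:45:13 host pppd[211]: rcvd [LCP EchoReq id=0x1]",
]

if __name__ == "__main__":
    for hit in accepted_inbound_syns(SAMPLE, {1243}):
        print(hit["src"], "->", hit["dport"], "accepted by rule", hit["rule"])
```

The `rule` value identifies the chain entry that accepted the packet; ipchains stops at the first matching rule, so DENY rules appended later with `-A` are never reached for that traffic.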

