On 08-Feb-01 Achim Ehrlich wrote:
Hello list,
I'm running a little home network and scan my messages only occasionally. Today I found that my /var/log/messages was flooded with the following messages from ipchains:

Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.11:56795 213.23.38.146:6346 L=44 S=0x00 I=9 F=0x4000 T=236 SYN (#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4734 213.23.38.146:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)
[...]

This went on for hours. Afterwards there were similar messages, the accessed port varying, but 6346 and 27374 being the most often used ones. It was not this long anymore, though. I looked up the ports in /etc/services but found no service attached to them. Sometimes it was also followed up by a try to access my box on port 22 or 80 by one of the addresses (denied also). I also ran netstat -apln; the only entries I couldn't explain were:

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 120/
tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN 61/
The connection attempts were made to the dynamic IP assigned to you by your ISP on port 6346, which is gnutella-svc. Maybe you used gnutella to upload or download files. The connection attempts (coming from an IP range assigned to Chunghwa Telecom, Taipei, Taiwan) may have been caused by a user of this network desperately trying to download a file you offered as shareable via gnutella. On the other hand, port 27374 is used by a trojan called SubSeven, a piece of malware for Windows. If the scans to 6346 and 27374 come from the same IP addresses, the person on the other end may be up to finding some vulnerable Windows boxes to take over. If these scans go on, do a whois on the particular IP(s) and try to get in touch with the provider. Most of them do have some sort of security/acceptable use policy which forbids such actions. At least, give it a try...
I'm quite worried about all this because although my firewall denies all these packets, there seems to be a program running which broadcasts my dynamic IP address when connected to the internet. This makes me feel quite uncomfortable. I also added two new rules to my firewall script, rejecting outgoing requests to ports 6346 and 27374, to be able to trace this matter further. Until now nothing has shown up.
As shown by your log file excerpts, the connection attempts to both ports were made FROM the net TO your home system. IMO a logging rule for outgoing connection attempts may be obsolete.
I have only a basic understanding of all these things, so please can somebody tell me if this is now a compromise, or am I paranoid? Is it also possible that it is not the Linux server but a client which is compromised? It would be an Apple box in this case. It's a SuSE 6.4 box with firewalling/masquerading. The firewall script is my own (at least partially). thx for any help
achim
---
Boris Lorenz
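As an added illustration of the check Boris suggests (whether the 6346 and 27374 probes come from the same source addresses, and whether a follow-up on 22 or 80 came from one of them), here is a small parser for the ipchains 2.2 "Packet log:" format shown in Achim's excerpt, run over a few constructed log lines. This is example code written for this page, not something from the thread; the sample lines use RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) rather than the real addresses in the post, and the port labels are assumptions taken from the discussion above (6346 = gnutella-svc, 27374 = SubSeven), not from /etc/services.

```python
import re
from collections import defaultdict

# ipchains (kernel 2.2) "Packet log:" line as it appears in /var/log/messages:
#   <mon> <day> <hh:mm:ss> <host> kernel: Packet log: <chain> <verdict> <iface>
#   PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [SYN] (#<rule>)
# Both "SYN(#3)" and "SYN (#3)" occur in the posted excerpt, so the space is optional.
IPCHAINS_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<verdict>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+)\s+S=0x(?P<tos>[0-9a-fA-F]+)\s+I=(?P<id>\d+)\s+F=0x(?P<frag>[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
    r"(?:\s+(?P<flags>SYN))?\s*\(#(?P<rule>\d+)\)\s*$"
)

# Assumed labels, taken from the thread's discussion, not from /etc/services.
PORT_NAMES = {6346: "gnutella-svc", 27374: "SubSeven", 22: "ssh", 80: "http"}

# Constructed sample log (documentation addresses), modelled on the posted excerpt:
# two lone gnutella peers, and one host that hits 6346, then 27374, then ssh.
SAMPLE_LOG = [
    "Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:64834 198.51.100.7:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)",
    "Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:38071 198.51.100.7:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)",
    "Jan 24 00:01:03 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:38080 198.51.100.7:27374 L=44 S=0x00 I=46950 F=0x4000 T=237 SYN (#3)",
    "Jan 24 00:01:10 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:38091 198.51.100.7:22 L=44 S=0x00 I=46961 F=0x4000 T=237 SYN (#3)",
    "Jan 24 00:02:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.44:4734 198.51.100.7:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)",
    "Jan 24 00:02:01 coalmine syslogd: restart",  # unrelated line, must be ignored
]


def parse_ipchains_line(line):
    """Return a dict of the fields of one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["flags"] == "SYN"
    return rec


def hits_by_source(lines):
    """Map each source IP to the set of destination ports it was DENIED on (input chain only)."""
    ports = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        rec = parse_ipchains_line(line)
        if rec is None or rec["chain"] != "input" or rec["verdict"] != "DENY":
            continue
        ports[rec["src"]].add(rec["dport"])
        counts[rec["src"]] += 1
    return ports, counts


def classify_sources(lines):
    """Apply the rule of thumb from the reply: a source that probes both 6346 and 27374
    looks like a scanner; 6346 alone looks like a stale gnutella peer. Also record any
    follow-up on 22/80 from the same source."""
    ports, counts = hits_by_source(lines)
    verdicts = {}
    for src, dports in ports.items():
        if 6346 in dports and 27374 in dports:
            kind = "scanner: gnutella and SubSeven probes from the same host"
        elif 27374 in dports:
            kind = "SubSeven (27374) probe"
        elif 6346 in dports:
            kind = "gnutella (6346) peer, probably a stale download attempt"
        else:
            kind = "other"
        verdicts[src] = {
            "kind": kind,
            "ports": sorted(dports),
            "names": [PORT_NAMES.get(p, str(p)) for p in sorted(dports)],
            "count": counts[src],
            "followup": sorted(dports & {22, 80}),
        }
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_LOG).items():
        note = f", then tried {v['followup']}" if v["followup"] else ""
        print(f"{src:15} {v['count']} denied, ports {v['names']}: {v['kind']}{note}")
```

Run against the real file with `classify_sources(open("/var/log/messages"))`; any source whose verdict starts with "scanner" is the one to feed into whois and the abuse contact, as suggested in the reply.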