Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] compromised?
  • From: dproc@xxxxxxx
  • Date: Thu, 8 Feb 2001 22:57:17 -0500
  • Message-id: <20010208225717.C7841@xxxxxxxxxxxxxxx>
On Thu, 08 Feb 2001, Achim Ehrlich wrote:

> Hello list,
>
> I'm running a little home network and scan my messages only occasionally.
> Today I found that my var/log/messages was flooded with the following
> messages from ipchains:
>
> Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
> Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)

Is some unsupervised kid with a 'security tool'
syn-flooding him with spoofed source addresses? It seems
his box is easily withstanding this, until his log fills the
disk.

> access my box on port 22 or 80 by one of the addresses (denied also). I also
> ran netstat -apln, the only entries I couldn't explain were:
>
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 120/
> tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN 61/

Run
lsof -i
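
One way to triage a log like the one quoted above, as an added example that is not part of the original thread: it parses ipchains `Packet log` lines and counts denied packets, SYNs and distinct source addresses per destination port. The function names are this example's own, and the third sample line is constructed (documentation address 192.0.2.10).

```python
import re
from collections import Counter, defaultdict

# ipchains "Packet log" line as quoted in the post: chain, action, interface,
# IP protocol number, src ip:port, dst ip:port, the L/S/I/F/T fields,
# an optional SYN marker and the number of the rule that matched.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?T=(?P<ttl>\d+)\s*(?P<syn>SYN)?\s*\(#(?P<rule>\d+)\)"
)

def parse(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize(lines):
    """Per destination port: denied packets, SYN count, packets per source."""
    stats = defaultdict(lambda: {"packets": 0, "syn": 0, "sources": Counter()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "DENY":
            continue
        entry = stats[rec["dport"]]
        entry["packets"] += 1
        entry["syn"] += rec["syn"]
        entry["sources"][rec["src"]] += 1
    return dict(stats)

SAMPLE = [
    # First two lines are the ones quoted in the post; the third is constructed.
    "Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)",
    "Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)",
    "Jan 24 00:01:02 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:40000 213.23.38.146:22 L=60 S=0x00 I=100 F=0x4000 T=54 SYN (#3)",
]

if __name__ == "__main__":
    for port, entry in sorted(summarize(SAMPLE).items()):
        print(port, entry["packets"], entry["syn"], len(entry["sources"]))
```

Run against the full log, many distinct sources each sending one or two SYNs to a single port looks different from one source walking many ports, which helps narrow down what the denied traffic is.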


