Mailinglist Archive: opensuse-security (636 mails)

compromised?
  • From: "Achim Ehrlich" <achim@xxxxxxxxxx>
  • Date: Thu, 8 Feb 2001 21:16:41 +0100
  • Message-id: <000701c0920c$0c885ce0$0301a8c0@xxxxxxxxxxxxxxx>
Hello list,

I'm running a little home network and scan my messages only occasionally.
Today I found that my /var/log/messages was flooded with the following
messages from ipchains:

Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.11:56795 213.23.38.146:6346 L=44 S=0x00 I=9 F=0x4000 T=236 SYN (#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4734 213.23.38.146:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)
Jan 24 00:01:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.234.42.72:61344 213.23.38.146:6346 L=48 S=0x00 I=26187 F=0x4000 T=110 SYN (#3)
Jan 24 00:01:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.79.80.43:2276 213.23.38.146:6346 L=44 S=0xD8 I=56969 F=0x4000 T=109 SYN(#3)

This went on for hours. Afterwards there were similar messages, the access
port varying, but 6346 and 27374 being the most often used ones. It was not
this long anymore, though. I looked up the ports in /etc/services but found
no service attached to them. Sometimes it was also followed up by a try to
access my box on port 22 or 80 by one of the addresses (denied also). I also
ran netstat -apln; the only entries I couldn't explain were:

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 120/
tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN 61/

I'm quite worried about all this because, although my firewall denies all
these packets, there seems to be a program running which broadcasts my
dynamic IP address when connected to the internet. This makes me feel quite
uncomfortable.
I also added two new rules to my firewall script now, rejecting outgoing
requests to ports 6346 and 27374, to be able to trace this matter further.
Until now nothing has shown up.
I have only a basic understanding of all these things, so can somebody
please tell me if this is a compromise, or am I paranoid?
Is it also possible that it is not the Linux server but a client which is
compromised? It would be an Apple box in this case.
It's a SuSE 6.4 box with firewalling/masquerading. The firewall script is my
own (at least partially).
thx for any help

achim
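One way to read a flood like the one quoted above, as an added example that is not part of Achim's post or of SuSE's tooling: it parses ipchains "Packet log:" entries (one per line, so mail-wrapped lines must be rejoined first), groups the denied packets by chain and destination port, and separates connection attempts arriving from outside, which the input chain records, from anything the host itself sends, which would only ever appear on the output chain. The sample entries are constructed (the first two are the post's own, the others use RFC 5737 test addresses); for context, 6346 is the default port of Gnutella peers, so a dynamic address that was recently held by such a peer keeps attracting inbound SYNs without any local program being involved.

```python
import re
from collections import defaultdict
# Constructed sample in the ipchains "Packet log:" format quoted in the post: the first two
# entries are the post's own (rejoined onto one line each), the others use RFC 5737 addresses.
SAMPLE_LOG = """\
Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN (#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN (#3)
Jan 24 00:01:05 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:1044 213.23.38.146:27374 L=48 S=0x00 I=2 F=0x4000 T=118 SYN (#3)
Jan 24 00:01:09 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:1045 213.23.38.146:22 L=48 S=0x00 I=3 F=0x4000 T=118 SYN (#3)
"""
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: Packet log: (?P<chain>\S+) (?P<verdict>\S+) "
    r"\S+ PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=\d+\s*(?P<syn>SYN)?\s*\(#\d+\)\s*$"
)
READINGS = {"input": "inbound connection attempts, dropped unanswered",
            "output": "sent by this host: trace the local process"}

def entries(log_text):
    """Yield the fields of each ipchains entry in log_text; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(log_text):
    """Denied packets grouped by (chain, destination port), with the distinct senders."""
    groups = defaultdict(lambda: {"count": 0, "syn": 0, "sources": set()})
    for rec in entries(log_text):
        if rec["verdict"] != "DENY":
            continue
        g = groups[(rec["chain"], int(rec["dport"]))]
        g["count"] += 1
        g["syn"] += 1 if rec["syn"] else 0
        g["sources"].add(rec["src"])
    return groups

def assess(groups):
    """(port, packets, SYNs, distinct sources, reading) per group, busiest first.
    Input-chain entries came from outside and were dropped; only an output-chain
    entry would point at a program on this host using that port."""
    return [(dport, g["count"], g["syn"], len(g["sources"]), READINGS.get(chain, "other chain"))
            for (chain, dport), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"])]

def multi_port_sources(log_text):
    """Remote hosts that tried more than one local port (e.g. 27374, then 22)."""
    ports = defaultdict(set)
    for rec in entries(log_text):
        if rec["chain"] == "input":
            ports[rec["src"]].add(int(rec["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) > 1}
```

Run against the real log with `summarize(open("/var/log/messages").read())`; many distinct sources all landing on the input chain is background noise aimed at the address, while a single source walking several ports is the follow-up probing the post describes.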
