Hello Christian,

I've just read a story on The Register about the mutating nature of the Lion worm (http://www.theregister.co.uk/content/8/17929.html). Reading the following quote from the article and remembering your posting did indeed ring some bells:

"The new Lion worm sets up an HTTP server on port 27374 and erects a page bearing greetz from the Lion crew"

So your log entries possibly are a Lion attack signature? I wonder ...

Regards,
Martin

On Wednesday 28 March 2001 12:11, Christian Gorski wrote:
Hello friends of Linux,

does anybody know what I've got here, where X.X.X.1 is the box which logs these messages?
1)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=337 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=3921 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:39 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=6993 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:41 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=18257 F=0x4000 T=111 SYN (#42)
... snip ...
-- 
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Tel.: +49-251-83-33557 Fax: +49-251-83-39083
E-Mail (work): lewelin@uni-muenster.de
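
An added example, not part of either poster's message: a small Python parser for the ipchains "Packet log" lines quoted above that counts denied TCP SYNs to port 27374 per source and destination. The first three sample lines are taken from the thread; the fourth is constructed to show that other ports are ignored, and the function names are this example's own.

```python
import re
from collections import Counter

# ipchains "Packet log" line: chain, target, interface, IP protocol number,
# src:port, dst:port, then L= (length) S= (TOS) I= (IP id) F= (frag field)
# T= (TTL), an optional SYN marker and the number of the matching rule.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>\S+) I=(?P<id>\d+) F=(?P<frag>\S+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

WATCH_PORT = 27374  # the port discussed in the thread

# Lines 1-3 are from the thread; line 4 is constructed for this example.
SAMPLE = """\
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4586 X.X.X.1:27374 L=48 S=0x00 I=59472 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=60496 F=0x4000 T=111 SYN (#42)
Mar 27 19:46:38 linux kernel: Packet log: input DENY eth0 PROTO=6 212.94.211.160:4590 X.X.X.255:27374 L=48 S=0x00 I=337 F=0x4000 T=111 SYN (#42)
Mar 27 19:47:02 linux kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1025 X.X.X.1:25 L=48 S=0x00 I=100 F=0x4000 T=60 SYN (#42)
"""

def parse(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize(text, port=WATCH_PORT):
    """Count denied TCP SYNs to `port`, keyed by (source, destination)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if (rec and rec["target"] == "DENY" and rec["proto"] == 6
                and rec["syn"] and rec["dport"] == port):
            hits[(rec["src"], rec["dst"])] += 1
    return hits

if __name__ == "__main__":
    for (src, dst), n in summarize(SAMPLE).most_common():
        print(f"{src} -> {dst}:{WATCH_PORT}  denied SYNs: {n}")
```
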