Mailinglist Archive: opensuse-security (232 mails)

Strange log entries
  • From: Lyle Giese <lyle@xxxxxxxxxxxxxxx>
  • Date: Thu, 06 Oct 2005 09:38:33 -0500
  • Message-id: <434536E9.8080503@xxxxxxxxxxxxxxx>
I have a machine running SuSE v8.2 pro running Apache v2.0.54 (installed from Apache source) and found this in the logs this morning:


Oct 5 19:38:43 linux2 kernel: TCP: Treason uncloaked! Peer 211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
Oct 5 19:38:43 linux2 kernel: klogd 1.4.1, ---------- state change ----------
Oct 5 19:38:43 linux2 kernel: Inspecting /boot/System.map-2.4.20-64GB-SMP
Oct 5 19:38:43 linux2 kernel: Loaded 21295 symbols from /boot/System.map-2.4.20-64GB-SMP.
Oct 5 19:38:43 linux2 kernel: Symbols match kernel version 2.4.20.
Oct 5 19:38:43 linux2 kernel: Loaded 1624 symbols from 31 modules.
Oct 5 19:38:44 linux2 kernel: TCP: Treason uncloaked! Peer 211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
Oct 5 19:38:46 linux2 kernel: TCP: Treason uncloaked! Peer 211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.


Not sure what this means.
When I found these this morning, I went snooping on the system. rkhunter and chkrootkit show nothing unusual. I don't see anything unusual anywhere except netstat showed a bunch of connects to tcp port 22 from 218.103.185.218 in TimeWait state. They went away after I restarted NCFTPD (yes, I am using a third party ftp server) a couple of times. Not sure if these are related or if someone was trying a DoS attack on ftp.

Thanks for any insight on these two issues.
Lyle Giese
LCR Computer Services, Inc.
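
A triage sketch for the kernel lines quoted in the message above, added here as an example and not part of the original post: it groups the "Treason uncloaked" entries by peer and local port and reports how much sent data was still unacknowledged. The field order (peer IP, peer port, local port, then the two TCP sequence numbers) and the names `TREASON` and `summarize` are assumptions of this example.

```python
import re
from collections import defaultdict

# Assumed field order: Peer <peer IP>:<peer port>/<local port>
# shrinks window <snd_una>:<snd_nxt> (32-bit TCP sequence numbers).
TREASON = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:\s+"
    r"TCP: Treason uncloaked! Peer (?P<peer>\d+(?:\.\d+){3}):"
    r"(?P<pport>\d+)/(?P<lport>\d+) shrinks window "
    r"(?P<una>\d+):(?P<nxt>\d+)\. Repaired\.\s*$"
)

# Sample input: lines copied from the message above (three matches, one klogd line).
SAMPLE = """\
Oct 5 19:38:43 linux2 kernel: TCP: Treason uncloaked! Peer 211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
Oct 5 19:38:43 linux2 kernel: klogd 1.4.1, ---------- state change ----------
Oct 5 19:38:44 linux2 kernel: TCP: Treason uncloaked! Peer 211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
Oct 5 19:38:46 linux2 kernel: TCP: Treason uncloaked! Peer 211.136.182.106:46312/80 shrinks window 3980592615:3980594075. Repaired.
"""


def summarize(lines):
    """Group 'Treason uncloaked' entries by (peer IP, local port)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "peer_ports": set(), "max_unacked": 0})
    for line in lines:
        m = TREASON.match(line.strip())
        if not m:
            continue  # unrelated kernel or klogd output
        g = groups[(m["peer"], int(m["lport"]))]
        g["count"] += 1
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
        g["peer_ports"].add(int(m["pport"]))
        # Bytes sent but not yet acknowledged; the modulo handles sequence wrap.
        unacked = (int(m["nxt"]) - int(m["una"])) % 2**32
        g["max_unacked"] = max(g["max_unacked"], unacked)
    return dict(groups)


if __name__ == "__main__":
    for (peer, lport), g in summarize(SAMPLE.splitlines()).items():
        print(f"{peer} -> local port {lport}: {g['count']} entries, "
              f"{g['first']} to {g['last']}, peer ports {sorted(g['peer_ports'])}, "
              f"up to {g['max_unacked']} bytes unacknowledged")
```

On the quoted lines this yields a single group: one peer, one peer port, local port 80, which is one connection logged three times rather than three separate connections.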

