On Tuesday 07 November 2006 11:35, pelibali wrote:
Hi,
I recently got two "interesting" attacks (=not standard M$-kiddies / worms) and would be glad if someone would take the time to explain to me what was supposed to happen there (145.236.x.x are the dynamic addresses of a freenet provider; of course I don't use any 192.168.1.x-type internal addresses and don't have 210.6.33.94 as a gateway):
Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]
You will get these all day long. It's either some windows machine plugged directly into the net (horrors) looking for a mate, or messenger spam. Starts at 1029 and runs upward from there. Plug a windows machine into the net and one of these is sure to pop up within minutes, saying "Click here to improve internet security." ICQ can also use that port.
Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
That one above looks like what happens when Joe Sixpack plugs his router into his internet connection with the ports reversed. It's got 192.168 on the outside (toward the net) and it's looking for windows machines.

-- 
_____________________________________
John Andersen
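The two log lines quoted in the thread, read programmatically. This is an added example, not code from the thread or from SuSEfirewall2: it splits the netfilter LOG fields (including the bracketed copy of the original packet that an ICMP Redirect carries) and flags the two conditions discussed above, an RFC 1918 source arriving on the external interface and a redirect sent by a host that is not the configured gateway. The sample lines are constructed copies of the ones above; `external_ifaces` and `my_gateways` are assumed parameters.

```python
import ipaddress
import re

# Constructed sample entries, modelled on the two SuSE-FW lines quoted in the thread.
LOG_LINES = [
    "Oct 12 21:53:40 moorczy kernel: SuSE-FW-DROP-ICMP-CRIT IN=ppp0 SRC=210.6.34.56 "
    "DST=145.236.115.203 LEN=56 TOS=0x00 PREC=0x00 TTL=42 ID=15399 PROTO=ICMP TYPE=5 "
    "CODE=1 GATEWAY=210.6.33.94 [ SRC=145.236.115.203 DST=210.6.33.94 LEN=46 TOS=0x00 "
    "PREC=0x00 TTL=40 ID=63342 DF PROTO=UDP SPT=1029 DPT=23792 LEN=26 ]",
    "Oct 13 13:26:52 moorczy kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.168.1.10 "
    "DST=145.236.212.120 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15580 DF PROTO=TCP SPT=1270 "
    "DPT=139 WINDOWS=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)",
]

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens; OUT= and MAC= may be empty

def parse_fw_line(line):
    """Return the KEY=value fields of a netfilter LOG line. ICMP error messages also
    quote the original packet's header in [...]; that part goes into rec['INNER']."""
    outer, _, inner = line.partition("[")
    rec = dict(FIELD_RE.findall(outer))
    rec["INNER"] = dict(FIELD_RE.findall(inner))   # {} when no quoted packet
    rec["SYN"] = " SYN " in outer                   # TCP flag words have no '='
    return rec

def classify(rec, external_ifaces=("ppp0",), my_gateways=()):
    """Name the reasons a dropped packet is suspicious (assumed helper, defender's view)."""
    findings = []
    src = ipaddress.ip_address(rec["SRC"])
    if rec.get("IN") in external_ifaces and src.is_private:
        # RFC 1918 sources must never arrive from the internet side: a NAT box wired
        # backwards (the thread's second case) or a spoofed source.
        findings.append("private-source-on-external-interface")
    if rec.get("PROTO") == "TCP" and rec["SYN"] and rec.get("DPT") in ("137", "138", "139", "445"):
        findings.append("netbios-smb-probe")
    if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "5":
        # ICMP Redirect (type 5; CODE=1 means redirect for host). Only the current
        # first-hop gateway may send one, and it must quote a packet we actually sent.
        findings.append("icmp-redirect")
        if str(src) not in my_gateways:
            findings.append("redirect-from-non-gateway")
        if rec["INNER"].get("SRC") != rec.get("DST"):
            findings.append("redirect-quotes-foreign-packet")
    return findings

if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_fw_line(line)
        print(rec["SRC"], "->", rec["DST"], rec.get("PROTO"), classify(rec))
```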