Michael Havens wrote:
>
> Do you use 'dmessage'. I tried that but after I did I got a bunch of lines
> which filled the buffer that said:
>
> DROPPED IN= OUT=eth0 (etc)
>
> Which a fellow PLUGer said was my ethernet alerting the world that it was
> there.
>
> Hey, I just thought of a way to fix it. If it is alerting the world it is
> there it must do so because it isn't communicating with anything. If I were
> to ping it every..... minute it probably would stop it.
>
> Well, upon testing the theory, that has been proven to be wrong. (Tested by
> pinging the interface.)
>
> Weird thing happened: right before I typed in the 'ping ' command
> it gave me a
>
> DROPPED IN= OUT=ppp0 ... SRC=67.41.211.234 DST=67.224.21.226 <- This is ppp0's
> IP address
>
> Does this indicate someone pinged me or something like that?

What you are looking at is a message from the packet filter. And yes,
someone tried to connect to your system from 67.41.211.234 (a Qwest
network). The good stuff is in the part you omitted. Here's one from my
logs to dissect:

Firewalled packet:IN=eth0 OUT= MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00 SRC=24.36.10.227 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=30768 DF PROTO=TCP SPT=2455 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0

This is from 24.36.10.227, which belongs to Cogeco Cable Canada Inc.

Cogeco Cable Canada Inc. CGOC-HALA5-1 (NET-24-36-0-0-2)
                                  24.36.0.0 - 24.36.15.255

$ fwhois 24.36.10.227@whois.arin.net

The DST is my IP address. I x'd it out, even though it is available in the
mail headers, which are in the archives, which are publicly accessible
anyway. This emphasises why everyone on this list should make sure they
have a good firewall in place and ensure it has been tested.

TTL=104 tells me it is a Windows box. Windows uses a TTL of 128 and Unix
uses a TTL of 64 (in most cases). Standard disclaimer applies: scanning
tools can change default network packet characteristics to obfuscate their
intentions and origin.

SPT is the source port.

DPT is the destination port (4899) - someone is trying to take over my
Windows box: http://www1.dshield.org/port_report.php?port=4899

The packet is a SYN packet - the first one in establishing a TCP connection
(which I drop into the bit bucket with extreme prejudice).

If you want to see some really neat tricks, take all the source IPs from
your log, awk (or cut) the IP out, sort -u, then do a reverse DNS lookup on
the resulting list. I get companies probing me, company mail servers, name
servers hitting me all the time. I'm quite sure the company is not doing
it - their machines were compromised, so I e-mail them and let them know.

--
George Toft, CISSP, MSIS
AGD,LLC
www.agdllc.com
623-203-1760

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
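The "awk the IP out, sort -u, reverse lookup" trick and the TTL rule of thumb from the reply above, written out as a runnable script. This is an added example, not George's or the list's own code. The log lines in it are constructed to match the layout of the dissected packet (the MAC is reused from the post only for shape; the addresses are RFC 5737 documentation ranges), the function names are my own, and the reverse lookup step is defined but not invoked because it needs the network.

```sh
#!/bin/sh
# Constructed sample of netfilter LOG lines in the same layout as the one
# dissected above. NOT lines from the post's logs: the MAC is reused from
# the post for shape only, the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Firewalled packet:IN=eth0 OUT= MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00 SRC=203.0.113.227 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=30768 DF PROTO=TCP SPT=2455 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
Firewalled packet:IN=eth0 OUT= MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Firewalled packet:IN=eth0 OUT= MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00 SRC=203.0.113.227 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=30769 DF PROTO=TCP SPT=2456 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Firewalled packet:IN=eth0 OUT= MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00 SRC=198.51.100.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=237 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1'

# unique_sources: the "awk the IP out, sort -u" step. Walks every field so it
# works regardless of where SRC= lands on the line. Reads the log on stdin.
unique_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' | sort -u
}

# syn_probes: only TCP packets carrying the SYN flag (connection attempts),
# printed as "source-ip destination-port" so you can see what each host wanted.
# ICMP and non-SYN TCP lines are dropped.
syn_probes() {
    awk '/PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            print src, dpt
        }'
}

# ttl_guess: the rule of thumb from the post. TTL=104 is 128 minus 24 hops, so
# anything in (64,128] most likely started at the Windows default of 128 and
# anything in (0,64] at the Unix default of 64. Above 128 it started at 255
# (routers and some Unix variants). Per the disclaimer above, a scanner can set
# any TTL it likes, so treat this as a hint, not a verdict.
ttl_guess() {
    if [ "$1" -le 64 ]; then
        echo unix
    elif [ "$1" -le 128 ]; then
        echo windows
    else
        echo other
    fi
}

# reverse_lookup: the last step of the trick. Not run below because it needs
# the network; on a real box: printf '%s\n' "$SAMPLE_LOG" | unique_sources | reverse_lookup
reverse_lookup() {
    while read -r ip; do
        printf '%s ' "$ip"
        host "$ip" 2>/dev/null | tail -n 1
    done
}

echo "Unique sources:"
printf '%s\n' "$SAMPLE_LOG" | unique_sources
echo "SYN probes (src dport):"
printf '%s\n' "$SAMPLE_LOG" | syn_probes
echo "TTL=104 looks like: $(ttl_guess 104)"
```

On a real system replace the SAMPLE_LOG pipe with the log file you read the packet from (e.g. the output of dmesg or /var/log/messages, depending on where your syslog sends kernel messages); the same functions apply unchanged because they key on the SRC=, DPT= and PROTO= tokens rather than on column positions.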