Re: viewing startup messages

Author: George Toft
Date:  
To: plug-discuss
Subject: Re: viewing startup messages
Michael Havens wrote:
>
> Do you use 'dmessage'. I tried that but after I did I got a bunch of lines
> which filled the buffer that said:
>
>     DROPPED IN= OUT=eth0 (etc)
>
> Which a fellow PLUGer said was my ethernet alerting the world that it was
> there.
>
> Hey, I just thought of a way to fix it. If it is alerting the world it is
> there it must do so because it isn't communicating with anything. If I were
> to ping it every..... minute<?> it probably would stop it.
>
> Well, upon testing the theory that has been proven to be wrong. (tested by
> pinging the interface)
>
> Weird thing happened: right before I typed in the 'ping <interface>' command
> it gave me a
>
>     DROPPED IN= OUT=ppp0 ... SRC=67.41.211.234 DST=67.224.21.226 <- This is ppp0's
>         ipaddress
>
> Does this indicate someone pinged me or something like that?
What you are looking at is a message from the packet filter. And yes,
someone tried to connect to your system from 67.41.211.234 (a qwest
network). The good stuff is in the part you omitted. Here's one from
my logs to dissect:

Firewalled packet:IN=eth0 OUT=
MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00
SRC=24.36.10.227 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=104
ID=30768 DF PROTO=TCP SPT=2455 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0

This is from 24.36.10.227, which belongs to Cogeco Cable Canada Inc.
CGOC-HALA5-1 (NET-24-36-0-0-2) 24.36.0.0 - 24.36.15.255
$ fwhois

The DST is my IP address. I x'd it out, even though it is available in
the mail headers, which are in the archives, which are publicly
accessible anyway. This emphasises why everyone on this list should
make sure they have a good firewall in place and ensure it has been tested.

TTL=104 tells me it is a Windows box. Windows uses a TTL of 128 and Unix
uses a TTL of 64 (in most cases). Standard disclaimer applies: scanning
tools can change default network packet characteristics to obfuscate
their intentions and origin.

SPT is the source port. DPT is the destination port (4899) - someone is
trying to take over my Windows box:
http://www1.dshield.org/port_report.php?port=4899

The packet is a SYN packet - the first one in establishing a TCP
connection (which I drop into the bit bucket with extreme prejudice).


If you want to see some really neat tricks, take all the source IPs
from your log, awk (or cut) the IP out, sort -u, then do a reverse DNS
lookup on the resulting list. I get companies probing me, company mail
servers, name servers hitting me all the time. I'm quite sure the
company is not doing it - their machines were compromised, so I e-mail
them and let them know.

--
George Toft, CISSP, MSIS
AGD,LLC
www.agdllc.com
623-203-1760
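The dissection above (SRC/DPT/TTL/SYN fields) and the "cut the IP out, sort -u, reverse DNS" trick, as an added example that is not George's code or part of the original thread; the log lines are constructed to mirror the format quoted in the message, and the TTL-to-OS mapping is his 64/128 heuristic.

```python
import re
import socket

# Constructed sample netfilter log lines (not from the original post): the first
# mirrors the line George pasted, with the DST masked as he did.
SAMPLE_LOG = """\
Firewalled packet:IN=eth0 OUT= MAC=00:40:f4:18:b6:88:00:d0:c0:f9:c5:9f:08:00 SRC=24.36.10.227 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=30768 DF PROTO=TCP SPT=2455 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
DROPPED IN=ppp0 OUT= SRC=67.41.211.234 DST=67.224.21.226 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=ICMP TYPE=8 CODE=0
DROPPED IN=ppp0 OUT= SRC=24.36.10.227 DST=67.224.21.226 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=30769 DF PROTO=TCP SPT=2456 DPT=4899 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=value pairs; value may be empty (OUT=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
INITIAL_TTLS = (64, 128, 255)                    # common starting TTLs: Unix, Windows, network gear

def parse_line(line):
    """Turn one netfilter log line into a dict of fields; bare tokens like SYN become FLAGS."""
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = sorted(TCP_FLAGS & set(line.split()))
    return rec

def guess_initial_ttl(ttl):
    """TTL only decrements in transit, so the smallest common initial value at or above
    the observed one is the likely origin (104 -> 128, Windows). Spoofable: a hint only."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    return None

def summarise(log_text):
    """Per-source summary (the 'cut the IP out, sort -u' step): hits, dst ports, TTL guess."""
    sources = {}
    for line in log_text.splitlines():
        if "SRC=" not in line:
            continue
        rec = parse_line(line)
        entry = sources.setdefault(rec["SRC"], {"hits": 0, "dports": set(), "ttl_guess": None})
        entry["hits"] += 1
        if rec.get("DPT"):
            entry["dports"].add(int(rec["DPT"]))
        entry["ttl_guess"] = guess_initial_ttl(int(rec["TTL"]))
    return sources

def reverse_lookup(ip):
    """Reverse DNS for one source, as the post suggests; None without a PTR record or network."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None
```

Run `summarise(SAMPLE_LOG)` to get the per-source table, then `reverse_lookup` on each key when you have connectivity; the lookups are the only part that needs the network.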
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss