Very Computer

Quote:>I saw the following in my logs.  Can someone tell me what they
>mean?  What is going on?  It looks like someone tried to enter my
>ftp port, but my firewall kept them away.

As you may note, BellSouth.net is also my ISP, and around 1:00am Monday
morning, they hit me too. It appears to be a poorly configured Linux
box.

My guess is that this computer has been cracked and is now used by the
cracker to launch more scans/attacks.

[SNIP]

Quote:>Oct 11 01:44:01 gateway kernel: Packet log: input DENY eth1
>PROTO=1 24.1.69.99:0 xxx.xxx.xxx.xxx:0 L=84 S=0x00 I=42757
>F=0x0000 T=50 (#3)  

That's in the EST time zone (GMT -0500).

Anton

--

Silence is wise if we are foolish, but foolish if we are wise.

My LAN has an internal network of 192.168.1.0/24, and there is
one card on another machine of my network at 192.168.0.100, but
it is connected to another switch.  From my tcpdump session, I
saw that there was a lot of network traffic from the network of
192.168.0.0/24, but not from my 192.168.0.100.  What would cause
this traffic?  There are a lot of
arp who-has 192.168.0.1 (Broadcast) tell 192.168.0.4

It appears someone is trying to use a hobbyist address to break
into my system from the outside and appear as if they are a host
from the inside.  Does anyone know about this?

Thanks.

--
J. J. Horner (REMOVE NOSPAM before replying)

System has been up
  9:15am  up 4 days, 17:13,  1 user,  load average: 0.06, 0.03,
0.00

/sbin/ipchains -A input -i eth0 -s ! 192.168.5.0/24 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 192.168.5.0/24 -j DENY -l
/sbin/ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY -l

eth0 is an internal and eth1 is the outside world connection.  You might
add the 192.1.0 series too.

--
UNIX - Not just for vestal *s anymore
Linux - Choice of a GNU generation

Quote:>Yes, it's a pretty good way to spoof for internal networks considering
>people generally tend to allow anything coming from one of the internal
>network.  Try these (and alter to suit)
>/sbin/ipchains -A input -i eth0 -s ! 192.168.5.0/24 -j DENY -l
>/sbin/ipchains -A input -i eth1 -s 192.168.5.0/24 -j DENY -l
>/sbin/ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY -l

My first two ipchains lines read:

ipchains -A input -i ! eth1 -j ACCEPT

... which I think pretty much covers the cases above (then I go do the rest
of my filtering).

        -Kenny

--
Kenneth R. Crudup   Sr. SW Engineer, Scott County Consulting, Washington, D.C.
Home1: 8051 Newell St. #914     Silver Spring, MD 20910-0914    (301) 562-1922
Home2: 38010 Village Cmn. #217  Fremont, CA 94536-7525          (510) 745-8181
Work:  19420 Homestead Road     Cupertino, CA 95014-0606        (408) 447-6654