sherm (sherman)
Registered: 10/02/03
Posts: 20,498
Loc: Euthanasia

linux system security logs, possible break in? network guru needed
#4026277 - 04/07/05 03:01 PM

I noticed that I get strange output on my first terminal, tty1.
tty1 is logged out; there is only the login prompt.
The output shows up in the login prompt.
I hit enter and it goes back to the login prompt.
This output is also in my /var/log/kern.log.

This is what shows up.
I added the ***** where the MAC address is.

Apr 3 12:43:59 localhost kernel: ABORTED IN=eth1 OUT= MAC=**:**:**:**:**:**:**:**:**:**:**:**:**:** SRC=207.248.240.119 DST=192.168.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=1260 PROTO=TCP SPT=80 DPT=1731 SEQ=0 ACK=3327887052 WINDOW=0 RES=0x00 ACK RST URGP=0


Sometimes it looks like this:
Apr 6 01:18:18 localhost kernel: DROPPED IN= OUT=eth1 SRC=192.168.0.4 DST=205.171.3.65 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=3237 DF PROTO=UDP SPT=1024 DPT=53 LEN=46


I did an ipwhois on the IP addresses.
This is what I got:


inetnum: 207.248.224/19
status: reallocated
owner: Alestra
ownerid: MX-ALES-LACNIC
responsible: Inet Administrator
address: Ave. Munich 175, Col. Cuauhtemoc, 175,
address: 66450 - San Nicolas de los Garzas - NL
country: MX
phone: +52 81 87486201 [6201]
owner-c: INA2
tech-c: INA2
created: 19980401
changed: 20040723
inetnum-up: 207.248/15

nic-hdl: INA2
person: Inet Administrator
e-mail: *********@ALESTRA.NET.MX
address: Ave. Munich, 175,
address: 66450 - San Nicolas de los Garza - NL
country: MX
phone: +52 81 87486201 [6201]
created: 20030206
changed: 20030206

---------------------------------------------------------------------------------------

OrgName: Colorado SuperNet, Inc.
OrgID: CSN
Address: 950 17th Street
Address: Suite 1900
City: Denver
StateProv: CO
PostalCode: 80202
Country: US

NetRange: 205.168.0.0 - 205.171.255.255
CIDR: 205.168.0.0/14
NetName: CSN-BLOCK-7
NetHandle: NET-205-168-0-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: DCA-ANS-01.INET.QWEST.NET
NameServer: SVL-ANS-01.INET.QWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1995-03-17
Updated: 2001-05-04

TechHandle: QN-ARIN
TechName: NOC
TechPhone: +1-703-363-3001
TechEmail: *******@qwestip.net

OrgAbuseHandle: QIA2-ARIN
OrgAbuseName: Qwest, Communications
OrgAbusePhone: +1-877-886-6515
OrgAbuseEmail: *****@qwest.net

OrgNOCHandle: QIN-ARIN
OrgNOCName: Qwest IP NOC
OrgNOCPhone: +1-877-886-6515
OrgNOCEmail: *******@qwestip.net

OrgTechHandle: QIA-ARIN
OrgTechName: Qwest IP Admin
OrgTechPhone: +1-877-886-6515
OrgTechEmail: *******@qwest.com


The first ipwhois is out of Mexico.
The IP is one digit off from a proxy that I have been using with Firefox:
207.248.240.119
The last octet is the host digits, correct?
The proxy I have been using is 207.248.240.118.


I have no idea how the second IP could be related to anything I have set up.

Can anyone give me a rundown of what is going on here?
It would be more than appreciated.
Thanks a lot.


--------------------
shroomery.
not even once.



Seuss (Error: divide by zero)
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean

Re: linux system security logs, possible break in? network guru needed [Re: sherm]
#4026534 - 04/07/05 03:51 PM

> Colorado SuperNet, Inc.

Dunno about your original question, but Colorado SuperNet, Inc. was bought by Qwest Communications sometime in late '97 or early '98.


--------------------
Just another spore in the wind.


tak (geo's henchman)
Registered: 11/21/00
Posts: 3,758
Loc: nowhereland

Re: linux system security logs, possible break in? network guru needed [Re: Seuss]
#4027794 - 04/07/05 08:26 PM

Some logs over a certain degree of severity are also appended to /dev/console, which is where your screen is probably idling, or sometimes directly to that tty.

I have no clue what that shit means, but if I were to guess, I would just assume it was just a network error, and not worry.


--------------------
The DJ's took pills to stay awake and play for seven days.


sherm (sherman)
Registered: 10/02/03
Posts: 20,498
Loc: Euthanasia

Re: linux system security logs, possible break in? network guru needed [Re: tak]
#4030181 - 04/08/05 11:34 AM

I figured it out: the output was actually being generated by my firewall.

This is a dropped packet headed out to 205.171.3.65:
DROPPED IN= OUT=eth1 SRC=192.168.0.4 DST=205.171.3.65
I'm not sure why there are packets going to 205.171.3.65.
I think it could be a DHCP request.
But if it was dropping the DHCP request I wouldn't be here with my firewall up...


This is a packet that was headed into my system from 207.248.240.119:
ABORTED IN=eth1 OUT= MAC=**:**:**:**:**:**:**:**:**:**:**:**:**:** SRC=207.248.240.119 DST=192.168.0.4

Does anyone know a little about firewall logging?
Would you mind explaining this a little?

Thanks again.


--------------------
shroomery.
not even once.



kronnyQ (SuperstudExtraordinaire)
Registered: 07/23/04
Posts: 2,488
Loc: Anytown USA

Re: linux system security logs, possible break in? network guru needed [Re: sherm]
#4031470 - 04/08/05 05:45 PM

I prefer security at the router level; it's a lot easier to work with.

If you have a decent router, just close all your ports and view all denied attempts in your log.

Can't really go raising suspicion just from some packets in Linux; all the intarweb really is is packets going back and forth.


nife (I'm Dead)
Registered: 12/26/03
Posts: 225

Re: linux system security logs, possible break in? network guru needed [Re: kronnyQ]
#4052920 - 04/14/05 02:15 AM

Dropped packets are good; that means that your firewall, iptables, dropped it. I have 45000 in a couple of days, no big deal.

The other one I am not sure about; it looks like the syn/ack packets got messed up. They are the equivalent of saying hello and responding. It's not a big deal, though I would keep a little bit of a watch on it.

Kronny: if you use a D-Link router then you use Linux for your firewall. You just didn't know it.

Also, lots of home routers are loosely based on the iptables idea, so yeah, Linux rocks for the firewall task.


--------------------
Protect Your Rights
Freedom Card


MAIA (World-BridgerKartikeya (DftS))
Registered: 04/27/01
Posts: 7,275
Loc: Erra - 20 Tauri - M45 Sta...

Re: linux system security logs, possible break in? network guru needed [Re: sherm]
#4053496 - 04/14/05 06:54 AM

Quote:
Apr 3 12:43:59 localhost kernel: ABORTED IN=eth1 OUT= MAC=**:**:**:**:**:**:**:**:**:**:**:**:**:** SRC=207.248.240.119 DST=192.168.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=1260 PROTO=TCP SPT=80 DPT=1731 SEQ=0 ACK=3327887052 WINDOW=0 RES=0x00 ACK RST URGP=0

I believe this is not a problem. The external IP address 207.248.240.119 is trying to connect to your port 1731 (which is a MSICCP audio server) using its port 80, so probably that address is using a web browser and trying to connect to an audio server. If you have a dynamic IP, things like this can happen if someone has a broken DNS table or one that hasn't been updated.

Quote:
Apr 6 01:18:18 localhost kernel: DROPPED IN= OUT=eth1 SRC=192.168.0.4 DST=205.171.3.65 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=3237 DF PROTO=UDP SPT=1024 DPT=53 LEN=46

Check your DNS server IP address. Judging by the low port number (1024) it's probably a Microsoft server trying to connect to your port 53 (DNS). I wouldn't worry too much about it; your firewall is correctly dropping packets for that port, and that's a good thing to do for ports between 1024 and 1030. Those MS guys should learn a bit more about reserved ports ...

Anyway, dropping packets is a good idea because you're invisible to anyone trying to attack you. The difference between dropping packets and blocking packets is that dropping won't send a confirmation packet back to the source address; they are simply dropped. Blocking does send a confirmation packet saying "I'm here but you cannot get in". Some network admins don't like firewalls set up with drop; they like to see everything .....

MAIA


--------------------
Spiritual being, living a human experience ... The Shroomery Mandala



Use, do not abuse; neither abstinence nor excess ever renders man happy.
Voltaire


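The two lines quoted in this thread use the netfilter LOG target's format: a rule-supplied prefix (here "ABORTED" and "DROPPED"), then KEY=VALUE fields, with bare tokens such as DF, ACK and RST for IP and TCP flags. As an added example that is not part of the thread, this parser splits such a line into its fields and gives the defender's reading of each: the first line is an inbound TCP RST/ACK from port 80 (a web server refusing or tearing down a connection, not a new connection attempt), and the second is a DNS query the host itself sent (IN empty, OUT set, i.e. the OUTPUT chain) that its own rules dropped. The log lines are copied from the thread with the MAC already masked by the poster.

```python
# Constructed copies of the two netfilter LOG lines quoted in this thread
# (MAC field masked by the original poster).
LOG_LINES = [
    "Apr 3 12:43:59 localhost kernel: ABORTED IN=eth1 OUT= MAC=**:**:**:**:**:**:**:**:**:**:**:**:**:** SRC=207.248.240.119 DST=192.168.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=1260 PROTO=TCP SPT=80 DPT=1731 SEQ=0 ACK=3327887052 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Apr 6 01:18:18 localhost kernel: DROPPED IN= OUT=eth1 SRC=192.168.0.4 DST=205.171.3.65 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=3237 DF PROTO=UDP SPT=1024 DPT=53 LEN=46",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line: str) -> dict:
    """Split a netfilter LOG line into a dict.

    KEY=VALUE tokens become entries (an empty value, e.g. 'OUT=', is kept as "");
    the second LEN= that UDP/ICMP lines carry is stored as 'LEN2'; bare tokens
    (DF, ACK, RST, ...) are collected in 'flags'. The text between 'kernel: '
    and the first ' IN=' is the rule's --log-prefix string.
    """
    _, _, rest = line.partition("kernel: ")
    prefix, _, body = rest.partition(" IN=")
    fields = {"prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + body).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key in fields:          # second LEN= is the inner UDP/ICMP length
                key += "2"
            fields[key] = val
        else:
            fields["flags"].add(tok)
    return fields


def describe(fields: dict) -> str:
    """Plain-language reading of one parsed line from the firewall's point of view."""
    # IN set -> packet arrived on an interface; IN empty + OUT set -> generated locally (OUTPUT chain).
    direction = "inbound" if fields.get("IN") else "outbound"
    proto = fields.get("PROTO", "?")
    text = (f"{fields['prefix']}: {direction} {proto} "
            f"{fields['SRC']}:{fields.get('SPT', '-')} -> {fields['DST']}:{fields.get('DPT', '-')}")
    if proto == "TCP" and fields["flags"] & TCP_FLAGS == {"ACK", "RST"}:
        # RST/ACK with SEQ=0 WINDOW=0: the peer is refusing or tearing down a
        # connection, typically in reply to a segment it did not expect.
        text += " (RST/ACK from remote side: connection refused or torn down, not a new connection attempt)"
    if proto == "UDP" and fields.get("DPT") == "53" and direction == "outbound":
        text += " (DNS query sent by this host, dropped by a local OUTPUT rule)"
    return text


if __name__ == "__main__":
    for line in LOG_LINES:
        print(describe(parse_netfilter_line(line)))
```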