Re: Curious messages
From: Paul Nixon (pnixon18@cox.net)
Date: 01/28/03
- Next message: dragon: "About DNS"
- Previous message: Marek Zawadzki: "Re: IP fragments in 2.4.18 (firewall question)"
- In reply to: Vlad Tsyrklevich: "Re: Curious messages"
- Next in thread: Alessandro Selli: "Re: Curious messages"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Paul Nixon" <pnixon18@cox.net> Date: Tue, 28 Jan 2003 15:13:26 GMT
Vlad Tsyrklevich <root@127.0.0.1> wrote in message
news:pan.2003.01.28.05.44.29.923336.4277@127.0.0.1...
> On Mon, 27 Jan 2003 20:22:28 -0800, Paul Nixon wrote:
>
> > Hi folks,
>
> Hey.
>
> > I have a Mandrake 7.2 system and I've noticed some curious messages in
> > the logs lately of the form:
>
> 7.2? Do you mean 8.2?
Hello. No, I mean 7.2. This system has been in operation for quite a long
time now, and it's only been the past month (January 13th actually) that
these messages started. There are not many of them (13, 15, 17, 18, 21, 26,
27, and 28th of Jan).
>
> > Oct 21 04:03:55 Trickyd : - Opened ports : udp 0 0
> > 192.168.0.1:netbios-dgm *:* 1079/nmbd
> > Oct 21 04:03:55 Trickyd : - Opened ports : udp 0 0
> > 192.168.0.1:netbios-ns *:* 1079/nmbd
> [snip other entries]
>
> Strange, those ports are unassigned as far as I know (yes I checked a port
> listing =)), sounds like a trojan/root shell/etc. listening on the ports,
> would run a sniffer and see the traffic that it gets.
Trojan/root shell was my thought, but I have checked the system for such and
found nothing.
>
> Let's analyze this entry:
>
> > Jan 26 10:51:46
> Date and time :-)
> > Trickyd kernel:
> No idea, sounds like Tricked kernel but google didn't turn up anything :/
Trickyd is my host name.
> > Packet log: output DENY eth0 PROTO=6 68.104.142.250:61776
> > 192.168.0.1:139
> Sounds like it's set to deny packets over your LAN (protocol:
> TCP/IP) and is blocking 68.104.142.250 on port 61776 from accessing your
> 192.168.0.1's (guessing your gateway) NetBios port.
68.104.142.50 is an unknown external ip. This morning I am able to ping that
address, but traceroute only gets as far as my ISP (hmm, possible hint).
192.168.0.1 does not exist on my network. There was an entry in my smb.conf
that listed 192.168.0.1 as a valid interface, but that was from some testing
a long time ago.
> > L=48 S=0x00 I=53876 F=0x4000 T=126 SYN (#5)
> These I don't know other than SYN which is connect. F could mean fragment?
>
> [snip other messages]
>
> > The output deny messages start Jan 13 and happen again on the 15, 17,
> > 18, 21, and 26th of January.
> Is there anything special you were running on these days?
> > I have Samba running on this system, and checking the smb.conf file I
> > see that 192.168.0.1 was active as a valid interface, though no such
> > interface is physically present in the system. I did some mucking around
> > with virtual interfaces some time ago and probably left the entry, as
> > near as I can think of.
>
> Have you used Samba before and not gotten this? It sounds like Samba
> because it's trying to access NetBIOS (port 139). Try using it and see
> if you get this message.
I've been using Samba on this system for years without getting this. These
messages started January 13th of this year.
>
> > I'd appreciate some input on the messages. Thanks
>
> Did my best, hope they help. :-)
Thanks Vlad. Sometimes just talking it out reveals the solution. I've been
trying to think of what might have changed around January 13th, but so far
nothing comes to mind.
Paul
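The "Packet log:" line quoted above is in the ipchains (Linux 2.2) firewall log format, and its trailing fields are the IP header values: L is the total length, S the TOS byte, I the IP identification, F the raw 16-bit fragment word (flags plus offset), T the TTL, SYN means the TCP SYN flag was set, and (#n) is the rule number in the chain that matched. Since F=0x4000 is just the Don't Fragment bit with a zero offset, the quoted packet is a plain connection attempt, not a fragment. The following parser is an added example written for this thread, not code posted by either participant; the first sample line is the one from the post, the remaining lines are constructed here to exercise a UDP hit and a first fragment.

```python
import re
from typing import List, Optional, Tuple

# Layout of an ipchains (Linux 2.2) "Packet log:" line after the syslog prefix:
#   Packet log: <chain> <target> <iface> PROTO=<num> <src>:<sport> <dst>:<dport>
#               L=<IP total length> S=0x<TOS> I=<IP id> F=0x<fragment word>
#               T=<TTL> [SYN] (#<rule number in chain>)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample input: the first line is the one quoted in the thread; the
# other packet lines are made up here to show a UDP hit and a first fragment (MF set).
SAMPLE_LOG = """\
Jan 26 10:51:46 Trickyd kernel: Packet log: output DENY eth0 PROTO=6 68.104.142.250:61776 192.168.0.1:139 L=48 S=0x00 I=53876 F=0x4000 T=126 SYN (#5)
Jan 26 10:52:01 Trickyd kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.7:137 10.0.0.255:137 L=78 S=0x00 I=1 F=0x0000 T=64 (#3)
Jan 26 10:53:10 Trickyd kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.9:53 10.0.0.7:1025 L=1500 S=0x00 I=4242 F=0x2000 T=55 (#3)
Jan 26 10:53:11 Trickyd kernel: unrelated message that must be skipped
"""


def decode_frag(word: int) -> Tuple[bool, bool, int]:
    """Split the raw 16-bit fragment word into (DF, MF, fragment offset in bytes)."""
    dont_fragment = bool(word & 0x4000)   # bit 14: Don't Fragment
    more_fragments = bool(word & 0x2000)  # bit 13: More Fragments
    offset = (word & 0x1FFF) * 8          # low 13 bits, counted in 8-byte units
    return dont_fragment, more_fragments, offset


def is_fragment(rec: dict) -> bool:
    """True when the logged datagram is one piece of a fragmented packet."""
    return rec["more_fragments"] or rec["frag_offset"] > 0


def parse_packet_log(line: str) -> Optional[dict]:
    """Parse one syslog line; return a typed record, or None if it is not a packet log."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    df, mf, offset = decode_frag(int(m["frag"], 16))
    proto_num = int(m["proto"])
    return {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]), "tos": int(m["tos"], 16),
        "ipid": int(m["ipid"]), "ttl": int(m["ttl"]),
        "dont_fragment": df, "more_fragments": mf, "frag_offset": offset,
        "syn": m["syn"] is not None, "rule": int(m["rule"]),
    }


def parse_log(text: str) -> List[dict]:
    """Parse every packet-log line in a block of syslog text, skipping everything else."""
    return [r for r in (parse_packet_log(ln) for ln in text.splitlines()) if r]


def describe(rec: dict) -> str:
    """One-line plain-English reading of a record, for a quick triage view."""
    what = f"{rec['proto']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
    if rec["syn"]:
        kind = "new TCP connection attempt (SYN)"
    elif is_fragment(rec):
        kind = f"fragment (MF={rec['more_fragments']}, offset {rec['frag_offset']} bytes)"
    else:
        kind = "whole datagram"
    df = ", DF set" if rec["dont_fragment"] else ""
    return (f"{rec['chain']} rule #{rec['rule']} {rec['target']} {what} on "
            f"{rec['iface']}: {kind}{df}, TTL {rec['ttl']}, {rec['length']} bytes")


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(describe(rec))
```

Run over the quoted line, the parser reports a SYN from 68.104.142.250 to 192.168.0.1:139 on the output chain, DF set, 48 bytes, TTL 126. Two things worth noting when triaging such entries: the packet was caught on the *output* chain, so the local host was the one sending it (consistent with a stale 192.168.0.1 entry in smb.conf), and a TTL of 126 is consistent with a sender that started at 128 two hops away, which is a weak hint about the originating system, not proof.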