May this be a hacker attack?
From: "Wizard" <wizard@fakeaddress.com>
Date: Wed, 19 Jun 2002 01:37:47 +0200
Hi everybody.
My Linux firewall has twice logged a port scan from a private-network IP
like 172.16.x.x. What I know is that such an address shouldn't be used on a
public network.
Here is an extract from the firewall's log file:
Jun 1 02:21:06 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=4473 DF PROTO=TCP SPT=119 DPT=1363 WINDOW=8760 RES=0x00 ACK PSH URGP=0
... message repeated 6 times
Jun 1 02:25:37 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=48232 DF PROTO=TCP SPT=119 DPT=1363 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
again:
Jun 18 13:02:31 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=61211 DF PROTO=TCP SPT=119 DPT=1057 WINDOW=8760 RES=0x00 ACK PSH URGP=0
... message repeated 6 times
Jun 18 13:07:00 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=2641 DF PROTO=TCP SPT=119 DPT=1057 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
I checked my Linux box and didn't find any trojan-like processes, nor open
ports or connections. I think my box is safe.
My internal network uses IPs like 192.168.x.x, and I'm the only user at this
site, so I can exclude internal attacks.
With tracepath I can get through the first public node, but the second filters my
traffic.
Here's what I suppose: my provider misconfigured the node I'm connected to,
letting illegal traffic through, while the second node filters correctly.
Someone connected to the same node noticed the bug and is playing hacker,
scanning through the unfiltered node.
Does anyone have an idea of what's going on? Am I reasoning the right way?
Thanks everybody for your suggestions.
Wizard