Re: May this be an hacker attack?
From: russandsandy (russandsandy@no.slimey.spammers.attbi.noteven.com) Date: 06/19/02
From: "russandsandy" <russandsandy@no.slimey.spammers.attbi.noteven.com> Date: Wed, 19 Jun 2002 05:03:16 GMT
I get crap like this from an ISP (covad), go figure.
RT
"Wizard" <wizard@fakeaddress.com> wrote in message
news:aeog8s$2qn$1@fe2.cs.interbusiness.it...
> Hi everybody.
>
> My linux firewall logged two times a port scanning from a private network IP
> like 172.16.x.x. What I know is that that address shouldn't be used in a
> public network.
> Here is an extract from the firewall's log file:
> Jun 1 02:21:06 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=4473 DF PROTO=TCP SPT=119 DPT=1363 WINDOW=8760 RES=0x00 ACK PSH URGP=0
> ... message repeated 6 times
> Jun 1 02:25:37 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=48232 DF PROTO=TCP SPT=119 DPT=1363 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
> again:
> Jun 18 13:02:31 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=61211 DF PROTO=TCP SPT=119 DPT=1057 WINDOW=8760 RES=0x00 ACK PSH URGP=0
> ... message repeated 6 times
> Jun 18 13:07:00 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=<my public IP> LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=2641 DF PROTO=TCP SPT=119 DPT=1057 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
>
> I verified my linux box and didn't find trojan-like processes, nor opened
> ports or connections. I think my box is safe.
> My internal network uses IP like 192.168.x.x, I'm the only user in this
> site, so I can exclude internal attacks.
> With tracepath I can hop the first public node, but the second filters my
> traffic.
> Here's what I suppose: my provider misconfigured the node where I'm
> connected, passing through illegal traffic but the
> second node filters correctly. Someone connected to my same node noticed the
> bug and plays at the hacker, scanning
> through the unfiltered node.
> Someone has an idea of what's going on? Am I arguing in the right way?
>
> Thanks everybody for your suggestions.
>
> Wizard
>
>
>
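An added example, not part of the original thread: a small triage script for netfilter LOG lines like the ones quoted above. It flags packets that arrive on the public interface with an RFC 1918 source address and reports whether each one is a bare SYN (a connection opener) or carries other TCP flags. The function name, the `eth0` default and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the netfilter LOG format quoted above. DST uses a
# documentation address in place of the redacted IP; lines 3-5 are invented.
SAMPLE_LOG = """\
Jun  1 02:21:06 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=203.0.113.10 LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=4473 DF PROTO=TCP SPT=119 DPT=1363 WINDOW=8760 RES=0x00 ACK PSH URGP=0
Jun  1 02:25:37 firewall kernel: from_pub: IN=eth0 OUT= MAC=00:40:c7:95:6c:fa:00:01:c9:2e:f4:54:08:00 SRC=172.16.3.4 DST=203.0.113.10 LEN=92 TOS=0x00 PREC=0x00 TTL=244 ID=48232 DF PROTO=TCP SPT=119 DPT=1363 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
Jun  1 02:30:00 firewall kernel: from_pub: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  1 02:31:00 firewall kernel: from_pub: IN=eth0 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  1 02:32:00 firewall kernel: from_lan: IN=eth1 OUT= SRC=192.168.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Explicit RFC 1918 list: ipaddress.is_private also covers other reserved ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Split a LOG line into KEY=value fields plus the bare TCP flag tokens."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["FLAGS"] = sorted(TCP_FLAGS & set(line.split()))
    return fields


def private_sources_on_public_if(log_text, public_if="eth0"):
    """Return (src, sport, dport, flags, opens_connection) per flagged packet."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") != public_if or f.get("PROTO") != "TCP":
            continue
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            continue  # redacted or malformed address, cannot classify
        if not any(src in net for net in RFC1918):
            continue
        flags = f["FLAGS"]
        opens = "SYN" in flags and "ACK" not in flags
        findings.append((str(src), int(f["SPT"]), int(f["DPT"]), flags, opens))
    return findings


if __name__ == "__main__":
    for finding in private_sources_on_public_if(SAMPLE_LOG):
        print(finding)
```
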