Linux Security Problem



Hi

I am running my laptop - an Acer Ferrari 3400 with Kernel 2.6.xx (various).

I use it both at home and at work (home via a cable router, work via a PIX
firewall).

I seem to be getting pings as follows (/var/log/messages):

Jan 10 09:53:49 ferrari kernel: ICMP_BLOCKIN=eth0 OUT= MAC=00:04:76:48:92:aa:00:0e:83:3e:f4:ae:08:00 SRC=83.28.34.238 DST=192.168.0.43 LEN=56 TOS=0x00 PREC=0x00 TTL=52 ID=26132 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.43 DST=83.28.34.238 LEN=101 TOS=0x00 PREC=0x00 TTL=44 ID=36109 FRAG:64 PROTO=UDP ]
Jan 10 09:54:59 ferrari kernel: ICMP_BLOCKIN=eth0 OUT= MAC=00:04:76:48:92:aa:00:0e:83:3e:f4:ae:08:00 SRC=24.141.72.182 DST=192.168.0.43 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=7423 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.43 DST=192.168.0.102 LEN=101 TOS=0x00 PREC=0x00 TTL=43 ID=3477 DF PROTO=UDP SPT=22467 DPT=18387 LEN=81 ]
Jan 10 09:56:00 ferrari kernel: ICMP_BLOCKIN=eth0 OUT= MAC=00:04:76:48:92:aa:00:0e:83:3e:f4:ae:08:00 SRC=24.141.72.182 DST=192.168.0.43 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=9353 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.43 DST=192.168.0.102 LEN=101 TOS=0x00 PREC=0x00 TTL=43 ID=3484 DF PROTO=UDP SPT=22467 DPT=18387 LEN=81 ]
Jan 10 10:00:40 ferrari kernel: ICMP_BLOCKIN=eth0 OUT= MAC=00:04:76:48:92:aa:00:0e:83:3e:f4:ae:08:00 SRC=83.28.34.238 DST=192.168.0.43 LEN=56 TOS=0x00 PREC=0x00 TTL=52 ID=26590 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.43 DST=83.28.34.238 LEN=101 TOS=0x00 PREC=0x00 TTL=44 ID=54797 FRAG:64 PROTO=UDP ]

Mostly from 83.28.34.238 whether I'm at home or work (even though my IP
address changes between the two locations!!!)

What worries me is the guy is able to ping through the NAT of both my DSL
and PIX Firewall....

I am not running ANY services except occasionally CUPS (but not often) -
not running sshd, telnet, ftp, www or anything.

The only thing I suspect is my (continuously) running Limewire client is
exposing me somehow.

Any attempts to nmap my host result in the scanner receiving a "host seems
down" but this guy seems persistent!!!!

An nmap of 83.28.34.238 shows a lot of services up (some sort of server
running).

How is this guy getting my address and what could be the motives?

Thanks.
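
Added example, not part of the original post: a small parser for the netfilter LOG lines quoted above. It decodes the ICMP TYPE/CODE pair and separates the fields of the packet that arrived from the bracketed header of the earlier datagram that the ICMP message quotes. The function name, result keys and lookup tables are this example's own; the two sample lines are copied from the post.

```python
import re

# ICMP type names and type-3 code names (RFC 792).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed"}
KEY_VALUE = re.compile(r"(\w+)=(\S*)")

# Two of the log lines from the post, copied unchanged.
SAMPLE = [
    "Jan 10 09:53:49 ferrari kernel: ICMP_BLOCKIN=eth0 OUT= MAC=00:04:76:48:92:aa:00:0e:83:3e:f4:ae:08:00 SRC=83.28.34.238 DST=192.168.0.43 LEN=56 TOS=0x00 PREC=0x00 TTL=52 ID=26132 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.43 DST=83.28.34.238 LEN=101 TOS=0x00 PREC=0x00 TTL=44 ID=36109 FRAG:64 PROTO=UDP ]",
    "Jan 10 09:54:59 ferrari kernel: ICMP_BLOCKIN=eth0 OUT= MAC=00:04:76:48:92:aa:00:0e:83:3e:f4:ae:08:00 SRC=24.141.72.182 DST=192.168.0.43 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=7423 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.43 DST=192.168.0.102 LEN=101 TOS=0x00 PREC=0x00 TTL=43 ID=3477 DF PROTO=UDP SPT=22467 DPT=18387 LEN=81 ]",
]

def analyse(line):
    """Decode one netfilter LOG line that reports an ICMP packet.

    Fields before '[' describe the packet that arrived; fields inside
    '[...]' are the header of the earlier datagram the ICMP error quotes.
    """
    quoted = re.search(r"\[(.*)\]", line)
    outer = dict(KEY_VALUE.findall(line[:quoted.start()] if quoted else line))
    inner = dict(KEY_VALUE.findall(quoted.group(1))) if quoted else {}
    if outer.get("PROTO") != "ICMP" or "TYPE" not in outer:
        raise ValueError("not an ICMP log line")
    icmp_type, icmp_code = int(outer["TYPE"]), int(outer.get("CODE", 0))
    name = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        name += " / " + UNREACH_CODES.get(icmp_code, "code %d" % icmp_code)
    return {
        "icmp": name,
        "is_echo": icmp_type in (0, 8),      # True only for ping traffic
        "reporter": outer.get("SRC"),        # host that sent the ICMP message
        "orig_src": inner.get("SRC"),        # sender of the quoted datagram
        "orig_dst": inner.get("DST"),
        "orig_proto": inner.get("PROTO"),
        "orig_dpt": inner.get("DPT"),        # None when the quote has no ports
    }

if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyse(entry))
```

For both sample lines the result is "destination unreachable / port unreachable" with `is_echo` false, and the quoted datagram is UDP with source address 192.168.0.43.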


