Sylog Error Messages

To: debian-user@lists.debian.org
Subject: Sylog Error Messages
From: "debian parisc" <debianparisc@hotmail.com>
Date: Thu, 06 Feb 2003 17:26:22 +0000
Message-id: <[🔎] F11BNMCtpa9NhZXNRYD0000ff0a@hotmail.com>

Friends,

I'm running stable and I have portsentry, firestarter, chkrootkit andlogcheck installed on my machine. Whilst checking my logs I see loads ofthese entries:-

Feb 6 15:05:10 kingston kernel: IN=eth0 OUT= MAC= SRC=100.100.100.100DST=100.100.100.255 LEN=273 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDPSPT=138 DPT=138 LEN=253

as you can see i've changed the ip addresses (to protect the innocent) theinteresting thing is that the SRC address is my ip and the DST appears to bea broadcast address .255 (is that right?). what is it that my machine wantsto broadcast to the network. Also I find loads of these:-

Feb 6 15:30:15 kingston kernel: IN=eth0 OUT=MAC=00:40:7b:6e:61:3b:00:30:94:9c:aa:a8:08:00 SRC=193.38.113.34 DST=<MY IPP>LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=52382 DF PROTO=TCP SPT=43030 DPT=25WINDOW=5840 RES=0x00 SYN URGP=0

How do I interpret this? I believe it is the usual dipstick (idiot) of aportscanner. what do the last few fields mean (window, res, syn urgp)?

Have I been Bill Clinton'd (compromised)?

I've run chkrootkit and it says everything is ok. I have googled and foundsimiliar information but they were against ports 137/138 which is netbios(IIRC). Your guidance is greatfully received.


regards

Leo






_________________________________________________________________

Use MSN Messenger to send music and pics to your friendshttp://messenger.msn.co.uk

Reply to:

Follow-Ups:
- Re: Sylog Error Messages
  - From: Mike Dresser <mdresser_l@windsormachine.com>

Prev by Date: Re: please help on adsl sharing
Next by Date: RE: debian on compaq proliant 800 server
Previous by thread: debian on compaq proliant 800 server
Next by thread: Re: Sylog Error Messages
Index(es):
- Date
- Thread