[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IP fw-in deny eth0 UDP

>> > Oct  6 23:17:50 www kernel: IP fw-in deny eth0 UDP
>> > L=80 S=0x00 I=14054 F=0x0000 T=128
>> Is there DHCP knocking around?  Believe broadcasts
>> used by it.

This is NOT DHCP.
Maybe some attacker, indeed.

> 1) the loopback address is used (before, it was various class C
> IPs)

say: the Source Adress of should never be allowed to come from eth0 should come from Loopback only.

> 2) the ports are 4412 and 47624 (before, they were the BOOTP ports 67 and
> 68)

that's correct. Bootp/dhcp messages all come from these ports and go to these

> 3) the port 4412 is actually incremented, up to 4460, like in a scan
> (before, only the first, class C, IP address changed -- the ports stayed the
> same)

The source port is usually assigned dynamically.
So if it's inkrementing, it's just some process retrying to connect.
He get's assigned the next free port and the number thus inkrements.
as there are usually no services running in this area this inkrements often are
only 1. They do not need to.

So my conclusion is:

It's a message from a forged ip address (or a seriously mißconfigured system)
broadcasting to port 47624

Broadcasts should usually be only intra-net.
Broadcasts from outside ("directed broadcasts") should be blocked by your
internet router. (to prevent abuse of your network for smurf'ing etc.)
Check if this broadcast could come from outside or if it has to come from
inside your network.

I know about no windows trojan running on this port. (German speaking users
might want to have a look at http://www.trojaner-info.de/)

But most trojans could be configured to run on any port you want.
Check the other computers in your network, too!

if you happen to be on the machine when such a broadcast comes, try to watch
for unsual traffic in your network with tcpdump (for example packets not coming
to/from port 80 and not intra-network)

Gruß,  Erich

Reply to: