
Firewall log with port 65535 question



Hello all,

I have a Debian / Woody firewall at home and have been getting
the following log reports for a few days.

-- configuration --
external interface is 206.230.232.xxx on eth1 and
internal interface is 192.168.1.1 on eth0 with my 
DSL service. (I now know, this is backwards :-)

I am running up-to-date woody with snort, logcheck and portscan packages. 
Also pmfirewall for my firewall.

Logcheck is finding this on eth0, my internal net, which is just 2 Win98 
machines.

-- begin logcheck --

Security Violations
=-=-=-=-=-=-=-=-=-=
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=7424 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=7936 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=8448 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=8960 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=9472 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:44 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=9728 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=10240 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=10496 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=11264 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=11520 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=11776 F=0x0000 T=1 O=0x00000494
(#39)

-- end logcheck --

I am trying to understand where the 4.0.0.3 is coming from on my eth0, and
where 227.37.32.1,2,3,4,5,6 are; again, this is all on my eth0 running
192.168.1.x networking.

I have found a reference to an old trojan called BackDoor-J using port 65535,
but I find no traces of this trojan on either Win98 box. I am using the current
dat file of 4.x McAfee and have searched the registry for the following.

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
"SystemDLL32"=SYSTEMPATCH.EXE"

Where else might these log entries be coming from on my internal net?

What should I do to try to find which Win98 box is the culprit?


Thanks,
Bill
CREAM  "Dark Angel"
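As an added example (not part of Bill's post, nor code from ipchains, logcheck or pmfirewall), here is a small Python parser for the ipchains "Packet log" lines quoted above. It decodes the fields the kernel prints and flags the properties a defender would check first: the IP protocol number, whether the destination lies in the multicast range, the TTL, and the first four option bytes. The field layout and the little-endian reading of the O= word are assumptions about the ipchains log format on an x86 firewall.

```python
import ipaddress
import re
import struct

# Layout assumed from the ipchains "Packet log" format:
# chain target iface PROTO= src:sport dst:dport L= S= I= F= T= [O=] (#rule)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?: O=0x(?P<opts>[0-9A-Fa-f]+))? \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
NO_PORT = 65535           # ipchains prints 65535 in both port slots for port-less protocols
ROUTER_ALERT_TYPE = 0x94  # IP option 148 (RFC 2113), always length 4

# One entry from the logcheck report in the post, re-joined onto a single line.
SAMPLE = ("Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 "
          "4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 "
          "O=0x00000494 (#39)")


def parse_ipchains_log(line):
    """Decode one ipchains Packet log line into typed fields; None if no match."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]), "dport": int(d["dport"]),
        "length": int(d["length"]), "tos": int(d["tos"], 16),
        "ipid": int(d["ipid"]), "frag": int(d["frag"], 16), "ttl": int(d["ttl"]),
        "opts": int(d["opts"], 16) if d["opts"] else None, "rule": int(d["rule"]),
    }


def classify(entry):
    """Turn the raw numbers into the properties a defender checks first."""
    # O= is the first four option bytes read as one native word; assuming an
    # x86 (little-endian) firewall, unpack them back into wire order.
    opt_bytes = struct.pack("<I", entry["opts"]) if entry["opts"] is not None else b""
    return {
        "proto_name": PROTO_NAMES.get(entry["proto"], "proto %d" % entry["proto"]),
        "portless": entry["sport"] == NO_PORT and entry["dport"] == NO_PORT,
        "dst_multicast": ipaddress.ip_address(entry["dst"]).is_multicast,
        "link_local_ttl": entry["ttl"] == 1,  # TTL 1 cannot cross a router
        "router_alert": opt_bytes[:2] == bytes([ROUTER_ALERT_TYPE, 4]),
    }
```

Running `classify(parse_ipchains_log(SAMPLE))` on the quoted entry reports an IGMP packet, no real ports, a multicast destination, TTL 1 and the router-alert option; the remaining entries differ only in destination and IP ID.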


