Firewall log with port 65535 question
Hello all,
I have a Debian / Woody firewall at home and have been getting
the following log reports for a few days.
-- configuration --
external interface is 206.230.232.xxx on eth1 and
internal interface is 192.168.1.1 on eth0 with my
DSL service. (I now know, this is backwards :-)
I am running up-to-date woody with snort, logcheck and portscan packages.
Also pmfirewall for my firewall.
Logcheck is finding this on eth0, my internal net, which is just 2 Win98
machines.
-- begin logcheck --
Security Violations
=-=-=-=-=-=-=-=-=-=
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=7424 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=7936 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=8448 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=8960 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=9472 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:44 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=9728 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=10240 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=10496 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=11264 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=11520 F=0x0000 T=1 O=0x00000494
(#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=11776 F=0x0000 T=1 O=0x00000494
(#39)
-- end logcheck --
I am trying to understand where the 4.0.0.3 is coming from on my eth0, and
where 227.37.32.1,2,3,4,5,6 are at; again, this is all on my eth0 running
192.168.1.x networking.
I have found a reference to an old trojan called BackDoor-J using port 65535,
but I find no traces of this trojan on either Win98 box. I am using the current
DAT file of 4.x McAfee and have searched the registry for the following:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SystemDLL32"="SYSTEMPATCH.EXE"
Where else might these log entries be coming from on my internal net?
What should I do to try to find which Win98 box is the culprit?
Thanks,
Bill
CREAM "Dark Angel"
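Added example, not part of the post above: a short Python script that parses ipchains "Packet log:" lines of the kind logcheck reported and decodes the header fields, so the reader can see what PROTO=2, a 227.x destination, the 65535 "ports" and T=1 say about a packet before hunting for a trojan on the Win98 boxes. The regex, the small protocol-number table and the two re-joined sample lines are constructed here for the example.

```python
import re
from ipaddress import ip_address

# Field layout of an ipchains "Packet log:" line, as in the post's logcheck output.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) "
    r"O=0x(?P<opts>[0-9a-fA-F]+)(?: \(#(?P<rule>\d+)\))?")

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[k] = int(rec[k])
    rec["opts"] = int(rec["opts"], 16)
    return rec

def classify(rec):
    """Explain what the IP header fields say about the denied packet."""
    notes = [PROTO_NAMES.get(rec["proto"], "protocol %d" % rec["proto"])]
    if rec["proto"] not in (1, 6, 17):
        # ipchains only knows ports for TCP/UDP (type:code for ICMP); 65535 is its filler.
        notes.append("no real ports")
    if ip_address(rec["dst"]).is_multicast:
        notes.append("multicast destination (224.0.0.0/4)")
    if rec["ttl"] == 1:
        notes.append("TTL=1, will not be forwarded by a router")
    if rec["opts"]:
        notes.append("IP options present")
    return notes

# Two of the post's logcheck lines, re-joined onto single lines (constructed sample).
SAMPLE = [
    "Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 "
    "4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494 (#39)",
    "Oct 31 19:48:44 reboots kernel: Packet log: input DENY eth0 PROTO=2 "
    "4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=9728 F=0x0000 T=1 O=0x00000494 (#39)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_line(line)
        print(rec["src"], "->", rec["dst"], "|", ", ".join(classify(rec)))
```

Feeding the real /var/log/messages through parse_line and grouping by (proto, dst) shows whether the entries are all of this one kind or whether TCP/UDP traffic to port 65535 is also present.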