Re: Firewall log with port 65535 question

To: debian-firewall <debian-firewall@lists.debian.org>
Subject: Re: Firewall log with port 65535 question
From: Jörn Engel <joern@wohnheim.fh-wedel.de>
Date: Wed, 1 Nov 2000 11:08:08 +0100
Message-id: <[🔎] 20001101110808.A19908@wohnheim.fh-wedel.de>
In-reply-to: <973057112.39ffac586653e@whbell.ia.net>; from whbell@ia.net on Tue, Oct 31, 2000 at 11:38:32PM -0600
References: <973057112.39ffac586653e@whbell.ia.net>

Hi!

> -- configuration --
> external interface is 206.230.232.xxx on eth1 and
> internal interface is 192.168.1.1 on eth0 with my 
> [...]
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494
> (#39)
> [...]

Nice! Well, whatever does this is trying to connect from the inside to one
of six machines on the outside, none of them have a DNS-Entry.
The source address ist forged, the destinations might be other infected
machines. Since the source is forged, any reply will go to the forged
source, so that computer might also be infected.

Now what to do?
You can/should consult the whois database (at internic e.g.) and inform the
owner of those IPs - just a courtesy.
You can/should also remove the cause from your machine(s) - in the case of
windows, a new installation is the easiest method to do this.

-- 
Jörn Engel
mailto: joern@wohnheim.fh-wedel.de
http://wohnheim.fh-wedel.de/~joern

Reply to:

Next by Date: Re: Firewall log with port 65535 question
Next by thread: Re: Firewall log with port 65535 question
Index(es):
- Date
- Thread