
Re: Firewall log with port 65535 question



Hi

On Tue, Oct 31, 2000 at 11:38:32PM -0600, Bill Bell wrote:
> Hello all,
> 
> I have a Debian / Woody firewall at home and have been
> getting the following log reports for a few days.
> 
> -- configuration --
> external interface is 206.230.232.xxx on eth1 and
> internal interface is 192.168.1.1 on eth0 with my 
> DSL service. (I now know, this is backwards :-)

It does not matter which interface you use for which network.

> I am running up-to-date woody with snort, logcheck and
> portscan packages.  Also pmfirewall for my firewall.
> 
> Logcheck is finding this on eth0, my internal net, which is
> just 2 Win98 machines.
> 
> -- begin logcheck --
> 
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494
> (#39)
[snip]
> 
> -- end logcheck --
> 
> I am trying to understand where the 4.0.0.3 is coming from on
> my eth0, and where 227.37.32.1,2,3,4,5,6 are at, again this is
> all on my eth0 running 192.168.1.x networking.

As has already been noted, the 4.0.0.3 IP address is probably
spoofed.

> I have found a reference to an old trojan called BackDoor-J
> using port 65535, but I find no traces of this trojan on
> either Win98 box. I am using current dat file of 4.x McAfee
> and have searched the registry for the following.
> 
> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
> "SystemDLL32"=SYSTEMPATCH.EXE"

Well, anything can try to communicate on any port it wants to,
so, since you did not find any evidence of that BackDoor-J
trojan, it's probably something else.

> Where else might these log entries be coming from on my
> internal net?

If you only have two Windows boxes on the internal net, it must
be one of them.  :)

> What should I do to try to find which Win98 box is the culprit?

Well, if you get a lot of those messages, you could try pulling
the network cable out of one of the Windows boxes at a time to
see if the messages stop.  This won't prove that the box isn't
infected, but it will give you an idea.

If you really want to be sure, though, you should probably
re-install both machines.  Of course, it would be nice if you
could figure out how it happened so you can try to prevent it
happening again.

I don't know if this would help, but you could try running the
following commands on the Windows boxes to see if they give you
any useful information:
	C:\> netstat -an >netstat.txt
	C:\> route print >route.txt
	C:\> winipcfg

Hope this helps.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
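Added example, not part of the thread or of any of the tools mentioned in it: a small Python triage script for ipchains "Packet log:" lines of the kind quoted above. It decodes the PROTO number (2 is IGMP, so the 65535 "ports" on those entries are not real ports), checks whether the source address belongs on the interface the packet arrived on (the spoofing question raised in the reply: on the internal interface the source must be in 192.168.1.0/24, on the external one it must not be private), flags multicast destinations and TTL 1, and counts repeats per interface, protocol and source so you can see whether all the entries come from one sender. The sample log lines are constructed from the quoted entry, the interface-to-network mapping comes from the configuration quoted above, and the external addresses in the samples are placeholders.

```python
"""Triage ipchains "Packet log:" lines of the kind quoted in this thread.

For each entry: decode the protocol number, check the source address against
the interface it arrived on, flag multicast destinations and TTL 1, and count
repeats so a persistent sender stands out.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input.  The first two lines follow the entry quoted in
# the thread (same field layout); the other two are TCP entries added for
# contrast, with placeholder external addresses.  None are real captures.
SAMPLE_LOG = """\
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:49:02 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=6913 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:50:11 reboots kernel: Packet log: input DENY eth1 PROTO=6 10.0.0.5:4321 206.230.232.1:139 L=48 S=0x00 I=4711 F=0x4000 T=113 (#12)
Oct 31 19:50:15 reboots kernel: Packet log: input DENY eth1 PROTO=6 64.12.3.4:3421 206.230.232.1:139 L=48 S=0x00 I=4712 F=0x4000 T=113 (#12)
Oct 31 19:50:16 reboots kernel: something unrelated
"""

# ipchains field order: chain verdict iface PROTO=n src:sport dst:dport
# L=len S=tos I=id F=frag T=ttl [O=opts] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) .*?\bT=(?P<ttl>\d+)"
)

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Internal interfaces and the only network that may source packets on them
# (from the configuration quoted in the thread).  Anything not listed here
# is treated as an external interface.
INTERNAL = {"eth0": ipaddress.ip_network("192.168.1.0/24")}


def parse_line(line):
    """Decode one log line; return a dict of fields and findings, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    proto = int(f["proto"])
    src = ipaddress.ip_address(f["src"])
    dst = ipaddress.ip_address(f["dst"])
    ttl = int(f["ttl"])
    iface = f["iface"]

    findings = []
    # Anti-spoofing check: wrong network for the interface it came in on.
    if iface in INTERNAL and src not in INTERNAL[iface]:
        findings.append("source %s is not in the %s network %s"
                        % (src, iface, INTERNAL[iface]))
    elif iface not in INTERNAL and (src.is_private or src.is_loopback):
        findings.append("private/loopback source %s arriving on external %s"
                        % (src, iface))
    if dst.is_multicast:
        findings.append("destination %s is a multicast group" % dst)
    if proto == 1:
        findings.append("ICMP: the :%s/:%s fields are type and code, not ports"
                        % (f["sport"], f["dport"]))
    elif proto not in (6, 17):
        findings.append("protocol %d has no ports; the :%s fields are placeholders"
                        % (proto, f["sport"]))
    if ttl == 1:
        findings.append("TTL 1: the packet cannot be forwarded beyond this host")

    return {
        "iface": iface,
        "verdict": f["verdict"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": str(src),
        "dst": str(dst),
        "ttl": ttl,
        "findings": findings,
    }


def triage(log_text):
    """Parse all lines; return the entries and a Counter of (iface, proto, src)."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    counts = Counter((e["iface"], e["proto"], e["src"]) for e in entries)
    return entries, counts


if __name__ == "__main__":
    entries, counts = triage(SAMPLE_LOG)
    for e in entries:
        print("%s %s %s %s -> %s ttl=%d" % (e["iface"], e["verdict"], e["proto"],
                                            e["src"], e["dst"], e["ttl"]))
        for note in e["findings"]:
            print("    " + note)
    print("\nrepeat senders (iface, proto, src):")
    for key, n in counts.most_common():
        print("  %-4s %-4s %-15s %d" % (key + (n,)))
```

Feed it the relevant lines from /var/log/messages (or the logcheck mail) and look at the counts first: if every flagged entry shares one interface, protocol and source, the cable-pulling test in the reply above only has to find which host that one sender is. Adjust INTERNAL to your own interface layout before trusting the spoofing findings.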
