
Re: Firewall log with port 65535 question



On Tue, 31 Oct 2000, Bill Bell wrote:

If anyone would spend some time on this "PROTO=2" thing,
they would realize this is just IGMP, which means the port number
has next to NO meaning.
That you get these packets means that your provider is just too stupid
to configure his router not to forward such packets to you.

yours

  christian bahls
  networking department
  www.it-netservice.de
  Leipzig, Germany

> Hello all,
> 
> I have a Debian / Woody firewall at home and have been getting
> the following log reports for a few days.
> 
> -- configuration --
> external interface is 206.230.232.xxx on eth1 and
> internal interface is 192.168.1.1 on eth0 with my 
> DSL service. (I now know, this is backwards :-)
> 
> I am running up-to-date woody with snort, logcheck and portscan packages. 
> Also pmfirewall for my firewall.
> 
> Logcheck is finding this on eth0, my internal net, which is just 2 Win98 
> machines.
> 
> -- begin logcheck --
> 
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=7424 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=7936 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=8448 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=8960 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=9472 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:44 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=9728 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=10240 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=10496 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=11264 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=11520 F=0x0000 T=1 O=0x00000494
> (#39)
> Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2
> 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=11776 F=0x0000 T=1 O=0x00000494
> (#39)
> 
> -- end logcheck --
> 
> I am trying to understand where the 4.0.0.3 is coming from on my eth0, and 
> where 227.37.32.1,2,3,4,5,6 are at, again this is all on my eth0 running
> 192.168.1.x networking.
> 
> I have found a reference to an old trojan called BackDoor-J using port 65535, 
> but I find no traces of this trojan on either Win98 box. I am using current 
> dat file of 4.x McAfee and have searched the registry for the following.
> 
> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
> "SystemDLL32"=SYSTEMPATCH.EXE"
> 
> Where else might these log entries be coming from on my internal net?
> 
> What should I do to try to find which Win98 box is the culprit?
> 
> 
> Thanks,
> Bill
> CREAM  "Dark Angel"
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
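As an added example (not code from either poster), here is a small Python parser that reads ipchains "Packet log" lines like the ones quoted above and spells out why the PROTO=2, :65535 and 227.x.x.x entries are IGMP group signalling rather than a port-65535 trojan. The three IGMP lines are taken from the post and re-joined onto single lines where the mailer wrapped them; the TCP line is constructed with RFC 5737 test addresses purely for contrast. Decoding the O= field assumes the 2.2 kernel printed the first IP option word as a host-order integer on a little-endian machine, which is consistent with L=32 on these packets.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample ipchains "Packet log" lines. The three PROTO=2 lines are the ones
# quoted in the post, re-joined onto one line each; the PROTO=6 line is
# constructed here (RFC 5737 test addresses) to show a port-bearing packet.
SAMPLE_LOG = """\
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=7424 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=11776 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:50:01 reboots kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:4321 192.0.2.10:23 L=60 S=0x00 I=5 F=0x4000 T=51 SYN (#12)
"""

# 2.2-kernel ipchains line layout: chain verdict iface PROTO=n src:sport
# dst:dport L=len S=tos I=id F=frag T=ttl [O=opts] [TCP flags] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
    r"(?: O=0x(?P<opts>[0-9a-fA-F]+))?"
    r"(?: (?P<flags>[A-Z]+(?: [A-Z]+)*))?"
    r" \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
PORTLESS = {1, 2}   # no transport port field; ipchains fills the slot anyway
ROUTER_ALERT = 148  # IP option type from RFC 2113, carried by IGMPv2 messages


@dataclass
class Entry:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    opts: Optional[bytes]
    flags: str


def first_option_word(opts_hex: Optional[str]) -> Optional[bytes]:
    """O= is the 32-bit word after the 20-byte header, printed as one
    host-order integer. Assumption: the logging box was little-endian (x86),
    so 0x00000494 is the wire byte sequence 94 04 00 00."""
    if opts_hex is None:
        return None
    return struct.pack("<I", int(opts_hex, 16))


def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Entry(proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                 dst=m["dst"], dport=int(m["dport"]), length=int(m["length"]),
                 ttl=int(m["ttl"]), opts=first_option_word(m["opts"]),
                 flags=m["flags"] or "")


def explain(e: Entry) -> List[str]:
    """Return the observations a reviewer would want for one log line."""
    notes = []
    name = PROTO_NAMES.get(e.proto, f"protocol {e.proto}")
    if e.proto in PORTLESS:
        notes.append(f"{name} has no ports: ':{e.dport}' is a placeholder, "
                     "not a service and not a trojan listening port")
    if ipaddress.ip_address(e.dst).is_multicast:
        notes.append(f"{e.dst} is a multicast group (224.0.0.0/4), "
                     "not an address configured on any LAN host")
    if e.proto == 2 and e.ttl == 1:
        notes.append("TTL=1 is what IGMP uses (RFC 2236); the sender is on "
                     "the same link, the packet was not routed in")
    if e.opts and e.opts[0] == ROUTER_ALERT and e.opts[1] == 4:
        notes.append("O= decodes to the Router Alert option (RFC 2113); "
                     f"L={e.length} = 20 header + 4 option + {e.length - 24} IGMP bytes")
    return notes


def summarize(log: str) -> Dict[str, List[str]]:
    """Group destinations per source, so a walk over 227.37.32.1-6 reads as
    one sender addressing a block of groups rather than six separate events."""
    groups: Dict[str, set] = {}
    for line in log.splitlines():
        e = parse_line(line)
        if e is not None:
            groups.setdefault(e.src, set()).add(e.dst)
    return {src: sorted(d, key=ipaddress.ip_address) for src, d in groups.items()}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        print(f"{entry.src}:{entry.sport} -> {entry.dst}:{entry.dport}", *explain(entry), sep="\n    ")
    print(summarize(SAMPLE_LOG))
```

To find out whether anything on the internal segment itself is sending IGMP, rather than reading the firewall's denied-packet log, watch the interface directly with `tcpdump -ni eth0 igmp`: a Win98 box joining a group would appear as a membership report from its own 192.168.1.x address, while packets from 4.0.0.3 with TTL 1 can only come from a device on that link.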
