
Re: Help understanding logs



On Thu, Aug 22, 2002 at 05:15:24AM +0300, irvine@vuosaari.hai.fi wrote:
> 
> Hello
> 
> I have a fairly simple firewall on my workstation - I include the main part of it below.
> 
> I noticed the following in my logs and was wondering if anyone could help me understand it.
> 
>  Aug 19 01:38:34 candy kernel: rejects !IN=eth0 OUT= MAC=00:e0:7d:b1:52:bd:00:b0:c2:8d:c7:5a:08:00 SRC=62.179.136.1 DST=62.71.40.14 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=41222 PROTO=ICMP TYPE=3 CODE=2 [SRC=62.71.40.14 DST=62.179.136.1 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=766 DF PROTO=TCP SPT=3072 DPT=0 WINDOW=0 RES=0x34 URG ACK RST FIN URGP=0 ] 

It looks like someone was scanning 62.179.136.1 and spoofed your source
address. ICMP error messages, such as this one, include the header
information of the packet that triggered the error, which is what you
see in the brackets. The fact that it fell through your --state
ESTABLISHED,RELATED rule is a pretty good indication that it didn't
originate from your computer. I'm sure you'll get stranger packets than
that in the future too; I certainly do :)

Notice the enclosed packet has a destination port of 0, which is not
legal, and some weird TCP flags set (URG ACK RST FIN). This might be an
attempt to crash the recipient, or to determine its operating system
maybe. See http://www.iss.net/security_center/advice/Exploits/Ports/0/default.htm

http://www.iss.net/security_center/advice/ is a very useful site, BTW.

  Jason
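
The reasoning in the reply above (the bracketed part of the LOG line is the header of the packet that triggered the ICMP error, and that quoted header is implausible as anything a normal TCP stack on the workstation would have sent) can be turned into a small triage script. The following is an added example, not code from either poster: it splits a netfilter LOG entry into the outer ICMP packet and the quoted inner header, names the ICMP destination-unreachable code, and flags the properties Jason points out (destination port 0, RST combined with FIN) plus the nonzero reserved bits (RES=0x34) that the line also shows. The first sample line is the one from the original post; the second is a constructed, ordinary "port unreachable" for a DNS query, reusing the same addresses for contrast. The script cannot consult the connection tracking table, so "implausible as own traffic" is a heuristic, not the conntrack verdict the ESTABLISHED,RELATED rule gives.

```python
import re

# Constructed sample input: line 1 is the entry from the post above, line 2 is
# a constructed, benign "port unreachable" answering a DNS query the
# workstation really sent (same addresses reused for contrast).
LOG_LINES = [
    "Aug 19 01:38:34 candy kernel: rejects !IN=eth0 OUT= "
    "MAC=00:e0:7d:b1:52:bd:00:b0:c2:8d:c7:5a:08:00 SRC=62.179.136.1 DST=62.71.40.14 "
    "LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=41222 PROTO=ICMP TYPE=3 CODE=2 "
    "[SRC=62.71.40.14 DST=62.179.136.1 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=766 DF "
    "PROTO=TCP SPT=3072 DPT=0 WINDOW=0 RES=0x34 URG ACK RST FIN URGP=0 ] ",
    "Aug 19 02:00:00 candy kernel: rejects !IN=eth0 OUT= "
    "MAC=00:e0:7d:b1:52:bd:00:b0:c2:8d:c7:5a:08:00 SRC=62.179.136.1 DST=62.71.40.14 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=51 ID=9001 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=62.71.40.14 DST=62.179.136.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF "
    "PROTO=UDP SPT=1025 DPT=53 LEN=8 ] ",
]

# TCP flag names as netfilter prints them (bare tokens after RES=)
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN", "CWR", "ECE"}

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
    9: "net administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_fields(text):
    """Split a run of netfilter 'KEY=VALUE' tokens; bare tokens (DF, ACK, ...) are flags."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags


def parse_log_line(line):
    """Return (outer_fields, outer_flags, inner_fields, inner_flags).

    For an ICMP error, netfilter prints the header of the packet that
    triggered the error inside [ ... ]; that is the 'inner' part.
    """
    m = re.search(r"kernel:\s*(.*?)(IN=.*)$", line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    body = m.group(2)
    outer_text, _, rest = body.partition("[")
    inner_text = rest.partition("]")[0]
    outer_fields, outer_flags = parse_fields(outer_text)
    inner_fields, inner_flags = parse_fields(inner_text) if inner_text else ({}, set())
    return outer_fields, outer_flags, inner_fields, inner_flags


def analyse(line):
    """Classify one LOG line and list why the quoted packet could not be ours."""
    outer, _, inner, inner_flags = parse_log_line(line)
    result = {"icmp": None, "code_name": None, "anomalies": [],
              "implausible_as_own_traffic": False}
    if outer.get("PROTO") != "ICMP" or "TYPE" not in outer:
        return result
    icmp_type, icmp_code = int(outer["TYPE"]), int(outer["CODE"])
    result["icmp"] = (icmp_type, icmp_code)
    if icmp_type == 3:
        result["code_name"] = UNREACH_CODES.get(icmp_code, "code %d" % icmp_code)
    if not inner:
        return result
    anomalies = result["anomalies"]
    # A well-formed error quotes a packet addressed from us (outer DST) to the
    # host that complained (outer SRC); anything else is malformed.
    if inner.get("SRC") != outer.get("DST") or inner.get("DST") != outer.get("SRC"):
        anomalies.append("quoted header does not pair with the outer addresses")
    if inner.get("PROTO") == "TCP":
        tcp = inner_flags & TCP_FLAGS
        if inner.get("DPT") == "0" or inner.get("SPT") == "0":
            anomalies.append("TCP port 0 is not a legal destination or source port")
        if int(inner.get("RES", "0x0"), 16) != 0:
            anomalies.append("reserved TCP header bits set (RES=%s)" % inner["RES"])
        if "RST" in tcp and tcp & {"SYN", "FIN"}:
            anomalies.append("RST combined with %s" % "/".join(sorted(tcp & {"SYN", "FIN"})))
        if {"SYN", "FIN"} <= tcp:
            anomalies.append("SYN and FIN set together")
        if not tcp:
            anomalies.append("no TCP flags set (null packet)")
    # No normal stack emits such a packet, so either the address was spoofed
    # or something on the host crafted it; conntrack decides which.
    result["implausible_as_own_traffic"] = bool(anomalies)
    return result


if __name__ == "__main__":
    for line in LOG_LINES:
        r = analyse(line)
        verdict = "implausible as own traffic" if r["implausible_as_own_traffic"] else "plausible"
        print("ICMP type/code %s (%s): %s" % (r["icmp"], r["code_name"], verdict))
        for a in r["anomalies"]:
            print("   -", a)
```

Run against the two sample lines, the post's entry comes out as ICMP 3/2 (protocol unreachable) with three anomalies, while the constructed DNS-related entry is 3/3 (port unreachable) with none; the address pairing check is there so that a log line whose quoted header does not even refer to the workstation is flagged as malformed rather than silently accepted.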
