Re:
Seems like a normal port scan, like the one ShieldsUP does...
On 08 Apr 2003 11:52:50 +0100
Ricardo Sousa <rjsousa@softhome.net> wrote:
> Hi. I'm getting some alerts in my log files, and I'm getting worried.
> The logs are something like this:
>
> In /var/log/syslog, I'm getting this:
>
> Apr 8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz
> SRC=y.y.y.y DST=x.x.x.x. LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=5462 DF
> PROTO=TCP SPT=2276 DPT=6001 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Apr 8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz
> SRC=y.y.y.y DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=5465 DF
> PROTO=TCP SPT=2279 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Apr 8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz
> SRC=y.y.y.y DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=5466 DF
> PROTO=TCP SPT=2280 DPT=20034 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Apr 8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz
> SRC=y.y.y.y DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=5468 DF
> PROTO=TCP SPT=2282 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
>
> It seems that my firewall is blocking some scans =), but then in my
> /var/log/auth.log I get this:
>
> Apr 8 01:08:37 zeus sshd[9972]: warning: /etc/hosts.deny, line 15:
> can't verify hostname: gethostbyname(ip.domain.pt) failed
> Apr 8 01:08:37 zeus sshd[9972]: refused connect from 212.113.170.192
> Apr 8 01:09:06 zeus sshd[1600]: warning: /etc/hosts.deny, line 15:
> can't verify hostname: gethostbyname(ip.domain.pt) failed
> Apr 8 01:09:06 zeus sshd[1600]: refused connect from 212.113.170.192
>
> Well, what is this attack (I think that I can call it that) trying to
> do?
> Thanks in advance,
> Ricardo
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
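
One way to check the port-scan reading against the firewall log, as an added example that is not part of the original messages: group the denied TCP SYNs by source and flag any source that probes several different destination ports within a short window. The `DENIED PORT:` prefix and field layout follow the excerpt above; the sample addresses, the four-port threshold, the 60-second window and the year (syslog omits it) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the syslog excerpt above, one entry per
# line as syslog writes it; addresses are documentation-range placeholders.
SAMPLE = """\
Apr  8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=122 ID=5462 DF PROTO=TCP SPT=2276 DPT=6001 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=122 ID=5465 DF PROTO=TCP SPT=2279 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 01:01:37 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=122 ID=5466 DF PROTO=TCP SPT=2280 DPT=20034 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 01:01:38 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=122 ID=5468 DF PROTO=TCP SPT=2282 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 01:05:10 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=60 ID=101 DF PROTO=TCP SPT=4000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 01:05:13 zeus kernel: DENIED PORT:IN=eth1 OUT= MAC=xyz SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=60 ID=102 DF PROTO=TCP SPT=4000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 01:08:37 zeus sshd[9972]: refused connect from 192.0.2.44
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DENIED PORT:(.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags (DF, SYN) have no '='


def find_scanners(text, min_ports=4, window=timedelta(seconds=60), year=2003):
    """Return {source: sorted ports} for sources that sent denied SYNs to at
    least min_ports distinct destination ports within one time window."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a firewall entry (e.g. the sshd line)
        rest = m.group(2)
        f = dict(FIELD.findall(rest))
        if f.get("PROTO") != "TCP" or "SYN" not in rest.split():
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits[f.get("SRC")].append((ts, int(f["DPT"])))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct ports probed in the window opening at this event
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE).items():
        print(f"{src}: probed {len(ports)} ports {ports}")
```

A source that retries a single port, like the second address in the sample, is not flagged, which separates a repeated connection attempt from a sweep across ports.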