Re: Tracking down IP's
On Sun, Dec 31, 2000 at 04:18:30PM -0600, Richard Cobbe wrote:
> JD Kitch <adahma@gmx.net> wrote:
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
> > Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
> > Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
> > Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127 (#43)
> > Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127 (#43)
> > Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127 (#43)
> >
> > I've been unable to track it down. I've had pages and pages of this
> > every hour since early yesterday, always coming from the same IP, to
> > the same port.
>
> (It's still useful, of course, if you get unexplained crud from an input
> chain.)
>
> You're not getting scanned, JD. You're actually trying to *send* a packet
> to 172.16.72.113, port 161/udp (SNMP), from IP xx.xx.xx.xx, port 61662/udp.
> Your firewall rules don't allow this traffic to leave your machine. (If
> xx.xx.xx.xx isn't your IP, then you're forwarding it instead---I think. I
> can't check that, since I've only got the one machine.)
Correct, the IP I blocked out was actually my own.
> Now, find out *who's* sending this traffic. Make sure you've got the
> lsof-2.2 package installed. As root, run
>
> lsof | grep 61662 | grep -i udp
I do have that package, but this command turned up no output.
> The first and second fields are the name and pid, respectively, of the
> program(s) which have this socket open. The next step depends on what you
> find there. If you're actually trying to run an SNMP manager, then it
> looks like you've misconfigured it. Otherwise, you'll need to revisit your
> firewall rules to allow outgoing traffic to the SNMP agents you're trying
> to administer. If you're *not* trying to run SNMP, then you may have a
> fairly serious problem---somebody may have managed to get onto your system
> and run a process that probably shouldn't be there.
>
> I'm a little surprised by the fact that you're trying to send from 61662; I
> thought that was a port in the range reserved by the kernel for IP
> masquerading. I could be wrong, though, so I wouldn't worry about that too
> much.
Just yesterday I got another machine connected to this one via a
second nic, and I have a windows machine attched that I'm
masquerading for, but that is not the IP i configured that machine
to be. I'm certainly not knowingly running anything for SNMP, hell,
I don't even know what it is. :P Any ideas, what I might be running
that would cause this?
> Also, I *think* I've figured out what the (#43) means. I'm fairly, but not
> completely, certain that this is the index number of the ruleset in the
> named chain (here, output) which caused the packet to be blocked. This may
> be helpful in rewriting your firewall rules. (I do wish that ipchain's log
> output format was documented better.)
>
> Sorry for the misinformation,
Not a problem, I'll take any information at this point. ;)
TIA,
jdk
Reply to: