
Re: Tracking down IP's



On Sun, Dec 31, 2000 at 05:25:54PM -0600, Richard Cobbe wrote:
> JD Kitch <adahma@gmx.net> wrote:
> > Can anyone tell me what this person is looking for here, and how I
> > can find out where this is coming from?
> > 
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
> > Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
> > Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
> > Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127 (#43)
> > Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127 (#43)
> > Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127 (#43)
> 
> You're not getting scanned, JD.  You're actually trying to *send* a packet
> to 172.16.72.113, port 161/udp (SNMP), from IP xx.xx.xx.xx, port 61662/udp.
> Your firewall rules don't allow this traffic to leave your machine.  (If
> xx.xx.xx.xx isn't your IP, then you're forwarding it instead---I think.  I
> can't check that, since I've only got the one machine.)


> Also, I *think* I've figured out what the (#43) means.  I'm fairly, but not
> completely, certain that this is the index number of the ruleset in the
> named chain (here, output) which caused the packet to be blocked.  This may
> be helpful in rewriting your firewall rules.  (I do wish that ipchain's log
> output format was documented better.)

i've got something quite similar to this, but mine's on INPUT--

Jan  2 01:18:48 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=8964 F=0x0000 T=128 (#9)
Jan  2 01:18:51 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=9220 F=0x0000 T=128 (#9)
Jan  2 01:20:07 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=33028 F=0x0000 T=128 (#9)
Jan  2 01:20:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34308 F=0x0000 T=128 (#9)
Jan  2 01:20:13 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34564 F=0x0000 T=128 (#9)

using the "#9 = number within ruleset" theory,
and with ruleset as follows:

# ipchains -nL
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8          0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.0.0/24       0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
DENY       all  ----l-  192.168.1.0/24       0.0.0.0/0             n/a
DENY       all  ----l-  192.168.1.0/24       0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0            208.33.90.85          n/a
ACCEPT     all  ------  0.0.0.0/0            208.33.90.255         n/a
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a

then it seems to be the final (default) ruleset that's doing the
logging. but where's this request coming FROM? from what i
gather, the 172.*.*.* is a private net block, and 224.*.*.* is a
broadcast net block...

my intranet has two macs and even a skanky ol' windo~1 box
attached to the masquerading debian server. what's up with this?

-- 
See, if you were allowed to keep the money, you wouldn't
create jobs with it. You'd throw it in the bushes or
something.  But the government will spend it, thereby
creating jobs.      -- Dave Barry

will@serensoft.com    ***    http://www.dontUthink.com/

volunteer to document your experience for next week's
newbies -- http://www.eGroups.com/messages/newbieDoc


