mysterious ipchains deny from 192.168.*.* ??
here's a logcheck message i got recently, where ipchains is
logging certain unwelcome hits (based on what's primarily the
default ipmasq filtering rules)--
----- Forwarded message from root <root@serensoft.com> -----
Security Violations
=-=-=-=-=-=-=-=-=-=
Apr 8 17:45:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.149.223.27:10 224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
Apr 8 17:59:48 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)
Apr 8 18:00:23 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12145 F=0x4000 T=240 (#4)
Apr 8 17:45:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.149.223.27:10 224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
Apr 8 17:59:48 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)
Apr 8 18:00:23 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12145 F=0x4000 T=240 (#4)
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Apr 8 17:45:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.149.223.27:10 224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
Apr 8 17:46:17 server kernel: hdd: irq timeout: status=0xd0 { Busy }
Apr 8 17:46:17 server kernel: ide1: reset: success
Apr 8 17:59:48 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)
Apr 8 18:00:23 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12145 F=0x4000 T=240 (#4)
Apr 8 17:24:55 server xinetd[26200]: warning: can't get client address: Invalid argument
Apr 8 17:45:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.149.223.27:10 224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
Apr 8 17:46:17 server kernel: hdd: irq timeout: status=0xd0 { Busy }
Apr 8 17:46:17 server kernel: ide1: reset: success
Apr 8 17:57:17 server xinetd[26200]: warning: can't get client address: Invalid argument
Apr 8 17:59:48 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)
Apr 8 18:00:23 server kernel: Packet log: input DENY eth1 PROTO=1 192.168.241.180:4 208.33.90.85:0 L=56 S=0x00 I=12145 F=0x4000 T=240 (#4)
Apr 8 17:24:55 server xinetd[26200]: warning: can't get client address: Invalid argument
Apr 8 17:57:17 server xinetd[26200]: warning: can't get client address: Invalid argument
----- End forwarded message -----
if i understand correctly, the following line (broken for
readability) says someone at 172.149.223.27 was broadcasting
(224.*.*.*):
Apr 8 17:45:10 server kernel: Packet log:
input DENY eth0 PROTO=1 172.149.223.27:10
224.0.0.2:0 L=28 S=0x00 I=11290 F=0x0000 T=128 (#7)
i get messages like that, quite frequently.
--
but then this following packet says someone at 192.168.241.180
was scanning our server (208.33.90.85) --
Apr 8 17:59:48 server kernel: Packet log:
input DENY eth1 PROTO=1 192.168.241.180:4
208.33.90.85:0 L=56 S=0x00 I=12140 F=0x4000 T=240 (#4)
but 192.168.*.* is internal-only, a reserved
'not-for-external-ip' number cluster, right?
my ifconfig shows three devices -- eth1 (208.33.90.85) and eth0
(192.168.1.1) and lo (127.0.0.1).
on my intRAnet i've got 192.168.1.[1,2,100,101,102,200] and
nothing else. where would this have come from? are we hacked?
--
americans should never read anything so subversive as what's at
http://www.salon.com/people/col/pagl/2001/03/21/spring/index1.html
will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!
Reply to: