This used to be a transcript of one of my recent OCLUG postings. The original poster was worried about some suspicious things that he had seen in his system logs. In response, I summarized approximately six months of really obvious cracker activity on my home system.
Note that I'm only reporting on a small amount of security information here. I've completely omitted various attacks that have been launched against my bind, wu-ftpd, Sendmail, and Apache servers (attacks which cannot be filtered out by the firewall), and I've also omitted a variety of probes that came to my systems across non-public networks (hint: if you work in a large corporation, your employer pays people to be seriously curious about what you're running on your desktop at work). I also ignore, without logging, a lot of stuff that I consider to be absolute noise: packets that are not addressed to my IP address, broadcast packets, SMB packets, and non-IP/non-ARP packets. There are about 13 megabytes of such packets every day.
The article is rather long but it contains a lot of little scraps of information. It's best to read this article with a large mug of hot chocolate in front of a fireplace on a cold winter's night...
In article <36CC2E32.E9CF175B@audiowarehouse.sk.ca>, Mike Warnecke wrote:

>Somebody is trying to get mail from your computer. Make sure you read some of the
>past articles in this list regarding firewalling and security (sorry, I haven't got
>them). I have a few machines on the internet full-time and the cracker attempts
>never stop. I try to contact their service providers, but few respond.
>Be careful out there!

If that doesn't convince you that security is important, here's what's in my firewall logs. Note that this is only stuff that the _firewall_ filters out. The antics they're pulling on the servers they _can_ connect to are even more interesting, but for the sake of brevity I'll omit them here.

zblaxell@washu:~$ zcat -f /var/log/messages* | grep DENY

Feb 17 18:28:22 gateway kernel: Packet log: input DENY eth1 PROTO=1 195.138.133.10:4 24.112.92.159:0 L=112 S=0x00 I=63620 F=0x4000 T=245

These are ICMP source quenches. Harmless. I really should start allowing those, I guess...they're an important part of the Internet routing protocol. The ICMP messages that should be allowed (and that I've seen in real life) are 0, 3, 4, 8, and 11. 0 and 8 are ping, the others are things like source quench and network unreachable.
Feb 14 17:12:07 gateway kernel: Packet log: input DENY eth1 PROTO=6 210.103.108.186:5263 24.112.92.159:143 L=44 S=0x00 I=38089 F=0x0000 T=48
Feb 17 20:38:05 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.37.79.11:5692 24.112.92.159:143 L=44 S=0x00 I=21822 F=0x0000 T=49
Feb 18 02:56:43 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.31.253.69:3373 24.112.92.159:143 L=44 S=0x00 I=52227 F=0x0000 T=56
Feb 21 22:53:59 gateway kernel: Packet log: input DENY eth1 PROTO=6 166.82.12.250:28951 24.112.92.159:143 L=44 S=0x00 I=51006 F=0x0000 T=58
Jan 29 17:40:48 gateway kernel: Packet log: input DENY eth1 PROTO=6 203.98.11.3:28967 24.112.92.159:143 L=44 S=0x00 I=60092 F=0x0000 T=53

>Greg Sarsons wrote:
>> and connect from 158.37.79.11

Someone is scanning Rogers sites for IMAP servers. Evil. They're probably trying to see if anyone has a year-old version of Red Hat running on their system to try to get into it. Go to www.rootshell.com and search for 'imap' and you'll see half a dozen ready-to-run exploit scripts (although as far as I know they all exploit the same two vulnerabilities).

zblaxell@washu:~$ host 158.37.79.11
11.79.37.158.IN-ADDR.ARPA domain name pointer script.nla.no
11.79.37.158.IN-ADDR.ARPA domain name pointer script.lh.nla.no
zblaxell@washu:~$ host 166.82.12.250
Host not found, try again.
zblaxell@washu:~$ host 210.103.108.186
Host not found, try again.
zblaxell@washu:~$ host 203.98.11.3
3.11.98.203.IN-ADDR.ARPA domain name pointer ns1.netcentral.co.nz

Well, I tried again, and it still doesn't work. That's fairly common. Someone from *Norway* is scanning Rogers *Ottawa* sites for IMAP servers. There is no excuse for this. It is *very* evil. Ditto New Zealand.

Feb 17 23:27:28 gateway kernel: Packet log: input DENY eth1 PROTO=1 10.10.10.10:4 24.112.92.159:0 L=56 S=0x00 I=13638 F=0x0000 T=248

Rogers sends me gigabytes of crap from 10.X.Y.Z. They use network 10 for controlling their cable modems.
The crackers know this too and sometimes launch attacks against me from 10.X.Y.Z. I used to have one DNS root exploit attempt every two to six hours for a month or two from 10.X.Y.Z.

Feb 18 20:42:49 gateway kernel: Packet log: input DENY eth1 PROTO=1 10.0.184.49:11 24.112.92.159:0 L=56 S=0xC0 I=32399 F=0x0000 T=254
Feb 18 20:43:05 gateway kernel: Packet log: input DENY eth1 PROTO=1 10.0.255.246:11 24.112.92.159:0 L=56 S=0xC0 I=37045 F=0x0000 T=250

"ICMP Host Unreachable (TOS)." More Rogers noise, or maybe it's my cable modem trying to tell me to get the cat off of the cable modem (it's nice and warm and comfortable to sleep on) so I can be connected to the Internet. Or something. It only shows up because of the 10.* address.

Feb 18 02:56:48 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.31.253.69:5127 24.112.92.159:53 L=44 S=0x00 I=52577 F=0x0000 T=56

And now someone is trying to get my zone files, or maybe they just want to see if my named will give them root access. Again, see www.rootshell.com and search for 'named' and 'bind' to see the exploit scripts they are using. Of course there's no reverse IP mapping for 204.31.253.6 at all.

Feb 19 19:24:49 gateway kernel: Packet log: input DENY eth1 PROTO=17 193.230.177.21:988 24.112.92.159:111 L=84 S=0x00 I=31184 F=0x0000 T=54

Someone is probably looking for open NFS exports. That's UDP being sent to my portmapper. This isn't even worth a www.rootshell.com entry; it's just bad configuration vulnerabilities as old as the trees. Note that there is a real exploit for 'mountd' but that wasn't used here.

zblaxell@washu:~$ host 193.230.177.21
21.177.230.193.IN-ADDR.ARPA domain name pointer iren.iren.ro

Is that Romania? Gee, NFS is gonna be *slow* in Romania...

zblaxell@washu:~$ host 147.46.116.150
150.116.46.147.IN-ADDR.ARPA domain name pointer tsp8.snu.ac.kr

I know that one: kr is Korea.
Feb 9 17:53:20 gateway kernel: Packet log: input DENY eth1 PROTO=17 209.67.50.210:925 24.112.92.159:111 L=84 S=0x00 I=24840 F=0x0000 T=54

This guy tried to get at my portmap daemon for 15 straight minutes.

zblaxell@washu:~$ host 209.67.50.210
Host not found, try again.

Feb 20 10:20:51 gateway kernel: Packet log: input DENY eth1 PROTO=17 209.167.240.9:63777 24.112.92.159:161 L=78 S=0x00 I=2059 F=0x0000 T=55

I have 1502 of these. Whoever you are, you are annoying.

zblaxell@washu:~$ host 209.167.240.9
9.240.167.209.IN-ADDR.ARPA domain name pointer sprocket.loran.com

These come from different ports at different times, but always in the range 61000-65095. Therefore it's probably some server behind a Linux IP masquerading firewall. That site is actually fairly tight; the person who set up the networking there knows basic firewall setup. [Note: I actually later discovered that this site is run by a company that sells Linux-based firewalls. D'oh!]

Feb 2 22:33:58 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.48.46.46:3013 24.112.92.159:12345 L=48 S=0x00 I=18001 F=0x0000 T=118
Feb 3 00:01:44 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.81.231:4486 24.112.92.159:12345 L=48 S=0x00 I=56635 F=0x4000 T=123
Feb 11 03:39:07 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.194.20.84:1703 24.112.92.159:12345 L=48 S=0x00 I=29010 F=0x4000 T=118
Feb 11 21:46:48 gateway kernel: Packet log: input DENY eth1 PROTO=6 216.66.137.165:3524 24.112.92.159:12345 L=64 S=0xD0 I=36755 F=0x4000 T=113
Feb 13 22:16:30 gateway kernel: Packet log: input DENY eth1 PROTO=6 216.66.137.132:1723 24.112.92.159:12345 L=64 S=0x60 I=6538 F=0x4000 T=113
Feb 19 21:53:33 gateway kernel: Packet log: input DENY eth1 PROTO=6 137.186.208.66:4132 24.112.92.159:12345 L=48 S=0x00 I=6545 F=0x4000 T=119
Feb 19 21:53:36 gateway kernel: Packet log: input DENY eth1 PROTO=6 137.186.208.66:4132 24.112.92.159:12345 L=48 S=0x00 I=24209 F=0x4000 T=119
Feb 19 21:53:54 gateway kernel: Packet log: input DENY eth1 PROTO=6 137.186.208.66:4132 24.112.92.159:12345 L=48 S=0x00 I=19090 F=0x4000 T=119
Jan 31 14:29:07 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.81.231:4150 24.112.92.159:12345 L=48 S=0x00 I=7475 F=0x4000 T=123

That is a Win95 machine running NetBus (a remote-access network trojan). Someone is fishing for pre-cracked machines to use for whatever nefarious purposes...

zblaxell@washu:~$ host 137.186.208.66
66.208.186.137.IN-ADDR.ARPA domain name pointer ms01-66.ott.istar.ca
zblaxell@washu:~$ host 207.194.20.84
84.20.194.207.IN-ADDR.ARPA domain name pointer nvcr01m02-84.bctel.ca
zblaxell@washu:~$ host 216.66.137.165
165.137.66.216.IN-ADDR.ARPA domain name pointer nvan-53-0269.direct.ca
zblaxell@washu:~$ host 216.66.137.132
132.137.66.216.IN-ADDR.ARPA domain name pointer nvan-53-0236.direct.ca
zblaxell@washu:~$ host 24.112.81.231
231.81.112.24.IN-ADDR.ARPA domain name pointer cr492042-a.yec1.on.wave.home.com

Note that 24.112.81.231 scanned twice.

Feb 1 13:30:07 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.81.231:3784 24.112.92.159:12345 L=48 S=0x00 I=39723 F=0x4000 T=123
Feb 8 23:44:30 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.87.174:61187 24.112.92.159:12345 L=64 S=0xE4 I=63502 F=0x4000 T=124
Feb 8 23:44:31 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.87.174:61199 24.112.92.159:12346 L=64 S=0x60 I=1039 F=0x4000 T=124
Feb 13 02:27:07 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.112.211:4222 24.112.92.159:12345 L=44 S=0x00 I=44547 F=0x4000 T=25

zblaxell@washu:~$ host 24.112.87.174
174.87.112.24.IN-ADDR.ARPA domain name pointer cr425084-a.slnt1.on.wave.home.com
zblaxell@washu:~$ host 24.112.112.211
211.112.112.24.IN-ADDR.ARPA domain name pointer cr415834-a.poco1.bc.wave.home.com
zblaxell@washu:~$ host 24.112.81.231
231.81.112.24.IN-ADDR.ARPA domain name pointer cr492042-a.yec1.on.wave.home.com
zblaxell@washu:~$ host 207.48.46.46
46.46.48.207.IN-ADDR.ARPA domain name pointer Max4000-lrd1-14.bravo.net

Rogers customers searching for Windows 95 cracks on my web server. One of those is probably coming through another Linux IP masquerading firewall, judging from the port numbers.

Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2035 24.112.92.159:1 L=39 S=0x00 I=5727 F=0x0000 T=111
Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2036 24.112.92.159:2 L=39 S=0x00 I=5983 F=0x0000 T=111
Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2037 24.112.92.159:3 L=39 S=0x00 I=6239 F=0x0000 T=111
Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2038 24.112.92.159:4 L=39 S=0x00 I=6495 F=0x0000 T=111
Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2039 24.112.92.159:5 L=39 S=0x00 I=6751 F=0x0000 T=111
Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2040 24.112.92.159:6 L=39 S=0x00 I=7007 F=0x0000 T=111
Feb 20 21:00:39 gateway kernel: Packet log: input DENY eth1 PROTO=17 194.7.146.119:2041 24.112.92.159:7 L=39 S=0x00 I=7263 F=0x0000 T=111

Hello, a port-scan attack!

zblaxell@washu:~$ host 194.7.146.119
119.146.7.194.IN-ADDR.ARPA domain name pointer pool02b-194-7-146-119.uunet.be

BE? Where is BE? Belgium?

Feb 20 21:04:05 gateway kernel: Packet log: input DENY eth1 PROTO=6 194.7.146.119:2306 24.112.92.159:30303 L=48 S=0x00 I=4782 F=0x4000 T=111

Your guess is as good as mine. I don't recognize port 30303 (although my intuition suggests it's another Back Orifice type server). Same guy.

Feb 21 15:46:06 gateway kernel: Packet log: output DENY eth1 PROTO=17 10.244.97.2:43407 209.167.240.3:33435 L=40 S=0x00 I=43408 F=0x0000 T=1

Oops, that's one of mine. How did _that_ get in there?

zblaxell@washu:~$ host 209.167.240.3
3.240.167.209.IN-ADDR.ARPA domain name pointer marjorie.loran.com

Oh, wait, I was probing loran.com. Now I remember... ;-)

Feb 7 21:59:27 gateway kernel: Packet log: output DENY eth1 PROTO=17 10.244.97.2:40015 209.67.27.71:33435 L=40 S=0x00 I=40016 F=0x0000 T=1

Hmmm...maybe my SO was tracerouting something?

zblaxell@washu:~$ host 209.67.27.71
71.27.67.209.IN-ADDR.ARPA domain name pointer umweb2.unitedmedia.com

Oh, Dilbert was down.

Feb 8 03:51:01 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.27.182.141:22882 24.112.92.159:110 L=44 S=0x00 I=23373 F=0x0000 T=55
Feb 10 00:03:37 gateway kernel: Packet log: input DENY eth1 PROTO=6 147.46.116.150:6674 24.112.92.159:110 L=44 S=0x00 I=13715 F=0x0000 T=51
Feb 10 00:03:39 gateway kernel: Packet log: input DENY eth1 PROTO=6 147.46.116.150:6674 24.112.92.159:110 L=44 S=0x00 I=13945 F=0x0000 T=52
Feb 18 02:56:53 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.31.253.69:7015 24.112.92.159:110 L=44 S=0x00 I=52905 F=0x0000 T=56

Another POP3 probe. There must have been a root vulnerability in pop3 too. See, there are so many security holes that I forget which servers have which holes after a while. In the end it makes no difference; you have to assume that they all have holes and plan your network accordingly, i.e. put a real firewall (not a Linux kernel firewall running on the web server, but a separate physical machine running a minimally-permissive firewall) between the outside world (including your web server) and any data you care about. The safest thing is to block all of the server ports unless you absolutely positively can't do without a server, and in those cases you want to read the server source to make sure there are no security holes you can find. You would be amazed at some of the crappy programs out there; I've been able to find security holes just by doing a 'grep' for function names that are frequently not used properly, like 'sprintf' or 'mktemp'. See the Bugtraq archives at www.geek-girl.com for my articles on the subject "Unix Interface Considered Harmful".
zblaxell@washu:~$ host 208.27.182.141
141.182.27.208.IN-ADDR.ARPA domain name pointer iway-spr182-141.islands.vi

Uhhh...Venice? I'm totally guessing these country names here...I know where to look them up, I'm just not doing it. ;-)

Feb 10 18:53:44 gateway kernel: Packet log: input DENY eth1 PROTO=6 210.160.106.226:1746 24.112.92.159:143 L=44 S=0x00 I=37620 F=0x0000 T=49
Feb 10 18:53:49 gateway kernel: Packet log: input DENY eth1 PROTO=6 210.160.106.226:1771 24.112.92.159:53 L=44 S=0x00 I=37652 F=0x0000 T=49
Feb 10 18:53:54 gateway kernel: Packet log: input DENY eth1 PROTO=6 210.160.106.226:1806 24.112.92.159:110 L=44 S=0x00 I=37700 F=0x0000 T=49

This guy knows all the holes... ;-)

zblaxell@washu:~$ host 210.160.106.226
226.106.160.210.IN-ADDR.ARPA is a nickname for 226.224.106.160.210.in-addr.arpa

...but doesn't know how to set up a DNS zone properly. Actually it's more likely that the site administrator is not a Unix guru and screwed up more than the DNS zone files, and that let our cracker get in...

Feb 12 15:00:47 gateway kernel: Packet log: input DENY eth1 PROTO=6 212.228.220.203:27910 24.112.92.159:27901 L=316 S=0x00 I=55081 F=0x4000 T=116
Feb 14 09:05:04 gateway kernel: Packet log: input DENY eth1 PROTO=6 193.237.95.241:49606 24.112.92.159:49608 L=52 S=0x0D I=56580 F=0x4000 T=116

Dunno those ones.

zblaxell@washu:~$ host 212.228.220.203
203.220.228.212.IN-ADDR.ARPA domain name pointer majicthighs.demon.co.uk
zblaxell@washu:~$ host 193.237.95.241
241.95.237.193.IN-ADDR.ARPA domain name pointer gunhead.demon.co.uk

demon.co.uk is a huge ISP. They probably get a cracker every week.

Feb 14 09:28:45 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:1027 24.112.92.159:119 L=40 S=0x00 I=36002 F=0x4000 T=116

Someone is looking for my news server. Well, I actually have one of those, but you can't talk to it. Thpppt. :-P

zblaxell@washu:~$ host 158.152.94.97
97.94.152.158.IN-ADDR.ARPA domain name pointer grotto.demon.co.uk

Feb 14 09:30:14 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:25 24.112.92.159:54862 L=40 S=0x00 I=32204 F=0x4000 T=116
Feb 14 09:30:43 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:119 24.112.92.159:47692 L=40 S=0x00 I=19418 F=0x4000 T=116

Oooh, this guy is trying to see if I've misconfigured my firewall. Notice how the source port is the SMTP or NNTP port. Clever. That's the most intelligent attack I've seen so far.

Feb 14 09:30:47 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:57489 24.112.92.159:119 L=40 S=0x00 I=12764 F=0x4000 T=116

Now he's back to trying to get my NNTP port.

Feb 14 09:31:13 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:27901 24.112.92.159:27910 L=40 S=0x00 I=8168 F=0x4000 T=116

Hmmm...I've seen those ports before but reversed. I am now very suspicious.

Feb 14 09:31:42 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:1574 24.112.92.159:8080 L=40 S=0x00 I=29940 F=0x4000 T=116

He's looking for a proxy web server. Probably so he can be anonymous while he surfs the net.

Feb 14 09:31:43 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:27005 24.112.92.159:27015 L=40 S=0x00 I=61172 F=0x4000 T=116
Feb 14 09:31:47 gateway kernel: Packet log: input DENY eth1 PROTO=6 158.152.94.97:1130 24.112.92.159:19184 L=40 S=0x00 I=21494 F=0x4000 T=116

Still trying? C'mon, guy, it's Valentine's day. Obviously your girlfriend dumped you.

Feb 14 10:49:04 gateway kernel: Packet log: input DENY eth1 PROTO=6 164.58.90.28:0 24.112.92.159:143 L=40 S=0x00 I=19972 F=0x0000 T=233

Hmmm...attempting to connect to my IMAP server from TCP port 0. I'm not even sure that's legal. Another attack designed to get around broken firewalls.

zblaxell@washu:~$ host 164.58.90.28
Host not found.
Feb 14 13:11:36 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4619 24.112.92.159:7 L=48 S=0x00 I=12608 F=0x4000 T=123

Port 7 is the 'echo' port. This is a denial-of-service attempt.

zblaxell@washu:~$ host 24.112.36.90
90.36.112.24.IN-ADDR.ARPA domain name pointer cr689237-a.ym1.on.wave.home.com

Feb 14 13:11:37 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4624 24.112.92.159:70 L=48 S=0x00 I=16704 F=0x4000 T=123
Feb 14 13:11:38 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.36.90:4664 24.112.92.159:161 L=67 S=0x00 I=49216 F=0x0000 T=123
Feb 14 13:11:38 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4656 24.112.92.159:143 L=48 S=0x00 I=42560 F=0x4000 T=123
Feb 14 13:11:40 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4637 24.112.92.159:110 L=48 S=0x00 I=16449 F=0x4000 T=123
Feb 14 13:11:41 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4648 24.112.92.159:37 L=48 S=0x00 I=24897 F=0x4000 T=123
Feb 14 13:11:45 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4619 24.112.92.159:7 L=48 S=0x00 I=31042 F=0x4000 T=123
Feb 14 13:11:58 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.36.90:4631 24.112.92.159:119 L=48 S=0x00 I=53829 F=0x4000 T=123

In order: gopher, SNMP, IMAP, POP3, time, echo, and NNTP. None of which I'm running.
Feb 3 02:49:52 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4681 24.112.92.159:7 L=48 S=0x00 I=2795 F=0x4000 T=118
Feb 3 02:49:59 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4703 24.112.92.159:70 L=48 S=0x00 I=38381 F=0x4000 T=118
Feb 3 02:49:59 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4722 24.112.92.159:119 L=48 S=0x00 I=39917 F=0x4000 T=118
Feb 3 02:50:05 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4740 24.112.92.159:110 L=48 S=0x00 I=50159 F=0x4000 T=118
Feb 3 02:50:08 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4764 24.112.92.159:37 L=48 S=0x00 I=62959 F=0x4000 T=118
Feb 3 02:50:09 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4791 24.112.92.159:143 L=48 S=0x00 I=52976 F=0x4000 T=118
Feb 15 13:52:20 gateway kernel: Packet log: input DENY eth1 PROTO=6 142.194.244.241:4260 24.112.92.159:7 L=48 S=0x00 I=35986 F=0x4000 T=113
Feb 15 13:52:20 gateway kernel: Packet log: input DENY eth1 PROTO=6 142.194.244.241:4270 24.112.92.159:110 L=48 S=0x00 I=44690 F=0x4000 T=113
Feb 15 13:52:26 gateway kernel: Packet log: input DENY eth1 PROTO=6 142.194.244.241:4266 24.112.92.159:70 L=48 S=0x00 I=3220 F=0x4000 T=113

And again.

zblaxell@washu:~$ host 206.152.172.204
204.172.152.206.IN-ADDR.ARPA domain name pointer rtx01s12.lanline.com
zblaxell@washu:~$ host 142.194.244.241
241.244.194.142.IN-ADDR.ARPA domain name pointer d241-hn101h1-htmn-pdi.attcanada.net

To save time, maybe I should just post a summary of what a port scan against my web server looks like on my web site. That way, people wouldn't keep trying them...

Feb 15 22:40:17 gateway kernel: Packet log: input DENY eth1 PROTO=6 198.211.16.147:35155 24.112.92.159:8010 L=40 S=0x00 I=53428 F=0x0000 T=50

Port 8010 I'm not familiar with. It's likely to be some kind of HTTP proxy.
zblaxell@washu:~$ host 198.211.16.147
147.16.211.198.IN-ADDR.ARPA domain name pointer nyf-ny3-19.ix.netcom.com

Feb 17 01:56:00 gateway kernel: Packet log: input DENY eth1 PROTO=6 128.46.200.76:7502 24.112.92.159:143 L=44 S=0x00 I=7057 F=0x0000 T=51
Feb 17 01:56:05 gateway kernel: Packet log: input DENY eth1 PROTO=6 128.46.200.76:16316 24.112.92.159:53 L=44 S=0x00 I=8143 F=0x0000 T=51
Feb 17 01:56:10 gateway kernel: Packet log: input DENY eth1 PROTO=6 128.46.200.76:23142 24.112.92.159:635 L=44 S=0x00 I=8994 F=0x0000 T=51

This guy is trying for IMAP and DNS holes, and skips the portmap step and tries to go to the NFS mounter daemon directly.

zblaxell@washu:~$ host 128.46.200.76
76.200.46.128.IN-ADDR.ARPA domain name pointer zoot.ecn.purdue.edu

Jan 30 08:48:53 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.113.172.16:3266 24.112.92.159:143 L=44 S=0x00 I=48843 F=0x0000 T=50
Jan 30 08:49:01 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.113.172.16:6708 24.112.92.159:53 L=44 S=0x00 I=51202 F=0x0000 T=50
Jan 30 08:49:06 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.113.172.16:10759 24.112.92.159:635 L=44 S=0x00 I=52719 F=0x0000 T=50
Jan 30 08:49:11 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.113.172.16:14838 24.112.92.159:110 L=44 S=0x00 I=54566 F=0x0000 T=50

Someone is passing that exploit script around.
zblaxell@washu:~$ host 209.113.172.16
16.172.113.209.IN-ADDR.ARPA domain name pointer baron.nii.net

Feb 1 05:26:40 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.91.207.2:9456 24.112.92.159:143 L=44 S=0x00 I=22649 F=0x0000 T=51
Feb 1 05:26:45 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.91.207.2:19447 24.112.92.159:53 L=44 S=0x00 I=24202 F=0x0000 T=51
Feb 1 05:26:50 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.91.207.2:29107 24.112.92.159:635 L=44 S=0x00 I=25652 F=0x0000 T=51
Feb 1 05:26:55 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.91.207.2:7355 24.112.92.159:110 L=44 S=0x00 I=27606 F=0x0000 T=51
Feb 1 19:23:23 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.210.27.236:27073 24.112.92.159:143 L=44 S=0x00 I=20407 F=0x0000 T=53
Feb 1 19:23:31 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.210.27.236:30047 24.112.92.159:53 L=44 S=0x00 I=21213 F=0x0000 T=53
Feb 1 19:23:36 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.210.27.236:1031 24.112.92.159:635 L=44 S=0x00 I=21740 F=0x0000 T=53
Feb 1 19:23:38 gateway kernel: Packet log: input DENY eth1 PROTO=6 204.210.27.236:4588 24.112.92.159:110 L=44 S=0x00 I=21901 F=0x0000 T=53
Feb 2 12:28:29 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.196.56.24:13970 24.112.92.159:143 L=44 S=0x00 I=38464 F=0x0000 T=53
Feb 2 12:28:34 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.196.56.24:15685 24.112.92.159:53 L=44 S=0x00 I=38699 F=0x0000 T=53
Feb 2 12:28:39 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.196.56.24:16428 24.112.92.159:635 L=44 S=0x00 I=38854 F=0x0000 T=53
Feb 2 12:28:47 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.196.56.24:16727 24.112.92.159:110 L=44 S=0x00 I=39078 F=0x0000 T=53
Feb 2 14:31:10 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.84.172.80:25697 24.112.92.159:143 L=44 S=0x00 I=54563 F=0x0000 T=45
Feb 2 14:31:15 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.84.172.80:29612 24.112.92.159:53 L=44 S=0x00 I=55461 F=0x0000 T=45
Feb 2 14:31:20 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.84.172.80:1607 24.112.92.159:110 L=44 S=0x00 I=56182 F=0x0000 T=45

Very popular, this exploit script...

zblaxell@washu:~$ host 207.91.207.2
2.207.91.207.IN-ADDR.ARPA domain name pointer rush.brophy.com
zblaxell@washu:~$ host 204.210.27.236
236.27.210.204.IN-ADDR.ARPA domain name pointer dt040nec.san.rr.com
zblaxell@washu:~$ host 195.84.172.80
80.172.84.195.IN-ADDR.ARPA domain name pointer tfr.org

Feb 3 02:50:12 gateway kernel: Packet log: input DENY eth1 PROTO=17 206.152.172.204:4813 24.112.92.159:161 L=67 S=0x00 I=17393 F=0x0000 T=118
Feb 3 02:50:13 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4681 24.112.92.159:7 L=48 S=0x00 I=24817 F=0x4000 T=118
Feb 3 02:50:14 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4764 24.112.92.159:37 L=48 S=0x00 I=37105 F=0x4000 T=118
Feb 3 02:50:17 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4703 24.112.92.159:70 L=48 S=0x00 I=55281 F=0x4000 T=118
Feb 3 02:50:18 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4791 24.112.92.159:143 L=48 S=0x00 I=61681 F=0x4000 T=118
Feb 3 02:50:20 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4722 24.112.92.159:119 L=48 S=0x00 I=7922 F=0x4000 T=118
Feb 3 02:50:23 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4740 24.112.92.159:110 L=48 S=0x00 I=27122 F=0x4000 T=118
Feb 3 02:50:26 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4764 24.112.92.159:37 L=48 S=0x00 I=49650 F=0x4000 T=118
Feb 3 02:50:30 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.152.172.204:4791 24.112.92.159:143 L=48 S=0x00 I=6131 F=0x4000 T=118

Again.
zblaxell@washu:~$ host 206.152.172.204
204.172.152.206.IN-ADDR.ARPA domain name pointer rtx01s12.lanline.com

Feb 3 08:27:03 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.65.173:1883 24.112.92.159:161 L=69 S=0x00 I=52959 F=0x0000 T=124

zblaxell@washu:~$ host 24.112.65.173
173.65.112.24.IN-ADDR.ARPA domain name pointer cr804155-a.etob1.on.wave.home.com

Feb 5 19:15:14 gateway kernel: Packet log: input DENY eth1 PROTO=1 194.231.109.43:4 24.112.92.159:0 L=56 S=0x00 I=20472 F=0x0000 T=13
Feb 6 02:49:52 gateway kernel: Packet log: input DENY eth1 PROTO=17 207.142.180.2:682 24.112.92.159:111 L=84 S=0x00 I=14297 F=0x0000 T=50
Feb 5 04:06:27 gateway kernel: Packet log: input DENY eth1 PROTO=17 206.102.127.14:866 24.112.92.159:111 L=84 S=0x00 I=50528 F=0x0000 T=56
Jan 22 01:09:22 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.194.175.83:1233 24.112.92.159:12345 L=44 S=0x00 I=17923 F=0x4000 T=115
Jan 22 00:38:14 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.194.175.247:2403 24.112.92.159:12345 L=44 S=0x00 I=50014 F=0x4000 T=115
Feb 5 18:48:39 gateway kernel: Packet log: input DENY eth1 PROTO=6 199.179.188.134:3615 24.112.92.159:12345 L=44 S=0x00 I=62325 F=0x4000 T=19
Feb 4 00:43:34 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.81.231:3834 24.112.92.159:12345 L=48 S=0x00 I=47788 F=0x4000 T=123
Feb 5 19:09:50 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.211.63:2740 24.112.92.159:12345 L=48 S=0x00 I=54408 F=0x4000 T=115
Feb 3 13:08:18 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.81.231:11111 24.112.92.159:12345 L=48 S=0x00 I=5952 F=0x4000 T=123
Feb 5 17:51:01 gateway kernel: Packet log: input DENY eth1 PROTO=6 210.113.6.97:20516 24.112.92.159:143 L=44 S=0x00 I=11853 F=0x0000 T=52
Feb 3 20:25:41 gateway kernel: Packet log: input DENY eth1 PROTO=6 129.133.72.55:23266 24.112.92.159:143 L=44 S=0x00 I=39419 F=0x0000 T=55
Feb 6 01:08:16 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.86.3.135:7183 24.112.92.159:143 L=44 S=0x00 I=63809 F=0x0000 T=54
Feb 5 08:30:12 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.105.238.30:4133 24.112.92.159:143 L=60 S=0x00 I=33472 F=0x4000 T=53
Jan 22 00:58:05 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.94.100:32866 24.112.92.159:23 L=60 S=0x00 I=34103 F=0x4000 T=255
Feb 3 16:07:53 gateway kernel: Packet log: input DENY eth1 PROTO=6 143.195.170.25:3772 24.112.92.159:53 L=60 S=0x00 I=8733 F=0x4000 T=50
Jan 22 01:04:34 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.94.100:33268 24.112.92.159:80 L=60 S=0x00 I=34116 F=0x4000 T=255

Same old, same old. Repeats deleted.

Jan 22 01:19:25 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.94.100:33584 24.112.92.159:23 L=60 S=0x00 I=54727 F=0x4000 T=255
Jan 22 01:23:49 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.94.100:3114 24.112.92.159:1 L=48 S=0x00 I=54023 F=0x4000 T=255
Jan 22 01:24:04 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.94.100:33765 24.112.92.159:21 L=60 S=0x00 I=54034 F=0x4000 T=255
Jan 22 12:41:04 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.57.139:1103 24.112.92.159:22 L=30 S=0x00 I=50192 F=0x0000 T=27
Jan 24 07:36:50 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.92.25:1070 24.112.92.159:22 L=30 S=0x00 I=64769 F=0x0000 T=128

Look closely: PROTO=17 means UDP, but ssh and telnet (22 and 23) are TCP protocols (PROTO=6).

zblaxell@washu:~$ host 24.112.94.100
100.94.112.24.IN-ADDR.ARPA domain name pointer cr616215-a.rchrd1.on.wave.home.com
zblaxell@washu:~$ host 24.112.57.139
139.57.112.24.IN-ADDR.ARPA domain name pointer cr24139-a.ym1.on.wave.home.com
zblaxell@washu:~$ host 24.112.92.25
25.92.112.24.IN-ADDR.ARPA domain name pointer cr221111-a.rchrd1.on.wave.home.com

Note that people do routinely probe my telnet port as well; however, my telnet port is connected to something that is very much not telnet, so it's hard to say what they were going to try when they got there.
Jan 23 11:59:21 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.253.117.82:2247 24.112.92.159:12345 L=64 S=0x1C I=14880 F=0x4000 T=117
Jan 24 21:52:45 gateway kernel: Packet log: output DENY eth1 PROTO=17 10.244.97.2:41350 198.53.144.2:33435 L=40 S=0x00 I=41351 F=0x0000 T=1
Jan 24 21:52:50 gateway kernel: Packet log: output DENY eth1 PROTO=17 10.244.97.2:41350 198.53.144.2:33436 L=40 S=0x00 I=41352 F=0x0000 T=1
Jan 25 00:19:46 gateway kernel: Packet log: input DENY eth1 PROTO=6 129.101.82.34:11208 24.112.92.159:635 L=44 S=0x00 I=62531 F=0x0000 T=49
Jan 25 00:19:49 gateway kernel: Packet log: input DENY eth1 PROTO=6 129.101.82.34:11208 24.112.92.159:635 L=44 S=0x00 I=62874 F=0x0000 T=49
Jan 25 23:45:51 gateway kernel: Packet log: input DENY eth1 PROTO=17 24.112.73.93:7229 24.112.92.159:22 L=30 S=0x00 I=51593 F=0x0000 T=28
Jan 26 05:01:11 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.65.241.74:4812 24.112.92.159:8080 L=48 S=0x00 I=17833 F=0x4000 T=122
Jan 26 05:01:14 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.65.241.74:4812 24.112.92.159:8080 L=48 S=0x00 I=16298 F=0x4000 T=122

More of the same.

Jan 26 16:26:53 gateway kernel: Packet log: input DENY eth1 PROTO=6 192.93.52.104:6621 24.112.92.159:5500 L=48 S=0x00 I=57486 F=0x4000 T=241

New port number...

zblaxell@washu:~$ host 192.93.52.104
Host not found.

Jan 27 04:16:19 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.64.168.46:2375 24.112.92.159:8137 L=44 S=0x00 I=17637 F=0x4000 T=121
Jan 27 04:20:40 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.64.168.46:3256 24.112.92.159:5000 L=44 S=0x00 I=61755 F=0x4000 T=121

More new port numbers.
zblaxell@washu:~$ host 24.64.168.46
46.168.64.24.IN-ADDR.ARPA domain name pointer 24.64.168.46.on.wave.home.com

Jan 27 04:22:18 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:1758 24.112.92.159:110 L=44 S=0x00 I=32401 F=0x0000 T=50
Jan 27 04:22:26 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:4371 24.112.92.159:143 L=44 S=0x00 I=33155 F=0x0000 T=50
Jan 27 04:22:31 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:6711 24.112.92.159:53 L=44 S=0x00 I=33486 F=0x0000 T=50
Jan 27 04:22:36 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:8309 24.112.92.159:635 L=44 S=0x00 I=33938 F=0x0000 T=50
Jan 27 04:22:41 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:11617 24.112.92.159:143 L=44 S=0x00 I=34489 F=0x0000 T=50
Jan 27 04:22:46 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:12993 24.112.92.159:67 L=44 S=0x00 I=34933 F=0x0000 T=50
Jan 27 04:22:51 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:16509 24.112.92.159:110 L=44 S=0x00 I=35506 F=0x0000 T=50
Jan 28 18:39:20 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.250.142.242:3184 24.112.92.159:12345 L=48 S=0x00 I=30184 F=0x4000 T=114
Jan 8 20:11:40 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.51.71:49724 24.112.92.159:119 L=40 S=0x00 I=4803 F=0x0000 T=250
Jan 9 00:38:54 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.3.203.39:0 24.112.92.159:143 L=40 S=0x00 I=55042 F=0x0000 T=239
Jan 10 04:12:47 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:14958 24.112.92.159:110 L=44 S=0x00 I=57845 F=0x0000 T=51
Jan 10 04:12:56 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:19618 24.112.92.159:143 L=44 S=0x00 I=58732 F=0x0000 T=51
Jan 10 04:13:01 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:22553 24.112.92.159:53 L=44 S=0x00 I=59228 F=0x0000 T=50
Jan 10 04:13:06 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:25787 24.112.92.159:635 L=44 S=0x00 I=59742 F=0x0000 T=51
Jan 10 04:13:11 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:29709 24.112.92.159:143 L=44 S=0x00 I=60228 F=0x0000 T=51
Jan 10 04:13:16 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:1337 24.112.92.159:67 L=44 S=0x00 I=60729 F=0x0000 T=51
Jan 10 04:13:21 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.240.81:4374 24.112.92.159:110 L=44 S=0x00 I=61220 F=0x0000 T=51
Jan 10 23:01:18 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.84.17:3282 24.112.92.159:12345 L=48 S=0x00 I=14818 F=0x4000 T=125
Jan 11 11:57:10 gateway kernel: Packet log: input DENY eth1 PROTO=6 202.188.150.53:0 24.112.92.159:143 L=40 S=0x00 I=9732 F=0x0000 T=234
Jan 12 13:54:08 gateway kernel: Packet log: input DENY eth1 PROTO=6 130.67.3.100:25808 24.112.92.159:635 L=44 S=0x00 I=44251 F=0x0000 T=52
Jan 13 18:43:43 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.139.82.10:3187 24.112.92.159:143 L=44 S=0x00 I=1565 F=0x0000 T=55
Jan 13 18:43:48 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.139.82.10:17467 24.112.92.159:53 L=44 S=0x00 I=3854 F=0x0000 T=55
Jan 13 18:43:53 gateway kernel: Packet log: input DENY eth1 PROTO=6 208.139.82.10:1429 24.112.92.159:110 L=44 S=0x00 I=5555 F=0x0000 T=55
Jan 14 02:49:32 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:5528 24.112.92.159:110 L=44 S=0x00 I=50289 F=0x0000 T=51
Jan 14 02:49:38 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:10469 24.112.92.159:143 L=44 S=0x00 I=50845 F=0x0000 T=51
Jan 14 02:49:40 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:13164 24.112.92.159:53 L=44 S=0x00 I=50999 F=0x0000 T=51
Jan 14 02:49:45 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:16980 24.112.92.159:635 L=44 S=0x00 I=51603 F=0x0000 T=51
Jan 14 02:49:50 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:19552 24.112.92.159:143 L=44 S=0x00 I=52175 F=0x0000 T=51
Jan 14 02:49:54 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:22677 24.112.92.159:67 L=44 S=0x00 I=52710 F=0x0000 T=51
Jan 14 02:50:00 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.4.38.70:26734 24.112.92.159:110 L=44 S=0x00 I=53470 F=0x0000 T=51
Jan 14 21:14:26 gateway kernel: Packet log: input DENY eth1 PROTO=6 199.179.168.29:16905 24.112.92.159:143 L=44 S=0x00 I=33520 F=0x0000 T=51
Jan 14 21:14:31 gateway kernel: Packet log: input DENY eth1 PROTO=6 199.179.168.29:18588 24.112.92.159:53 L=44 S=0x00 I=33867 F=0x0000 T=51
Jan 14 21:14:36 gateway kernel: Packet log: input DENY eth1 PROTO=6 199.179.168.29:20504 24.112.92.159:110 L=44 S=0x00 I=34212 F=0x0000 T=51
Jan 15 12:48:47 gateway kernel: Packet log: output DENY eth1 PROTO=17 10.244.97.2:63539 209.167.40.2:33435 L=40 S=0x00 I=63540 F=0x0000 T=1
Jan 15 19:47:31 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.64.14.65:3239 24.112.92.159:12345 L=44 S=0x00 I=57196 F=0x4000 T=121
Jan 16 15:08:09 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.112.90.21:2082 24.112.92.159:8010 L=44 S=0x00 I=44555 F=0x4000 T=125

More of the above.

Jan 16 22:41:06 gateway kernel: Packet log: input DENY eth1 PROTO=1 24.112.95.150:5 24.112.92.159:1 L=56 S=0x00 I=17892 F=0x0000 T=255

ICMP redirect messages. Rogers had a routing problem. I don't like to allow ICMP redirects because my routing table only contains five entries, and they should never, _ever_ change.

[ 29 lines deleted ]

Jan 20 03:04:10 gateway kernel: Packet log: input DENY eth1 PROTO=6 166.102.183.225:12170 24.112.92.159:6000 L=44 S=0x00 I=46027 F=0x0000 T=53

Someone tried to connect to my X server:

zblaxell@washu:~$ host 166.102.183.225
225.183.102.166.IN-ADDR.ARPA domain name pointer kipa5pp96.alltel.net

Of course anyone who can connect to your X server successfully (possibly by guessing your MIT-MAGIC-COOKIE authentication token) basically owns your monitor, mouse, and keyboard, with almost full read-write access.
If you're running highly dangerous applications such as Netscape, emacs, or any Tcl/Tk application at the time, you might as well broadcast all your passwords to Usenet. [ 52 lines deleted ] Dec 30 23:43:50 gateway kernel: Packet log: input DENY eth1 PROTO=6 203.38.206.5:0 24.112.92.159:954 L=40 S=0x00 I=9986 F=0x0000 T=232 Don't know that port number. zblaxell@washu:~$ host 203.38.206.5 Host not found. [ 68 lines deleted ] Jan 5 05:11:26 gateway kernel: Packet log: input DENY eth1 PROTO=6 206.141.244.211:14170 24.112.92.159:67 L=44 S=0x00 I=14833 F=0x0000 T=51 Someone is trying to bootp from me. Specifically from me. This is totally unlike the normal bootp protocol which is always from 0.0.0.0 to 255.255.255.255 (network broadcast address). zblaxell@washu:~$ host 206.141.244.211 211.244.141.206.IN-ADDR.ARPA domain name pointer dyn1-tnt2-211.indianapolis.in.ameritech.net [ 96 lines deleted ] Dec 11 02:11:28 gateway kernel: Packet log: input DENY eth1 PROTO=6 24.64.171.251:2996 24.112.92.159:31337 L=44 S=0x00 I=31193 F=0x4000 T=121 Back Orifice. The ultimate Win95 trojan. zblaxell@washu:~$ host 24.64.171.251 251.171.64.24.IN-ADDR.ARPA domain name pointer 24.64.171.251.on.wave.home.com [ 38 lines deleted ] Dec 19 02:05:34 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.48.46.85:2187 24.112.92.159:23456 L=48 S=0x00 I=16665 F=0x0000 T=118 Dec 19 02:05:38 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.48.46.85:2199 24.112.92.159:23457 L=48 S=0x00 I=29721 F=0x0000 T=118 This is probably looking for NetBus on a different port number. [ 1125 lines deleted ] Nov 19 19:49:56 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.253.190.243:2395 24.112.92.159:911 L=48 S=0x00 I=53923 F=0x4000 T=54 911, eh? Cute port number. 
zblaxell@washu:~$ host 207.253.190.243 243.190.253.207.IN-ADDR.ARPA domain name pointer port243.cactuscom.com Sep 30 11:56:45 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.183.87.60:2333 24.112.92.159:1 L=64 S=0x55 I=11849 F=0x4000 T=118 ... Sep 30 12:00:29 gateway kernel: Packet log: input DENY eth1 PROTO=6 209.183.87.60:2460 24.112.92.159:128 L=64 S=0x56 I=5963 F=0x4000 T=118 And all ports in between. A port scan. zblaxell@washu:~$ host 209.183.87.60 60.87.183.209.IN-ADDR.ARPA domain name pointer ip209-183-87-60.ts.indy.net Oct 7 04:23:28 gateway kernel: Packet log: input DENY eth1 PROTO=17 206.172.32.36:1986 24.112.92.159:17 L=46 S=0x00 I=57383 F=0x0000 T=114 Don't know what UDP port 17 is supposed to be. On TCP it's `quote of the day'. zblaxell@washu:~$ host 206.172.32.36 36.32.172.206.IN-ADDR.ARPA domain name pointer pm3-1-36.neptune.on.ca [ 45 lines deleted ] And from the archives: Oct 15 16:35:45 gateway ftpd[4683]: failed login from mail.west.ga.net [199.250.181.5], leech Oct 15 16:35:45 gateway ftpd[4683]: FTP session closed Oct 15 16:35:47 gateway ftpd[4684]: failed login from mail.west.ga.net [199.250.181.5], warez Oct 15 16:35:47 gateway ftpd[4684]: FTP session closed Oct 15 16:35:49 gateway ftpd[4685]: failed login from mail.west.ga.net [199.250.181.5], mp3 Oct 15 16:35:49 gateway ftpd[4685]: FTP session closed I love these. There were about 4 attempts in October and November. If only they knew how close they came to accessing my online CD collection... >Greg Sarsons wrote: > >> I was just looking at /var/log/secure and saw two entries that puzzled me first >> is >> connect from 199.77.47.58 >> >> okay someone tryed telneting into my machine .... it has only been up and >> connect for a week now. >> >> and connect from 158.37.79.11 >> >> okay someone else tryed ... guess I'm popular >> >> but after that I see imapd[2583]: error: cannot execute /usr/sbin/imapd: No >> such file of directory >> >> what does this mean? should I be concerned? 
You should have a firewall set up on your machine that prevents these from ever happening.
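Reading a few thousand of these DENY lines by hand is how the sweeps above were spotted (one source hitting 110, 143, 53, 635 and 67 within half a minute). Here is an added example, not from the original posting, that parses the ipchains "Packet log:" format shown here and flags sources that touch several distinct ports in a short window; the year used for timestamps is assumed, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the ipchains "Packet log:" lines quoted in this posting.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<dir>input|output) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)")

# Port meanings the posting itself discusses; anything else is reported by number.
PORT_NOTES = {12345: "NetBus", 31337: "Back Orifice", 6000: "X server", 67: "bootp"}

# Sample input copied from the posting (the output line is there to show it is skipped).
SAMPLE = [
    "Jan 23 11:59:21 gateway kernel: Packet log: input DENY eth1 PROTO=6 207.253.117.82:2247 24.112.92.159:12345 L=64 S=0x1C I=14880 F=0x4000 T=117",
    "Jan 24 21:52:45 gateway kernel: Packet log: output DENY eth1 PROTO=17 10.244.97.2:41350 198.53.144.2:33435 L=40 S=0x00 I=41351 F=0x0000 T=1",
    "Jan 27 04:22:18 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:1758 24.112.92.159:110 L=44 S=0x00 I=32401 F=0x0000 T=50",
    "Jan 27 04:22:26 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:4371 24.112.92.159:143 L=44 S=0x00 I=33155 F=0x0000 T=50",
    "Jan 27 04:22:31 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:6711 24.112.92.159:53 L=44 S=0x00 I=33486 F=0x0000 T=50",
    "Jan 27 04:22:36 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:8309 24.112.92.159:635 L=44 S=0x00 I=33938 F=0x0000 T=50",
    "Jan 27 04:22:46 gateway kernel: Packet log: input DENY eth1 PROTO=6 195.154.96.2:12993 24.112.92.159:67 L=44 S=0x00 I=34933 F=0x0000 T=50",
]

def parse_line(line):
    """Parse one Packet log line into a dict; None for any other syslog line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog stamps carry no year; a fixed one (assumed) keeps them comparable.
    ts = datetime.strptime("1999 " + d["ts"], "%Y %b %d %H:%M:%S")
    rec = {k: int(d[k]) for k in ("proto", "sport", "dport", "len", "ttl")}
    rec.update(ts=ts, dir=d["dir"], src=d["src"], dst=d["dst"],
               note=PORT_NOTES.get(rec["dport"], ""))
    return rec

def find_scans(lines, min_ports=3, window_s=60):
    """Return {src: sorted ports} for sources whose inbound denied packets hit
    at least min_ports distinct destination ports within window_s seconds."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["dir"] == "input":
            by_src[rec["src"]].append(rec)
    scans = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # sliding window from each packet
            ports = {r["dport"] for r in recs[i:]
                     if (r["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans
```

Feed it `zcat -f /var/log/messages* | grep DENY` and the 195.154.96.2 style sweeps fall out as one line per source, while lone NetBus or Back Orifice probes are still labelled by the note field of each parsed record.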