Hiya - I've been getting the occasional set of entries in my log files
relating to traffic blocked at our firewall - I was wondering two things:
1) What is this traffic - is it someone checking to see if there is a
trinoo type process running on my server? I seem to recognise those ports
being probed as ones that the trinoo type exploited hosts listen on
for activation of attacks:
Nov 9 21:31:11 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 their.ip.address:38243 my.ip.address:33435 L=40 S=0x00 I=41391 F=0x4000 T=104 (#31)
Nov 9 21:31:16 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 their.ip.address:38243 my.ip.address:33436 L=40 S=0x00 I=41392 F=0x4000 T=104 (#31)
Nov 9 21:31:21 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 their.ip.address:38243 my.ip.address:33437 L=40 S=0x00 I=41393 F=0x4000 T=104 (#31)
2) is there a security listserve that deals more specifically with
enquiries like this? I've also noticed a bunch of weird activity on port
139 that I originally thought was a port scan - but was told by one very
rude sysadmin that the activity I was reporting was "standard" behaviour
of a Windows-based computer connecting to the net - scanning for NETBIOS
services on its "local" network... anyway - I'd rather not be hassling
the redhat list with these ipchains / firewall / security issues every
other day as I strive to understand what is an attack and what is not...
TIA - dan.
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
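
Added example, not part of the original post: a parser for ipchains packet-log entries like the three quoted above, which decodes each field and summarises the destination-port pattern per source. The traceroute port range and the trinoo default ports in it are assumptions taken from public documentation, not from the post, and the function names are illustrative.

```python
import re
from collections import defaultdict
# Constructed sample: the post's three entries, each re-joined onto one line.
SAMPLE = """\
Nov 9 21:31:11 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 their.ip.address:38243 my.ip.address:33435 L=40 S=0x00 I=41391 F=0x4000 T=104 (#31)
Nov 9 21:31:16 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 their.ip.address:38243 my.ip.address:33436 L=40 S=0x00 I=41392 F=0x4000 T=104 (#31)
Nov 9 21:31:21 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 their.ip.address:38243 my.ip.address:33437 L=40 S=0x00 I=41393 F=0x4000 T=104 (#31)
"""
# ipchains format: chain, verdict, interface, IP protocol, src:port, dst:port,
# L=length, S=TOS, I=IP ID, F=flags+fragment offset, T=TTL, (#rule number).
ENTRY = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?: SYN)? \(#(?P<rule>\d+)\)")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumptions (not from the post): classic traceroute probes UDP 33434 upward,
# one port per probe, 30 hops x 3 probes by default; trinoo's documented defaults.
TRACEROUTE_PORTS = range(33434, 33434 + 30 * 3)
TRINOO_DEFAULTS = {("tcp", 27665), ("udp", 27444), ("udp", 31335)}

def parse(text):
    """Return one dict per log entry; tolerates entries wrapped across lines."""
    flat = " ".join(text.split())  # undo mail-client line wrapping
    entries = []
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            e[k] = int(e[k])
        e["df"] = bool(int(e["frag"], 16) & 0x4000)  # Don't Fragment bit
        entries.append(e)
    return entries

def summarise(entries):
    """Group by (source, protocol) and describe the destination-port pattern."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], PROTO.get(e["proto"], str(e["proto"])))].append(e)
    report = {}
    for (src, proto), es in groups.items():
        ports = [e["dport"] for e in es]
        report[(src, proto)] = {
            "dports": ports,
            "sequential": len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:])),
            "in_traceroute_range": all(p in TRACEROUTE_PORTS for p in ports),
            "trinoo_default_port": any((proto, p) in TRINOO_DEFAULTS for p in ports),
            "ttls": sorted({e["ttl"] for e in es}),
        }
    return report
```

Calling `summarise(parse(SAMPLE))` returns one record per source and protocol; the TTL values are reported alongside the port pattern so both can be weighed when judging what generated the packets.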