On Thu, 16 Nov 2000, Dan Horth wrote:
>Hiya - I've been getting the occasional set of entries in my log files
>relating to traffic blocked at our firewall - I was wondering two things:
>
>1) What is this traffic - is it someone checking to see if there is a
>trinoo type process running on my server? I seem to recognise those ports
>being probed as ones that the trinoo type exploited hosts listen on
>for activation of attacks:
>
>Nov 9 21:31:11 FireWall kernel: Packet log: input DENY ppp0 PROTO=17
>their.ip.address:38243 my.ip.address:33435 L=40 S=0x00 I=41391 F=0x4000
>T=104 (#31)
>Nov 9 21:31:16 FireWall kernel: Packet log: input DENY ppp0 PROTO=17
>their.ip.address:38243 my.ip.address:33436 L=40 S=0x00 I=41392 F=0x4000
>T=104 (#31)
>Nov 9 21:31:21 FireWall kernel: Packet log: input DENY ppp0 PROTO=17
>their.ip.address:38243 my.ip.address:33437 L=40 S=0x00 I=41393 F=0x4000
>T=104 (#31)
>
I would guess someone is trying to exploit an old kernel ipchains bug that
would let you connect from the outside to an open unprivileged port
being used from inside the firewall. There was something about it on the
RedHat announce list - last spring?
>
>2) is there a security listserve that deals more specifically with
>enquiries like this? I've also noticed a bunch of weird activity on port
>139 that I originally thought was a port scan - but was told by one very
>rude sysadmin that the activity I was reporting was "standard" behaviour
>of a windows based computer connecting to the net - scanning for NETBIOS
>services on its "local" network... anyway - I'd rather not be hassling
>the redhat list with these ipchains / firewall / security issues every
>other day as I strive to understand what is an attack and what is not...
>
This would only be true if you were on the same subnet as the computer
trying to connect. More likely, it was someone looking for an open
Windows system, but the sysadmin didn't want to be bothered with doing
something about it.
>
>TIA - dan.
>
You may want to subscribe to the redhat-announce list. There is also a
security list from RedHat, but I forget the name of it. It is on the web
site, I think.
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
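The following is an added example, not code from either poster or from the ipchains project. It parses "Packet log:" lines in the format quoted in the message above and applies the two checks the thread turns on: does one source walk a run of consecutive destination ports (the pattern in the quoted UDP entries), and how many distinct sources hit a given port such as 139. The log lines are constructed for the example, with documentation addresses in place of the real ones, and the well-known-port table in describe_port is the example's own assumption rather than anything stated on the list.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ipchains "Packet log:" format
# quoted in the thread; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Nov 9 21:31:11 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:38243 192.0.2.10:33435 L=40 S=0x00 I=41391 F=0x4000 T=104 (#31)
Nov 9 21:31:16 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:38243 192.0.2.10:33436 L=40 S=0x00 I=41392 F=0x4000 T=104 (#31)
Nov 9 21:31:21 FireWall kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:38243 192.0.2.10:33437 L=40 S=0x00 I=41393 F=0x4000 T=104 (#31)
Nov 9 22:05:02 FireWall kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:1030 192.0.2.10:139 L=48 S=0x00 I=512 F=0x4000 T=113 SYN (#12)
Nov 9 22:05:05 FireWall kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:1031 192.0.2.10:139 L=48 S=0x00 I=513 F=0x4000 T=113 SYN (#12)
Nov 9 23:40:19 FireWall kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.200:2049 192.0.2.10:139 L=48 S=0x00 I=9001 F=0x4000 T=120 SYN (#12)
"""

# One regex for the whole line; the trailing TCP flag word is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))? \(#(?P<rule>\d+)\)$"
)
INT_FIELDS = ("proto", "sport", "dport", "len", "id", "ttl", "rule")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_line(line):
    """Parse one ipchains 'Packet log:' line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    return rec


def parse_log(text):
    """Parse every matching line of a log excerpt, silently skipping other lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def describe_port(proto, dport):
    """Assumed lookup of a few well-known destination ports (example's own table)."""
    if proto == 17 and 33434 <= dport <= 33534:
        return "UDP in the 33434+ range that UNIX traceroute uses for its probes"
    if (proto == 17 and dport in (137, 138)) or (proto == 6 and dport == 139):
        return "NetBIOS name/datagram/session service"
    return "unclassified"


def find_sweeps(records, min_run=3):
    """Report runs of consecutive destination ports from one (source IP, protocol).

    A single source stepping dport by one per packet is the pattern in the quoted
    log; min_run keeps a lone hit on two adjacent ports from counting as a sweep.
    """
    by_src = defaultdict(set)
    for r in records:
        by_src[(r["src"], r["proto"])].add(r["dport"])
    sweeps = []
    for (src, proto), ports in by_src.items():
        ports = sorted(ports)
        start = prev = ports[0]
        for p in ports[1:] + [None]:          # None is a sentinel to flush the last run
            if p is not None and p == prev + 1:
                prev = p
                continue
            if prev - start + 1 >= min_run:
                sweeps.append({"src": src, "proto": PROTO_NAMES.get(proto, str(proto)),
                               "first": start, "last": prev, "count": prev - start + 1,
                               "note": describe_port(proto, start)})
            if p is not None:
                start = prev = p
    return sweeps


def sources_per_port(records):
    """Count distinct source addresses per (proto, dport).

    Many unrelated sources hitting 139 over hours looks different from the
    NetBIOS chatter of one neighbour on the same subnet.
    """
    seen = defaultdict(set)
    for r in records:
        seen[(r["proto"], r["dport"])].add(r["src"])
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s in find_sweeps(recs):
        print("sweep: %(src)s %(proto)s ports %(first)d-%(last)d (%(count)d) -> %(note)s" % s)
    for (proto, dport), n in sorted(sources_per_port(recs).items()):
        print("%s/%d: %d distinct source(s), %s"
              % (PROTO_NAMES.get(proto, proto), dport, n, describe_port(proto, dport)))
```

Run it against a real ipchains log with `parse_log(open("/var/log/messages").read())`; the regex ignores the non-firewall lines in that file. The sweep and per-port counts are only a starting point for sorting noise from probes, and any sample line that fails to parse is worth looking at by hand.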