Drew,
I've seen this before. The fault here is probably a web site designed
by someone who didn't realize that many people are behind some kind of
firewall. It looks to me like you were browsing from a MASQ'ed box (as
evidenced by the high source port numbers: 63508, etc.), when you hit a
website that contained URLs (in their HTML) that look something like
this:
http://blah.blah.blah.net/special-stuff/blah/blah:81
The :81 part being the kicker. It could also be a Java program or
something that uses port 81. In any case, you should be able to
duplicate the problem by visiting the site again. I have to say that
you'll probably see more of this. I've seen port 79, 81, and 82. I
guess they think they're being creative or something.
It's a good idea to block outgoing ports that are commonly used for
attacks. That way if you browse a disreputable (or cracked) web site,
and they have something evil in them like:
http://microshaft.com:31337, then you don't end up looking like you're
up to something.
Some HTML-based chat forums may allow port numbers in URLs posted by
"chatters" too.
- Bob Glover
From: "Drew Hunt" <[EMAIL PROTECTED]>
> I found these logs blocking outgoing packets. Whois tells me this IP
> belongs to RackSpace in San Antonio, TX. What's weird is that I woke up at
> midnight to find my Windoze computer, that had been turned off for the
> night, on and waiting for my password. Would the Wake-On-LAN feature be
> causing this? And what is this port 81?
> Logs follow:
> Feb 1 21:29:21 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63508 207.71.8.87:81 L=48 S=0x00 I=24399 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:21 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63509 207.71.8.87:81 L=48 S=0x00 I=24655 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:23 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63520 207.246.138.125:81 L=48 S=0x00 I=37967 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:24 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63508 207.71.8.87:81 L=48 S=0x00 I=43855 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:24 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63509 207.71.8.87:81 L=48 S=0x00 I=44111 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:26 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63520 207.246.138.125:81 L=48 S=0x00 I=64847 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:30 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63508 207.71.8.87:81 L=48 S=0x00 I=18512 F=0x4000 T=127 SYN (#50)
> Feb 1 21:29:30 tenchi kernel: Packet log: output REJECT eth0 PROTO=6
[snip]
>
> Any feedback appreciated.
>
> Thanks,
> Drew
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
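
Added example, not part of either poster's message: a Python parser for the ipchains "Packet log" lines quoted in the thread, counting rejected outbound SYNs per destination and separating retransmissions from distinct connection attempts. EXPECTED_WEB_PORTS, the function names and the last sample line (documentation address 192.0.2.10) are assumptions made for the illustration; the other sample lines are the post's own, rejoined.

```python
import re
from collections import defaultdict

# ipchains log layout: chain, action, interface, IP protocol number,
# src ip:port, dst ip:port, L=length S=TOS I=IP id F=frag T=TTL, optional SYN, (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
EXPECTED_WEB_PORTS = {80, 443}  # assumption: local policy for browser traffic

def parse(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def odd_port_attempts(lines):
    """Summarise rejected outbound TCP SYNs to ports outside EXPECTED_WEB_PORTS."""
    # A SYN repeated from the same source port is a retransmission of one
    # connection attempt, so distinct source ports give the number of attempts.
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or (rec["chain"], rec["action"], rec["proto"]) != ("output", "REJECT", 6):
            continue
        if rec["syn"] and rec["dport"] not in EXPECTED_WEB_PORTS:
            seen[(rec["dst"], rec["dport"])].append(rec["sport"])
    return {dest: {"packets": len(p), "attempts": len(set(p))} for dest, p in seen.items()}

# First four lines are from the post; the fifth is constructed to show the port filter.
SAMPLE = [
    "Feb 1 21:29:21 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63508 207.71.8.87:81 L=48 S=0x00 I=24399 F=0x4000 T=127 SYN (#50)",
    "Feb 1 21:29:21 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63509 207.71.8.87:81 L=48 S=0x00 I=24655 F=0x4000 T=127 SYN (#50)",
    "Feb 1 21:29:23 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63520 207.246.138.125:81 L=48 S=0x00 I=37967 F=0x4000 T=127 SYN (#50)",
    "Feb 1 21:29:24 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63508 207.71.8.87:81 L=48 S=0x00 I=43855 F=0x4000 T=127 SYN (#50)",
    "Feb 1 21:29:25 tenchi kernel: Packet log: output REJECT eth0 PROTO=6 24.221.123.186:63530 192.0.2.10:80 L=48 S=0x00 I=50000 F=0x4000 T=127 SYN (#50)",
]

if __name__ == "__main__":
    for (dst, dport), stats in odd_port_attempts(SAMPLE).items():
        print(f"{dst}:{dport} packets={stats['packets']} attempts={stats['attempts']}")
```
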