Re: [opensuse] Intrusion attempt?




On Dec 31 2006 15:17, Hylton Conacher(ZR1HPC) wrote:
Subject: [opensuse] Intrusion attempt?

Hardly.

I have seen the following popup on my /var/log/messages and wonder what it
could be especially as my current box has the IP of 10.0.0.14:

Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT=
^^^

What we see here seems to be matching -m conntrack --ctstate INVALID.

MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=208.184.36.73
DST=10.0.0.14

As you figured out, dst=10.0.0.14 is quite unlikely to be routable from
208.184.36.73. Your ISP does not change that (heh - hopefully!)

73.36.184.208.in-addr.arpa domain name pointer 208.184.36.73.available.
Whois says:
IMR Worldwide PTY LTD MFN-N298--208-184-36-64-27 (NET-208-184-36-64-1)
208.184.36.64 - 208.184.36.95

"""IMR Worldwide Pty Ltd , an Australian-based company, has formed a new
partnership with Taylor Nelson Sofres to establish a joint venture
specialising in market research focussing on the Internet.""" So you
know who that is.

LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP SPT=80 DPT=1202

It is highly unlikely that said box targeted you. The source port is 80,
usually for HTTP, plus you've got a Pty Ltd.

WINDOW=8192
RES=0x00 ACK SYN URGP=0 OPT (020405980101080A08A2DBAD01976D81)

This however is strange. It would mean you got a spurious SYN ACK in
your connection. Which can't be, since the connection is unknown
(INVALID, see above). The option string says: maximum segment size is
0x598 (1432), and some other bits not covered by RFC 793.

All in all my conclusion is: The packet you received is valid, as part
of _you_ establishing a connection (probably visiting a webpage with
ads), however, for some __strange__ reason, the connection is INVALID.


I have seen similar strange things with iptables/netfilter recently --
established connections just went INVALID for no apparent reason, yet
they continued to be listed as ESTABLISHED in `conntrack -L`.

What you can do in the short term: post the results of `iptables-save`,
it might reveal some oddity I just stumbled over yesterday. In the long
term, upgrading to iptables 1.3.7 (suser-jengelh) might solve the
problem, all the more if iptables-save shows what I think it could show.

========================================================================
Using SuSE 9.2 Professional with KDE and Mozilla Mail 1.7.13
Linux user # 229959 at http://counter.li.org
========================================================================

I'll take notice. I don't have a repo for that, so iptables 1.3.7 only
for SUSE 10.2 (and most likely downwards compatible with 10.1 and
older).



-`J'
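To triage a dropped-packet line like the one quoted in the thread, here is an added Python example (not from the thread or from SuSEfirewall2): it splits the netfilter KEY=VALUE fields, decodes the OPT hex string by walking the TCP option list (kind 2 is MSS, kind 1 is NOP, kind 8 is timestamps), and classifies a SYN/ACK from a well-known source port to a high local port as the reply to a locally initiated connection rather than an inbound attempt. The sample line is the thread's own, re-joined onto one line; the port thresholds in `triage` are a rough heuristic I chose, not a netfilter rule.

```python
import re
# Constructed sample: the SFW2 log line quoted in the thread, re-joined.
SAMPLE = ("Dec 31 15:03:09 Spy kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= "
          "MAC=00:40:f4:cf:bc:a7:00:02:96:48:71:87:08:00 SRC=208.184.36.73 "
          "DST=10.0.0.14 LEN=56 TOS=0x00 PREC=0x00 TTL=61 ID=50579 PROTO=TCP "
          "SPT=80 DPT=1202 WINDOW=8192 RES=0x00 ACK SYN URGP=0 "
          "OPT (020405980101080A08A2DBAD01976D81)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACKOK", 8: "TS"}

def parse_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields, a flag set and OPT hex."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["flags"] = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)}
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    fields["opt"] = m.group(1) if m else ""
    return fields

def decode_tcp_options(hexstr):
    """Walk the TCP option list: kind, length, data (NOP and EOL are 1 byte)."""
    data, i, out = bytes.fromhex(hexstr), 0, {"NOP": 0}
    while i < len(data):
        kind = data[i]
        if kind == 0:                           # EOL: nothing more follows
            break
        if kind == 1:                           # NOP: single padding byte
            out["NOP"] += 1
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed TCP option at offset %d" % i)
        body = data[i + 2:i + length]
        if kind == 2:                           # MSS: one 16-bit value
            out["MSS"] = int.from_bytes(body, "big")
        elif kind == 8:                         # Timestamps: TSval, TSecr
            out["TS"] = (int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big"))
        else:                                   # anything else: keep raw hex
            out[OPTION_NAMES.get(kind, "KIND%d" % kind)] = body.hex()
        i += length
    return out

def triage(fields):
    """SYN/ACK from a low source port to a high local port: reply to a local connection."""
    flags, spt, dpt = fields["flags"], int(fields["SPT"]), int(fields["DPT"])
    if flags == {"SYN", "ACK"} and spt < 1024 and dpt >= 1024:
        return "reply-to-outbound"
    if flags == {"SYN"}:
        return "inbound-attempt"
    return "other"
```

On the thread's line this yields MSS 1432 (0x598), two NOPs and a timestamp pair, and the verdict "reply-to-outbound", which matches the conclusion above that the packet belongs to a connection the local host opened.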