[NTLUG:Discuss] Weird Messages
Kipton Moravec
kmoravec at airmail.net
Tue Jan 2 22:01:53 CST 2001
I know almost nothing about LINUX, but I have a Linux Firewall on my cable
modem doing IP Masquerading for my network of 6 machines at home.
Today on the console I saw the following messages:
Packet Log: input DENY eth0 PROTO=1 65.10.47.1:11 24.11.215.3:0 L=56 S=0xC0 I=46872 F-0x0000 T=254 (#43)
Packet Log: input DENY eth0 PROTO=1 65.10.47.1:11 24.11.215.3:0 L=56 S=0xC0 I=46882 F-0x0000 T=254 (#43)
Packet Log: input DENY eth0 PROTO=1 65.10.47.1:11 24.11.215.3:0 L=56 S=0xC0 I=46891 F-0x0000 T=254 (#43)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23 L=48 S=0x00 I=17770 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23 L=48 S=0x00 I=17858 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23 L=48 S=0x00 I=18010 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 208.242.38.202:3430 24.11.215.3:21 L=60 S=0x00 I=49089 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 208.242.38.202:3430 24.11.215.3:21 L=60 S=0x00 I=49281 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 208.242.38.202:3430 24.11.215.3:21 L=60 S=0x00 I=49696 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 213.193.182.107:4005 24.11.215.3:21 L=60 S=0x00 I=14281 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 213.193.182.107:4005 24.11.215.3:21 L=60 S=0x00 I=14698 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 207.105.159.130:21 24.11.215.3:21 L=60 S=0x00 I=39426 F=0x4000 T=110 SYN (#3)
I don't know how long they have been there, as I do not check the firewall
every day. I think I last looked at it around Saturday or Sunday. I think
I rebooted on Saturday.
I thought the messages would be logged somewhere.
I looked in /var/log/messages and did not see the messages there.
I looked in /var/log/syslog, /var/log/auth.log, and /var/log/user.log.
In /var/log/security.log the last entry is dated October 22.
In /var/log/kern.log there was only one line.
Dec 30 11:54:02 c604230-a syslog: Kernel log daemon terminating.
Now for the questions:
1. Where is the documentation on the Packet Log messages? What is
generating them, and where do I find out what they mean?
2. Where are they logged? Am I just not looking in the right place? The
firewall is Mandrake 7.0.
3. Could someone have gotten in and compromised my firewall, and tried to
erase their tracks?
4. Are these IP addresses of interest to someone? Should I report them to
someone?
5. Now what should I do next?
Kip
Kipton Moravec kip at kdream.com
DREAM
Custom Electronics Design and Manufacture
http://www.kdream.com
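An added example, not from the post or the list: a small Python parser for the ipchains-style "Packet Log" records shown above, which groups the DENY entries by source address and targeted service so repeated attempts to the same port stand out. The sample lines are re-joined from the post (the wrapped halves put back on one line); the field names in the regex are my own labels for the positions ipchains prints, and the ICMP type/code reading of the "port" slots follows how ipchains logs ICMP.

```python
import re
from collections import Counter

# Constructed sample: records from the post, re-joined onto single lines (one repeated twice).
SAMPLE_LOG = """\
Packet Log: input DENY eth0 PROTO=1 65.10.47.1:11 24.11.215.3:0 L=56 S=0xC0 I=46872 F=0x0000 T=254 (#43)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23 L=48 S=0x00 I=17770 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23 L=48 S=0x00 I=17858 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 208.242.38.202:3430 24.11.215.3:21 L=60 S=0x00 I=49089 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 207.105.159.130:21 24.11.215.3:21 L=60 S=0x00 I=39426 F=0x4000 T=110 SYN (#3)
"""

# ipchains (Linux 2.2) kernel packet-log record: L=total length, S=TOS, I=IP id,
# F=fragment word, T=TTL, optional TCP flag names, (#n)=number of the rule that matched.
PACKET_RE = re.compile(
    r"Packet [Ll]og: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_line(line):
    """Return a dict of fields for one Packet Log line, or None if the line is not one."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    rec["flags"] = rec["flags"].split()
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def describe_target(rec):
    """What the packet was aimed at; for ICMP, ipchains puts type:code in the port slots."""
    if rec["proto"] == 1:
        return f"ICMP type {rec['sport']} code {rec['dport']}"
    return f"{rec['proto_name']}/{rec['dport']}"

def denied_by_source(text):
    """Count DENY records per (source IP, target service) so repeated attempts stand out."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY":
            counts[(rec["src"], describe_target(rec))] += 1
    return dict(counts)
```

Feeding the console output (or a kern.log that actually captures it) through `denied_by_source` turns the raw records into a short table of who knocked on which port, and how often.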