[NTLUG:Discuss] Weird Messages

Steve Egbert egbert at efficient.com
Tue Jan 2 22:36:39 CST 2001


Kip,

Not at all weird.

> In /var/log/kern.log there was only one line.
> Dec 30 11:54:02 c604230-a syslog: Kernel log daemon terminating.

There is a known kprintf() format bug that causes the klogd daemon to crash
(particularly with firewalls).  Pick up another update for "syslog".


> 3. Could someone have gotten in and compromised my firewall, and tried to
> erase their tracks?

These attempts have been blocked.  However, if you're not careful, you may
fail to log successful login attempts (as denoted by IP-address:23 in the
output).  Your syslog.conf is critical to catching these successful logins.  I
suggest you Bastille your firewall.


> 4. Are these IP addresses of interest to someone?  Should I report them to
> someone?

Nope.  Since you've blocked them all, no intrusion occurred.  Nothing to
report.

> 5. Now what should I do next?

Start with http://bastille-linux.sourceforge.net/  for starters.  It is the
best starting point for a beginner to tighten up a firewall in the quickest manner.


As for how I track down this information (quickly), I use "nslookup" and type
in the IP address.  If that fails, I use
http://www.arin.net/whois/index.html to find out who owns the block.  If it
was a successful intrusion, then I send off an email to abuse@<insert-isp-name>.com
and add the offending IP address to my /etc/hosts.deny (not to mention
rebuilding and clamping down security a bit more).


> Packet Log: input DENY eth0 PROTO=1 65.10.47.1:11 24.11.215.3:0 L=56
> S=0xC0 I=46872 F=0x0000 T=254 (#43)

Three ping attempts (PROTO=1) from r1-fe2-0.plano1.tx.home.net (65.10.47.1)
failed.  (Tsk, tsk, tsk; I think this is Bart.)


> Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23
> L=48 S=0x00 I=17770 F=0x4000 T=114 SYN (#5)

Three telnet attempts (PROTO=6, TCP, :23) from
p3E9EF093.dip.t-dialin.net (62.158.240.147) failed.


> Packet Log: input DENY eth0 PROTO=6 208.242.38.202:3430 24.11.215.3:21
> L=60 S=0x00 I=49089 F=0x4000 T=110 SYN (#3)

That IP is owned by UUNET (a BIG unknown entity).


> Packet Log: input DENY eth0 PROTO=6 213.193.182.107:4005 24.11.215.3:21
> L=60 S=0x00 I=14281 F=0x4000 T=110 SYN (#3)

Two FTP attempts (PROTO=6, TCP, :21) from 213-193-182-107.adsl.easynet.be
failed.  (Stephan of Alcatel, you've been flagged!)


> Packet Log: input DENY eth0 PROTO=6 207.105.159.130:21 24.11.215.3:21 L=60
> S=0x00 I=39426 F=0x4000 T=110 SYN (#3)

One FTP attempt from
adsl-207-105-159-130.dsl.lsan03.pacbell.net (207.105.159.130) failed.
(Chris, your machine has been hacked!)

I have a mini-database of these attempts on my machine as well.  Sometimes,
with the ISP's assistance, I can send an email directly to them.
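
The triage described in the message above (read each "Packet Log" line, work
out protocol and target service per source, and pay special attention to
anything that was *not* denied), written out as a small Python script.  This
is an added example, not code from the post or from the NTLUG list.  It parses
the ipchains log format exactly as the lines quoted above show it (the trailing
"(#N)" is the number of the firewall rule that matched; for PROTO=1 the two
"port" positions carry the ICMP type and code).  The sample lines embed the
five packets quoted in the post (with the "F-0x0000" typo read as "F=0x0000")
plus three constructed lines: the kern.log "terminating" message the parser
must skip, a repeat of the telnet probe, and an ACCEPTed telnet SYN from
192.0.2.10 (a documentation address) standing in for the "successful login
attempt" the post warns about.  The service table, the follow-up port list
(21/23) and the hosts.deny threshold are my choices, not anything from the page.

```python
import re
from collections import Counter

# ipchains "Packet log" line, field order as quoted in the post.  Both
# "Packet log:" and "Packet Log:" spellings are accepted.
PACKET_RE = re.compile(
    r"Packet [Ll]og:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<len>\d+)\s+S=0x(?P<tos>[0-9A-Fa-f]+)\s+"
    r"I=(?P<id>\d+)\s+F=0x(?P<frag>[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?P<flags>(?:\s+SYN)?)\s*\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumed service names for the ports seen in the post plus a few common ones.
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http"}
# Ports where an ACCEPTed inbound SYN means "check the auth logs" (my choice).
LOGIN_PORTS = (21, 23)

# Constructed sample input: post's five lines + three made-up lines (see above).
SAMPLE_LOG = """\
Dec 30 11:54:02 c604230-a syslog: Kernel log daemon terminating.
Packet Log: input DENY eth0 PROTO=1 65.10.47.1:11 24.11.215.3:0 L=56 S=0xC0 I=46872 F=0x0000 T=254 (#43)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3419 24.11.215.3:23 L=48 S=0x00 I=17770 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 62.158.240.147:3420 24.11.215.3:23 L=48 S=0x00 I=17771 F=0x4000 T=114 SYN (#5)
Packet Log: input DENY eth0 PROTO=6 208.242.38.202:3430 24.11.215.3:21 L=60 S=0x00 I=49089 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 213.193.182.107:4005 24.11.215.3:21 L=60 S=0x00 I=14281 F=0x4000 T=110 SYN (#3)
Packet Log: input DENY eth0 PROTO=6 207.105.159.130:21 24.11.215.3:21 L=60 S=0x00 I=39426 F=0x4000 T=110 SYN (#3)
Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:1025 24.11.215.3:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
"""


def parse_packet_log(line):
    """Return a dict of the packet fields, or None if the line is not a packet log."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "ttl": int(d["ttl"]),
        "syn": "SYN" in d["flags"], "rule": int(d["rule"]),
    }


def describe(rec):
    """One-line human summary; ICMP 'ports' are reported as type/code."""
    if rec["proto"] == 1:
        target = f"ICMP type {rec['sport']} code {rec['dport']}"
    else:
        proto = PROTO_NAMES.get(rec["proto"], f"proto {rec['proto']}")
        svc = SERVICES.get(rec["dport"])
        target = f"{proto} port {rec['dport']}" + (f" ({svc})" if svc else "")
    return f"{rec['action']} {rec['src']} -> {rec['dst']} {target}"


def summarize(lines):
    """Count denied packets per (src, proto, dport) and collect accepted login SYNs."""
    counts = Counter()
    followups = []
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None:
            continue  # kern.log noise, klogd messages, anything non-packet
        if rec["action"] == "DENY":
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
        elif rec["action"] == "ACCEPT" and rec["syn"] and rec["dport"] in LOGIN_PORTS:
            followups.append(describe(rec))  # not blocked: verify in auth logs
    return counts, followups


def hosts_deny_entries(counts, threshold=2):
    """hosts.deny lines ('ALL: addr') for sources with >= threshold denied packets."""
    per_src = Counter()
    for (src, _proto, _dport), n in counts.items():
        per_src[src] += n
    return [f"ALL: {src}" for src, n in sorted(per_src.items()) if n >= threshold]


if __name__ == "__main__":
    counts, followups = summarize(SAMPLE_LOG.splitlines())
    for (src, proto, dport), n in counts.most_common():
        print(f"{n:3d} x {src} -> {PROTO_NAMES.get(proto, proto)}:{dport}")
    for f in followups:
        print("FOLLOW UP:", f)
    print("\n".join(hosts_deny_entries(counts)))
```

Two caveats worth keeping in mind when using something like this: the script
only sees what klogd managed to write, so after a "Kernel log daemon
terminating" line the packet log has a hole, not a quiet period; and
/etc/hosts.deny only affects services started through tcp_wrappers, so an
entry there is a second layer behind the firewall rule, not a replacement for
it.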


