Linux Users' Group of Davis
Page last updated: 2001 Dec 30 17:06

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Attempted access -- I think

On Wed, 13 Jun 2001, Cam Ellison wrote:

> I managed to get it into more readable format -- the text appears below
> the copied message.
> Cam
> Cam Ellison wrote:
> > 
> > I haven't had much of a firewall set up (laziness coupled with too
> > little time), but I added a few lines to ipchains the other day, mostly
> > a set that blocked 192.168.x.x from outside the network.  Lo! and
> > behold!  I get these interesting entries that suggest my system has been
> > compromised.  The attached text is from syslog, and has been repeated,
> > along with other variants, ever since I added those lines.
> > 
> > What should I do now?  There is no obvious way in which my system has
> > been affected, but I notice that these entries are using the bootp ports
> > (67 and 68), so I am quite suspicious.
> > 
> > Any ideas would be most helpful.
> > 
> > Sorry for using an attachment -- I still haven't gotten around to
> > jettisoning Netscape and using a proper mail system.  Maybe security
> > ought to come first?

Looks like it.

> > Jun 13 16:44:28 treehouse kernel: Packet log: eth-in DENY eth1
> > PROTO=17 L=328 S=0x00 I=48460
> > F=0x0000 T=128 (#1)

This is a dhcp reply (bootp). In isolation, nothing to worry about, but
when you consider the source address is private, it starts to look kind of

> > Jun 13 17:08:47 treehouse kernel: Packet log: eth-in DENY eth1
> > PROTO=17 L=44 S=0x00 I=27137
> > F=0x0000 T=128 (#1)

... and this is an odd one... broadcast to 5005...  examine the output of
"netstat -ua" to see if treehouse would have responded to this, and use 
"lsof -i :5005" to find out which process(es) is(are) handling that port.

> > Jun 13 17:41:33 treehouse kernel: Packet log: eth-in DENY eth1
> > PROTO=17 L=44 S=0x00 I=46693
> > F=0x0000 T=32 (#1)

Another odd one.  The fact that these all have different private
source addresses is also strange.

The fact that these are not directed at your ip address in particular is a
little comforting, but someone is playing strange games.

Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k

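As an added example (not part of the thread), a small Python triage script for ipchains "Packet log:" DENY lines of the kind Cam posted: it parses the fields, names the protocol, and flags the points Jeff raises (private source address on the outside interface, BOOTP ports 67/68, broadcast destination, low TTL). The sample syslog text is constructed; its addresses and ports are invented, and only the L/I/T values echo the post.

```python
import ipaddress
import re

# ipchains (Linux 2.2-era) "Packet log:" layout: chain target iface PROTO=n src:sport dst:dport
# L=len S=tos I=ipid F=frag T=ttl (#rule).  Length/id/TTL values below echo the post;
# addresses and ports are constructed for this example, not taken from Cam's log.
SAMPLE_SYSLOG = """\
Jun 13 16:44:28 treehouse kernel: Packet log: eth-in DENY eth1 PROTO=17 192.168.1.1:67 255.255.255.255:68 L=328 S=0x00 I=48460 F=0x0000 T=128 (#1)
Jun 13 17:08:47 treehouse kernel: Packet log: eth-in DENY eth1 PROTO=17 10.0.0.7:5005 255.255.255.255:5005 L=44 S=0x00 I=27137 F=0x0000 T=128 (#1)
Jun 13 17:41:33 treehouse kernel: Packet log: eth-in DENY eth1 PROTO=17 172.16.4.9:5005 255.255.255.255:5005 L=44 S=0x00 I=46693 F=0x0000 T=32 (#1)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_entry(line):
    """Parse one ipchains packet-log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        e[key] = int(e[key])
    e["proto_name"] = PROTO_NAMES.get(e["proto"], "proto%d" % e["proto"])
    return e

def triage(e):
    """Defender-side observations for one DENY entry, following the reasoning in the reply."""
    notes = []
    if ipaddress.ip_address(e["src"]).is_private:
        notes.append("private source on outside interface %s" % e["iface"])
    if e["proto"] == 17 and {e["sport"], e["dport"]} & {67, 68}:
        notes.append("BOOTP/DHCP (udp 67/68)")
    if ipaddress.ip_address(e["dst"]) == ipaddress.ip_address("255.255.255.255"):
        notes.append("broadcast, not addressed to this host")
    if e["ttl"] <= 32:
        notes.append("low TTL %d" % e["ttl"])
    return notes

def summarize(syslog_text):
    """Parse every entry and list the distinct private source addresses seen."""
    entries = [e for e in map(parse_entry, syslog_text.splitlines()) if e]
    private_sources = sorted({e["src"] for e in entries if ipaddress.ip_address(e["src"]).is_private})
    return entries, private_sources
```

Feeding a real syslog into `summarize()` and printing `triage()` for each entry gives the same "several different private sources, all broadcast" picture Jeff derives by hand above.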