Hello all, I have a Debian / Woody firewall at home and have been getting the following log reports for a few days.
-- configuration --
External interface is 206.230.232.xxx on eth1 and internal interface is 192.168.1.1 on eth0 with my DSL service. (I now know this is backwards :-) I am running up-to-date woody with snort, logcheck and portscan packages. Also pmfirewall for my firewall. Logcheck is finding this on eth0, my internal net, which is just 2 Win98 machines.

-- begin logcheck --
Security Violations
=-=-=-=-=-=-=-=-=-=
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=7424 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=7936 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=8448 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=8960 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=9472 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:44 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=9728 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.6:65535 L=32 S=0x00 I=10240 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:46 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.5:65535 L=32 S=0x00 I=10496 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.4:65535 L=32 S=0x00 I=11264 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=11520 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=11776 F=0x0000 T=1 O=0x00000494 (#39)
-- end logcheck --

I am trying to understand where the 4.0.0.3 is coming from on my eth0, and where 227.37.32.1,2,3,4,5,6 are at; again, this is all on my eth0 running 192.168.1.x networking. I have found a reference to an old trojan called BackDoor-J using port 65535, but I find no traces of this trojan on either Win98 box. I am using the current dat file of 4.x McAfee and have searched the registry for the following.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemDLL32"=SYSTEMPATCH.EXE"
Where else might these log entries be coming from on my internal net? What should I do to try to find which Win98 box is the culprit?

Thanks,
Bill CREAM "Dark Angel"
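An added example (not part of the post above) that parses the ipchains "Packet log:" lines quoted in it and triages them from a defender's view: PROTO=2 is IGMP (IANA protocol number 2), 227.0.0.0 lies inside the 224.0.0.0/4 multicast range, and a TTL of 1 is what link-local group membership messages use, so each entry is labelled as IGMP multicast membership traffic, and the source is additionally flagged because it is not inside the poster's 192.168.1.0/24 LAN. The three sample lines are copied from the post; the LAN prefix is taken from the post's configuration and is the only assumption.

```python
import ipaddress
import re

# Constructed sample: three of the ipchains "Packet log:" lines from the post, one per line.
SAMPLE_LOG = """\
Oct 31 19:48:43 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.1:65535 L=32 S=0x00 I=6912 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:44 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.2:65535 L=32 S=0x00 I=9728 F=0x0000 T=1 O=0x00000494 (#39)
Oct 31 19:48:52 reboots kernel: Packet log: input DENY eth0 PROTO=2 4.0.0.3:65535 227.37.32.3:65535 L=32 S=0x00 I=11520 F=0x0000 T=1 O=0x00000494 (#39)
"""

# Field layout of an ipchains packet log line: chain action iface PROTO= src:port dst:port
# L=length S=tos I=id F=fragment T=ttl O=options (#rule). IGMP has no ports, so the
# ":65535" values carry no meaning for these entries.
PACKET_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+) O=(?P<opts>0x[0-9a-fA-F]+) \(#(?P<rule>\d+)\)"
)

IGMP = 2  # IANA IP protocol number 2 is IGMP
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # class D; 227.x.x.x is inside it
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the poster's internal net


def parse_packet_log(line):
    """Return the fields of one ipchains 'Packet log:' line as a dict, or None."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ttl", "rule"):
        entry[key] = int(entry[key])
    return entry


def classify(entry, lan=LAN):
    """Label an entry. IGMP to a multicast group with TTL 1 is link-local group
    membership traffic; a source outside the LAN prefix is flagged separately."""
    notes = []
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    if entry["proto"] == IGMP and dst in MULTICAST and entry["ttl"] == 1:
        notes.append("igmp-multicast-membership")
    if src not in lan:
        notes.append("source-not-in-lan")
    return notes


def triage(text):
    """Parse every log line in text and return (src, dst, labels) per parsed entry."""
    entries = filter(None, map(parse_packet_log, text.splitlines()))
    return [(e["src"], e["dst"], classify(e)) for e in entries]
```

Running `triage(SAMPLE_LOG)` labels all three entries as IGMP multicast membership traffic from a source outside the LAN, which narrows the question to which internal host is configured with the 4.0.0.3 address rather than to a port-65535 trojan.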

