Eduardo, You're going to have to be a LOT more specific as far as how the network is set up topographically and from which machine this log file was taken (i.e. which machine is localhost in this log). You mentioned a Linux gateway....but you didn't mention where it is positioned in relation to your network and the Cisco router. Since I am familiar with both Linux and Cisco logging....this to me looks like someone running packet accounting on the eth0 interface of the Linux box. You need to detail how these two networks are connected....where the router is located, where the Linux Gateway is located....and what functions it currently provides.
BTW - this doesn't really look like anyone was doing anything major. DENY is the response to a rule, possibly an ipchains ruleset that wouldn't allow 192.168.2.185 access to the outside IP 213.107.153.72. Just a guess...it's late...I'm tired. If they are accusing you of accessing their network via VPN, that's most likely not the case since most VPN setups on Cisco routers use the convention of labeling the VPN network as a class A (i.e. 10.0.0.1). None of the chatter below refers to anything in that IP address range. Sounds to me like someone at the other company learned how to turn on IP accounting and is still puzzled by the logfiles that it creates. Tell them to read the fscking manual and don't worry about their accusations. It will cost them $$ bucks to prove anything....and I'm willing to bet they just don't know what they're talking about.

that's my $.02

--->> smed

On Tue, 20 Nov 2001, Eduardo Bencomo wrote:

> We are in a mixed network, which includes a Cisco router, a 3COM switch common to the two networks and a hub where the gateway/firewall Linux computer is connected.
>
> One of the networks is my company's network (192.168.X.X / 255.255.0.0. I am in charge of it) and the other network belongs to another company (10.10.X.X / 255.255.0.0). This company has a VPN. Now, they are accusing me of being a hacker, alleging we have tried to go into their VPN. As proof of that, they are showing the following type of message:
>
> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
> Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
> Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
> Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
> Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
> Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
>
> They have as many as 40 pages of this type of messages, presenting this "deny" access as the evidence that we have tried to penetrate their network.
>
> Since we are not interested in going into that VPN, nor have we tried to do it, please help me find a technical explanation for the "evidence" they have shown.
>
> Thanks.
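The thread's argument can be checked mechanically rather than by eye. The script below is an added example, not code from either poster: it parses the ipchains "Packet log:" lines quoted above (embedded here as a constructed sample, one entry per line), classifies each entry, and reports whether any of them touches the other company's 10.10.0.0/16 range that Eduardo described. The classification rules are assumptions stated in the comments: UDP to ports 137/138 with a destination ending in .255 is treated as Windows NetBIOS name/datagram broadcast chatter, and a TCP SYN from a non-RFC1918 source is treated as an inbound connection attempt from outside. Only TCP/UDP entries are parsed; ICMP entries (which print type:code instead of ports) are counted as unparsed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the ipchains "Packet log:" lines quoted in the thread,
# one entry per line (the mail client had wrapped each across two lines).
SAMPLE_LOG = """\
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
"""

# ipchains TCP/UDP log layout: chain target iface PROTO=n src:sport dst:dport
# L=len S=tos I=id F=frag T=ttl [flag words] (#rule). ICMP lines differ and
# deliberately do not match this pattern.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>\S+) I=(?P<id>\d+) F=(?P<frag>\S+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict for one TCP/UDP ipchains log entry, or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "id", "ttl", "rule"):
        e[k] = int(e[k])
    e["flags"] = e["flags"].split()  # e.g. ["SYN"] or []
    return e


def classify(e):
    """Assumed heuristic labels for what a single entry most likely represents."""
    src = ipaddress.ip_address(e["src"])
    dst_is_broadcast = e["dst"].endswith(".255")  # crude subnet-broadcast test
    if e["proto"] == 17 and e["dport"] in (137, 138) and dst_is_broadcast:
        # Windows NetBIOS name/datagram service broadcasts: normal LAN noise
        # that a firewall logs whenever its rules do not accept broadcasts.
        return "netbios_broadcast"
    if e["proto"] == 6 and "SYN" in e["flags"]:
        return "external_tcp_syn" if not src.is_private else "internal_tcp_syn"
    return "other"


def touches_network(e, net):
    """True if either endpoint of the entry lies inside the given network."""
    return any(ipaddress.ip_address(a) in net for a in (e["src"], e["dst"]))


def analyze(log_text, suspect_net="10.10.0.0/16"):
    """Summarize a log: category counts, external SYN sources, suspect-net hits."""
    net = ipaddress.ip_network(suspect_net)
    lines = [l for l in log_text.splitlines() if l.strip()]
    entries = [e for e in (parse_line(l) for l in lines) if e]
    cats = Counter(classify(e) for e in entries)
    external = sorted({e["src"] for e in entries if classify(e) == "external_tcp_syn"})
    return {
        "parsed": len(entries),
        "unparsed": len(lines) - len(entries),
        "categories": dict(cats),
        "external_syn_sources": external,
        "suspect_net_hits": sum(touches_network(e, net) for e in entries),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the quoted sample every DENY line is a NetBIOS broadcast from a 192.168.2.x host to a subnet or /16 broadcast address, the only REJECTed traffic is a TCP SYN arriving from a public address at 216.72.44.186, and nothing in the log involves the 10.10.0.0/16 range, which is the point smed makes in prose. Against a real 40-page file, running the same analysis gives a per-category breakdown that is easier to put in front of the accusing party than a stack of raw kernel messages.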
