My logs are full of this stuff. It was suggested to me that @Home is broadcasting something on their network. The source IP is different in my case but everything else is the same. If anyone knows more about this, I'd be VERY grateful to hear about it. For instance, what is port 631 used for? I'm glad to know my firewall is working, but it's a pain to have to wade through more than 1MB of log data a day. I don't mind if they want to check every hour whether I'm running an NNTP server (which they also do), but this is a bit much.

M.

On Sunday 11 February 2001 17:32, Fireman71 wrote:
> was checking my /var/log/messages file earlier and noticed some unusual
> stuff and thought i would send it out and see what you all thought....
>
> /var/log/messages #1
> Feb 11 04:03:02 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63299 F=0x0000 T=64
> (#34)
> Feb 11 04:03:33 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63304 F=0x0000 T=64
> (#34)
> Feb 11 04:04:04 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63305 F=0x0000 T=64
> (#34)
> Feb 11 04:04:35 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63312 F=0x0000 T=64
> (#34)
> Feb 11 04:05:06 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63313 F=0x0000 T=64
> (#34)
> Feb 11 04:05:37 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63318 F=0x0000 T=64
> (#34)
> Feb 11 04:06:08 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63319 F=0x0000 T=64
> (#34)
>
> <snip>this entry is repeated every 31 seconds until....
>
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=42689 F=0x0000 T=64
> (#34)
> Feb 11 11:32:51 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=42690 F=0x0000 T=64
> (#34)
> Feb 11 11:34:16 hp1 ifup-ppp: pppd started for ppp0 on /dev/modem at 115200
> Feb 11 11:34:48 hp1 pppd[9121]: Using interface ppp0
> Feb 11 11:34:48 hp1 pppd[9121]: Connect: ppp0 <--> /dev/modem
> Feb 11 11:35:03 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 192.203.230.10:53 207.144.214.27:1024 L=477 S=0x00 I=59322 F=0x4000 T=17
> (#34)
> Feb 11 11:35:04 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 204.116.57.2:53 207.144.214.27:1027 L=148 S=0x00 I=11336 F=0x0000 T=26
> (#34)
> Feb 11 11:35:07 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 192.33.4.12:53 207.144.214.27:1024 L=477 S=0x00 I=34023 F=0x4000 T=244
> (#34)
> Feb 11 11:35:09 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 206.74.254.2:53 207.144.214.27:1027 L=148 S=0x00 I=27220 F=0x4000 T=25
> (#34)
> Feb 11 11:35:11 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 198.41.0.10:53 207.144.214.27:1024 L=477 S=0x00 I=45844 F=0x0000 T=53 (#34)
> Feb 11 11:35:15 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 128.8.10.90:53 207.144.214.27:1024 L=477 S=0x00 I=10466 F=0x0000 T=56 (#34)
> Feb 11 11:35:17 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 204.116.57.2:53 207.144.214.27:1027 L=148 S=0x00 I=13973 F=0x0000 T=26
> (#34)
> Feb 11 11:35:19 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 192.5.5.241:53 207.144.214.27:1024 L=477 S=0x00 I=63027 F=0x4000 T=16 (#34)
> Feb 11 11:35:20 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 206.74.254.2:53 207.144.214.27:1027 L=148 S=0x00 I=30907 F=0x4000 T=25
> (#34)
> Feb 11 11:35:23 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 192.36.148.17:53 207.144.214.27:1024 L=477 S=0x00 I=7447 F=0x0000 T=45
> (#34)
> Feb 11 11:35:27 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 192.112.36.4:53 207.144.214.27:1024 L=477 S=0x00 I=27345 F=0x4000 T=245
> (#34)
> Feb 11 11:35:30 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 204.116.57.2:53 207.144.214.27:1027 L=148 S=0x00 I=16572 F=0x0000 T=26
> (#34)
> Feb 11 11:35:31 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 193.0.14.129:53 207.144.214.27:1024 L=477 S=0x00 I=6240 F=0x0000 T=50 (#34)
> Feb 11 11:35:35 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 128.9.0.107:53 207.144.214.27:1024 L=477 S=0x00 I=24155 F=0x4000 T=237
> (#34)
>
> <snip> i kept getting requests from a variety of ip#s until...
>
> Feb 11 13:43:09 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 198.41.0.4:53 207.144.244.100:1024 L=141 S=0x00 I=36954 F=0x0000 T=48 (#34)
> Feb 11 13:43:16 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 204.116.57.2:53 207.144.244.100:1027 L=148 S=0x00 I=20137 F=0x0000 T=26
> (#34)
> Feb 11 13:43:29 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 206.74.254.2:53 207.144.244.100:1027 L=493 S=0x00 I=37323 F=0x4000 T=25
> (#34)
> Feb 11 13:47:44 hp1 kernel: Packet log: input DENY ppp0 PROTO=6
> 63.66.204.66:2956 207.144.244.100:53 L=60 S=0x00 I=41991 F=0x4000 T=50 SYN
> (#34)
> Feb 11 17:07:55 hp1 kernel: Packet log: input DENY ppp0 PROTO=6
> 210.97.4.253:3433 207.144.244.100:98 L=60 S=0x00 I=10780 F=0x4000 T=45 SYN
> (#34)
> Feb 11 17:07:58 hp1 kernel: Packet log: input DENY ppp0 PROTO=6
> 210.97.4.253:3433 207.144.244.100:98 L=60 S=0x00 I=14182 F=0x4000 T=45 SYN
> (#34)
> Feb 11 17:55:14 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 199.90.74.52:137 207.144.244.100:137 L=78 S=0x00 I=9682 F=0x0000 T=111
> (#34)
> Feb 11 17:55:16 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 199.90.74.52:137 207.144.244.100:137 L=78 S=0x00 I=26066 F=0x0000 T=112
> (#34)
> Feb 11 17:55:17 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 199.90.74.52:137 207.144.244.100:137 L=78 S=0x00 I=29394 F=0x0000 T=112
> (#34)
> Feb 11 18:15:33 hp1 kernel: Packet log: input DENY ppp0 PROTO=6
> 128.239.101.6:4669 207.144.244.100:53 L=60 S=0x00 I=19267 F=0x4000 T=53 SYN
> (#34)
> Feb 11 18:15:36 hp1 kernel: Packet log: input DENY ppp0 PROTO=6
> 128.239.101.6:4669 207.144.244.100:53 L=60 S=0x00 I=20396 F=0x4000 T=53 SYN
> (#34)
>
>
> As the log shows this has been going on most all day. Is someone attempting
> to hack my comp or is something totally screwed up?
>
> Thanks in advance,
> Ian K. Harrell
> [EMAIL PROTECTED]

--
Michael O'Henly
TENZO Design
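
An added example, not part of either poster's message: a Python summarizer for the `Packet log:` entries quoted above, which collapses repeats such as the 31-second broadcast into one counted row per flow. The field layout is taken from the quoted entries; the `PROTO` and `SERVICE` tables (standard IP protocol numbers and IANA port names) and all function names are this example's own.

```python
import re
from collections import Counter

# Layout of a "Packet log:" entry as it appears in the message:
# chain verdict iface PROTO=n src:port dst:port L= S= I= F= T= [SYN] (#rule)
ENTRY = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=\S+ I=\d+ "
    r"F=\S+ T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}                  # IP protocol numbers
SERVICE = {53: "domain", 137: "netbios-ns", 631: "ipp"}   # IANA port names


def unwrap(text):
    """Drop mail-quote markers and re-join entries wrapped across lines."""
    return " ".join(tok for tok in text.split() if tok != ">")


def summarize(text):
    """Count logged packets per (proto, source, destination, service, SYN)."""
    counts = Counter()
    for m in ENTRY.finditer(unwrap(text)):
        dport = int(m["dport"])
        counts[(
            PROTO.get(int(m["proto"]), m["proto"]),
            m["src"],
            m["dst"],
            SERVICE.get(dport, str(dport)),   # fall back to the bare port number
            bool(m["syn"]),
        )] += 1
    return counts.most_common()


# Excerpt of the entries quoted above, kept in their wrapped, quoted form.
SAMPLE = """\
> Feb 11 04:03:02 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63299 F=0x0000 T=64
> (#34)
> Feb 11 04:03:33 hp1 kernel: Packet log: input DENY ppp0 PROTO=17
> 207.144.156.152:631 255.255.255.255:631 L=117 S=0x00 I=63304 F=0x0000 T=64
> (#34)
> Feb 11 11:34:48 hp1 pppd[9121]: Connect: ppp0 <--> /dev/modem
> Feb 11 13:47:44 hp1 kernel: Packet log: input DENY ppp0 PROTO=6
> 63.66.204.66:2956 207.144.244.100:53 L=60 S=0x00 I=41991 F=0x4000 T=50 SYN
> (#34)
"""

if __name__ == "__main__":
    for (proto, src, dst, service, syn), n in summarize(SAMPLE):
        print(f"{n:5d}  {proto:4} {src:>15} -> {dst}:{service}{' SYN' if syn else ''}")
```

Run against a full `/var/log/messages`, the output is one line per distinct flow, so the broadcast to port 631 shows up as a single row with its count.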
