I see that my machine is trying to send out mysterious packets frequently, and this is disturbing (Debian Testing, SW 4.5.5.3-1):
[33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
[34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34294.463539] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34299.455311] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=36

What do I do about this? How do I determine whether I have a rootkit or trojan?

Why in the world would someone keep sending me these, over and over:

[34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
[34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0

... and how in the world are these getting through three wifi routers in a chain to the destination machine, each with a firewall?

And finally, what is the recommended monitoring method? I see there's fwlogwatch, fail2ban, logwatch, and probably others.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
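Before reaching for fwlogwatch or logwatch, it helps to be able to read these entries yourself. The script below is an added example (editor's code, not part of the post and not Shorewall's own tooling) that parses the Shorewall/netfilter log format shown above, counts drops per peer, and attaches a heuristic label to each entry. The six sample lines are the ones quoted in the post, embedded as constructed input so the script runs offline. Two points the fields themselves establish: `IN=` empty with `OUT=wlan0` and chain `fw2net` means the packet originated on this host (the `fw` zone), so the 208.67.220.220:443/UDP traffic is something local is sending, not something arriving; and the `Invalid` chain entries are TCP segments from source port 80 with `ACK` set and no `SYN`, i.e. segments conntrack has no connection for. The `ack_without_state` label is this example's own heuristic: such segments are typically late replies to a web connection this host has already torn down, though an unsolicited ACK probe looks the same in the log, so the label is a prompt for further checking, not a verdict.

```python
import re
from collections import Counter

# Constructed sample input: the six Shorewall/netfilter entries quoted in the post above.
SAMPLE_LOG = """\
[33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
[34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34294.463539] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34299.455311] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=36
[34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
[34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
"""

# "[<uptime>] Shorewall:<chain>:<action>:<key=value ...>" as written by Shorewall's logging rules.
LINE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict of the netfilter fields in one log line, or None if it is not a Shorewall entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "chain": m.group("chain"),
           "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice: IP total length first, then the UDP/ICMP payload length.
            if key == "LEN" and "LEN" in rec:
                key = "L4_LEN"
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        elif tok == "DF":
            rec["DF"] = True
    # An empty IN= with a non-empty OUT= is a locally generated packet (Shorewall's fw zone).
    rec["direction"] = "out" if not rec.get("IN") and rec.get("OUT") else "in"
    return rec


def classify(rec):
    """Heuristic label (this example's own, not Shorewall's): 'ack_without_state' is a TCP
    segment with ACK and no SYN that conntrack had no connection for, which is what ends up
    in the Invalid chain; it is either a late reply to a connection this host already closed
    or an unsolicited ACK probe, and the log alone cannot tell the two apart."""
    if rec["direction"] == "out":
        return "outbound_drop"
    if rec.get("PROTO") == "TCP" and "ACK" in rec["flags"] and "SYN" not in rec["flags"]:
        return "ack_without_state"
    return "inbound_drop"


def summarize(lines):
    """Count DROP entries per peer, keyed (direction, chain, peer address, proto, peer port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        if rec["direction"] == "out":
            peer, port = rec.get("DST"), rec.get("DPT")
        else:
            peer, port = rec.get("SRC"), rec.get("SPT")
        counts[(rec["direction"], rec["chain"], peer, rec.get("PROTO"), port)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {key}")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(f"{rec['ts']:>13.6f}  {classify(rec):18s}  {rec.get('SRC')} -> {rec.get('DST')}")
```

Run it against `journalctl -k` or `/var/log/kern.log` output instead of the embedded sample to get the same per-peer counts for a real machine. For the outbound entries the next step is to identify the local sender: the source port (`SPT=49862`) is a local UDP socket, so `ss -unp` run while the packets are being emitted shows which process owns it, and a temporary Shorewall `ACCEPT` with logging on that destination, instead of `DROP`, lets the traffic through long enough to capture and inspect it with tcpdump.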
