On 08/15/2012 07:19 AM, [email protected] wrote:
>
> I see that my machine is trying to send out mysterious packets frequently,
> and this is disturbing (Debian Testing, SW 4.5.5.3-1):
>
> [33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
> [34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
> [34294.463539] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
> [34299.455311] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=36
>
> What do I do about this? How do I determine whether I have a rootkit or
> trojan?

Are you an OpenDNS subscriber by chance?

> Why in the world would someone keep sending me these, over and over:
>
> [34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
> [34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
>
> ... and how in the world are these getting through three wifi routers in a
> chain to the destination machine, each with a firewall?

Do yourself a favor and remove the logging specification from your
DROP(Invalid) rule. Those are probably late-arriving RSTs from connections
which have already been closed. They are nothing to worry about.

> And finally, what is the recommended monitoring method? I see there's
> fwlogwatch, fail2ban, logwatch, and probably others.

I personally use fwlogwatch.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
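Tom's two diagnoses above (outbound UDP/443 from the firewall host to an OpenDNS resolver, and late ACK/RST segments from already-closed web connections landing in the Invalid chain) can be turned into a small classifier run over the log lines the poster quoted. The script below is an added example, not code from the thread, from Shorewall or from fwlogwatch. It assumes netfilter LOG lines carrying Shorewall's `chain:disposition:` prefix; 208.67.220.220 and 208.67.222.222 are OpenDNS's public resolver addresses, and the "stale reply" heuristic (inbound ACK from a privileged source port to an ephemeral destination port, with no conntrack state) is my own rule, not something the thread states.

```python
"""Classify Shorewall (netfilter LOG) DROP messages like those quoted in the thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the six log lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
[33989.889255] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53577 DPT=443 LEN=36
[34289.470433] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34294.463539] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=53
[34299.455311] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=208.67.220.220 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49862 DPT=443 LEN=36
[34319.426452] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=69.171.228.70 DST=192.168.1.1 LEN=86 TOS=0x00 PREC=0x20 TTL=242 ID=46354 DF PROTO=TCP SPT=80 DPT=56842 WINDOW=0 RES=0x00 ACK RST URGP=0
[34472.030639] Shorewall:Invalid:DROP:IN=wlan0 OUT= MAC=30:14:2d:77:6e:e4:00:24:b2:5a:1d:5c:08:00 SRC=98.142.98.180 DST=192.168.1.1 LEN=1500 TOS=0x00 PREC=0x20 TTL=56 ID=35426 DF PROTO=TCP SPT=80 DPT=58076 WINDOW=54 RES=0x00 ACK URGP=0
"""

# OpenDNS's public resolver addresses (fact, not an assumption).
OPENDNS_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter's key=value dump.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: dict   # key=value tokens; a repeated key (LEN) keeps the last, transport-layer value
    flags: set     # bare tokens such as DF, SYN, ACK, RST


def parse_line(line):
    """Return a LogEntry for a Shorewall LOG line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))          # "IN=" yields an empty string, which is fine
    flags = {tok for tok in rest.split() if "=" not in tok}
    return LogEntry(m.group("chain"), m.group("disp"), fields, flags)


def classify(entry):
    """Label an entry with one of the explanations given in the thread (heuristics are mine)."""
    f = entry.fields
    # Traffic originating on the firewall host itself ($FW -> net) to an OpenDNS resolver on UDP/443.
    if (entry.chain == "fw2net" and f.get("PROTO") == "UDP"
            and f.get("DPT") == "443" and f.get("DST") in OPENDNS_RESOLVERS):
        return "opendns-udp443"
    # Inbound TCP that conntrack has no state for, from a server port back to an ephemeral
    # port: a late RST (or a retransmitted data segment) for a connection this host already closed.
    if (entry.chain == "Invalid" and f.get("PROTO") == "TCP"
            and "ACK" in entry.flags and f.get("IN") and not f.get("OUT")
            and int(f.get("SPT", "0")) < 1024 and int(f.get("DPT", "0")) >= 1024):
        return "stale-reply-rst" if "RST" in entry.flags else "stale-reply-data"
    return "unclassified"


def summarize(log_text):
    """Count entries per (class, SRC, DST, PROTO, DPT), the way a firewall log watcher reports them."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = entry.fields
        counts[(classify(entry), f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {key}")
```

Run against the six quoted lines it reports four `opendns-udp443` drops from 192.168.1.1 to 208.67.220.220, one `stale-reply-rst` from 69.171.228.70 and one `stale-reply-data` from 98.142.98.180; anything that does not match either pattern is left `unclassified` so it still surfaces for a human to look at. Feeding it `journalctl -k` or `/var/log/kern.log` output instead of the sample is the only change needed for real use.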
