On Tue, 10 Apr 2001, Jobst Schmalenbach wrote:
> I have the telnet port open in IPCHAINS but hosts.allow lets only a
> few connect and the rest gets "send" to hosts.deny.
>
> BUT now I saw a weird entry in my logs:
>
> Apr 10 00:21:21 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=6 203.161.231.1:1532 203.63.73.52:53 L=60 S=0x10 I=49912 F=0x4000 T=44 SYN (#33)
> Apr 10 00:21:24 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=6 203.161.231.1:1532 203.63.73.52:53 L=60 S=0x10 I=50325 F=0x4000 T=44 SYN (#33)
> Apr 10 00:38:19 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=6 163.29.17.77:1316 203.63.73.52:53 L=60 S=0x10 I=38154 F=0x4000 T=46 SYN (#33)
>
> and as you can see it's from different machines too!
What, exactly, is weird about it?
It's coming in from ports 1532 & 1316, and going to port 53.
Port 53 is DNS - which could possibly - likely even - be an attempt to
probe for a buggy version of BIND in an attempt to trojan in through it.
Which bit is worrying you?
DaZZa
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
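The reading DaZZa gives above (source ports in the ephemeral range, destination port 53, SYN only, all DENY by the same rule) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from the ipchains project: it parses ipchains "Packet log:" lines into fields, decodes the F= fragment word (DF/MF bits and offset), tallies denied TCP SYNs to port 53 per source host, and groups repeats that share a source port, since the two entries from 203.161.231.1 three seconds apart with the same port 1532 are the TCP retransmission of one connection attempt rather than two separate probes. The sample input is the three lines quoted in the post, re-joined onto single lines, plus one constructed UDP line with a TEST-NET source address; the field layout assumed by the regular expression is the one visible in those lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the three ipchains lines quoted in the post, each
# re-joined onto one line (the mailer had wrapped them), plus one constructed
# UDP line using a TEST-NET source address so the non-TCP path is exercised.
SAMPLE_LOG = """\
Apr 10 00:21:21 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=6 203.161.231.1:1532 203.63.73.52:53 L=60 S=0x10 I=49912 F=0x4000 T=44 SYN (#33)
Apr 10 00:21:24 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=6 203.161.231.1:1532 203.63.73.52:53 L=60 S=0x10 I=50325 F=0x4000 T=44 SYN (#33)
Apr 10 00:38:19 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=6 163.29.17.77:1316 203.63.73.52:53 L=60 S=0x10 I=38154 F=0x4000 T=46 SYN (#33)
Apr 10 01:02:07 piquet kernel: Packet log: ppp0-in DENY ppp0 PROTO=17 192.0.2.10:3456 203.63.73.52:53 L=64 S=0x00 I=1 F=0x0000 T=50 (#33)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Layout assumed from the lines above: chain action iface PROTO=n src:sport
# dst:dport L=length S=tos I=ipid F=fragword T=ttl [SYN] (#rule)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) "
    r"\(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Parse one ipchains log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        d[key] = int(d[key])
    d["tos"] = int(d["tos"], 16)
    frag = int(d["frag"], 16)
    # F= is the 16-bit IP flags + fragment-offset word: 0x4000 is DF (don't
    # fragment), 0x2000 is MF (more fragments), the low 13 bits are the offset.
    d["df"] = bool(frag & 0x4000)
    d["mf"] = bool(frag & 0x2000)
    d["frag_offset"] = frag & 0x1FFF
    d["proto_name"] = PROTO_NAMES.get(d["proto"], str(d["proto"]))
    d["flags"] = d["flags"].split()   # e.g. ["SYN"], or [] for non-SYN/UDP lines
    return d


def parse_log(text):
    """Parse every matching line of a log excerpt, skipping lines that do not match."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def denied_tcp53_syns(records):
    """Count denied TCP SYNs to port 53 per source host: the pattern DaZZa points at."""
    counts = defaultdict(int)
    for r in records:
        if (r["action"] == "DENY" and r["proto"] == 6
                and r["dport"] == 53 and "SYN" in r["flags"]):
            counts[r["src"]] += 1
    return dict(counts)


def connection_attempts(records):
    """Group SYNs by (src, sport, dst, dport). Repeats with the same source port a
    few seconds apart are one attempt's TCP retransmissions, not separate probes."""
    attempts = defaultdict(list)
    for r in records:
        if r["proto"] == 6 and "SYN" in r["flags"]:
            attempts[(r["src"], r["sport"], r["dst"], r["dport"])].append(r["ts"])
    return dict(attempts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n in denied_tcp53_syns(recs).items():
        print(f"{src}: {n} denied SYN(s) to tcp/53")
    for key, times in connection_attempts(recs).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} seen {len(times)}x at {', '.join(times)}")
```

Run it against a real /var/log/messages excerpt by replacing SAMPLE_LOG with the file contents; a host that runs no name server but sees many distinct sources sending TCP SYNs to port 53 is looking at scanning for DNS servers, while the same source port repeating within a few seconds is just the remote TCP stack retrying.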