On Wed, 13 Jun 2001, Cam Ellison wrote:
> I managed to get it into more readable format -- the text appears below
> the copied message.
>
> Cam
>
>
> Cam Ellison wrote:
> >
> > I haven't had much of a firewall set up (laziness coupled with too
> > little time), but I added a few lines to ipchains the other day, mostly
> > a set that blocked 192.168.x.x from outside the network. Lo! and
> > behold! I get these interesting entries that suggest my system has been
> > compromised. The attached text is from syslog, and has been repeated,
> > along with other variants, ever since I added those lines.
> >
> > What should I do now? There is no obvious way in which my system has
> > been affected, but I notice that these entries are use the bootp ports
> > (67 and 68), so I am quite suspicious.
> >
> > Any ideas would be most helpful.
> >
> > Sorry for using an attachment -- I still haven't gotten around to
> > jettisoning Netscape and using a proper mail system. Maybe security
> > ought to come first?
Looks like it.
> >
> >
> > ------------------------------------------------------------------------
> >
> > Jun 13 16:44:28 treehouse kernel: Packet log: eth-in DENY eth1
> > PROTO=17 192.168.177.11:67 255.255.255.255:68 L=328 S=0x00 I=48460
> > F=0x0000 T=128 (#1)
This is a dhcp reply (bootp). In isolation, nothing to worry about, but
when you consider the source address is private, it starts to look kind of
weird...
> > Jun 13 17:08:47 treehouse kernel: Packet log: eth-in DENY eth1
> > PROTO=17 192.168.0.1:5005 255.255.255.255:5005 L=44 S=0x00 I=27137
> > F=0x0000 T=128 (#1)
... and this is an odd one... broadcast to 5005... examine the output of
"netstat -ua" to see if treehouse would have responded to this, and use
"lsof -i :5005" to find out which process(es) is(are) handling that port.
> > Jun 13 17:41:33 treehouse kernel: Packet log: eth-in DENY eth1
> > PROTO=17 192.168.190.3:1052 255.255.255.255:38293 L=44 S=0x00 I=46693
> > F=0x0000 T=32 (#1)
Another odd one. The fact that these all have different private
source addresses is also strange.
The fact that these are not directed at your ip address in particular is a
little comforting, but someone is playing strange games.
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<[EMAIL PROTECTED]> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
