Security Basics mailing list archives
Ipchains Question / Seeking Information.
From: "Chris S" <chris () jynx net>
Date: Tue, 08 Oct 2002 14:06:19 -0400
I'm getting a good amount of these DENY's in my logs, but I'm not sure exactly what they mean. Oct 7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S
=0x00 I=17224 F=0x4000 T=64 (#2)Oct 7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S
=0x00 I=17805 F=0x4000 T=64 (#2)Oct 7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S =0x00 I=17842 F=0x4000 T=64 (#2) 216.178.84.110 Is the address binded to my webserver. To me it looks like my webserver is trying to connect to 65.56.237.226 on port 2002 (the new linux worm) I could be wrong about this, but im not sure.
I have these lines for IPChains so i dont know how or if im infected. Chain input (policy ACCEPT): target prot opt source destination portsDENY tcp ----l- anywhere anywhere any -> 2002 DENY udp ----l- anywhere anywhere any -> 2002
Chain output (policy ACCEPT): target prot opt source destination portsDENY udp ----l- anywhere anywhere any -> 2002 DENY tcp ----l- anywhere anywhere any -> 2002
I'm also up todate on Openssl.My question is, Is my webserver trying to make connections going out on these ports, or is my webserver being attacked on these ports.
Chris S. www.jynx.net chris () jynx net
Current thread:
- Ipchains Question / Seeking Information. Chris S (Oct 15)
- RE: Ipchains Question / Seeking Information. Andrew H. Turner (Oct 16)
- Re: Ipchains Question / Seeking Information. Steve Bremer (Oct 16)
- Re: Ipchains Question / Seeking Information. Devdas Bhagat (Oct 16)
- <Possible follow-ups>
- Ipchains Question / Seeking Information. Robert Larson (Oct 17)