Re: Ipchains Question / Seeking Information.

[Devdas Bhagat <dvb () users sourceforge net>]

On 08/10/02 14:06 -0400, Chris S wrote:
> I'm getting a good amount of these DENY's in my logs, but I'm not sure 
> exactly what they mean. 
>
> Oct  7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 
> 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
<snip>
The SYN bit is not set, so it looks like this is a TCP response. There
was an old post about reading ipchains logs.
I can't recall which list it was on though (this
one/bugtraq/loganalysis/firewall-wizards).

> 216.178.84.110 Is the address binded to my webserver. To me it looks like my 
> webserver is trying to connect to 65.56.237.226 on port 2002 (the new linux 
> worm) I could be wrong about this, but im not sure. 
Or maybe a simple browser expecting a response? 

> I have these lines for IPChains so i dont know how or if im infected.
> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
> DENY       tcp  ----l-  anywhere             anywhere              any ->   
> 2002
> DENY       udp  ----l-  anywhere             anywhere              any ->   
> 2002 
>
> Chain output (policy ACCEPT):
> target     prot opt     source                destination           ports
> DENY       udp  ----l-  anywhere             anywhere              any ->   
> 2002
> DENY       tcp  ----l-  anywhere             anywhere              any ->   
> 2002 
You aren't looking for connections being initiated from your box, but
all connections to port 2002/tcp. I suggest that the tcp rules be
modified to look for the initial SYN bit set too, or you upgrade to
iptables.
You are probably looking at a webserver response to a perfectly normal
query.

Devdas Bhagat