Security Basics mailing list archives
Re: Ipchains Question / Seeking Information.
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Wed, 16 Oct 2002 03:47:37 +0530
On 08/10/02 14:06 -0400, Chris S wrote:
I'm getting a good amount of these DENY's in my logs, but I'm not sure exactly what they mean.

Oct 7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
<snip>

The SYN bit is not set, so it looks like this is a TCP response. There was an old post about reading ipchains logs. I can't recall which list it was on though (this one/bugtraq/loganalysis/firewall-wizards).
216.178.84.110 is the address bound to my webserver. To me it looks like my webserver is trying to connect to 65.56.237.226 on port 2002 (the new linux worm). I could be wrong about this, but I'm not sure.
Or maybe a simple browser expecting a response?
I have these lines for IPChains so I don't know how or if I'm infected.

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ----l-  anywhere              anywhere              any ->   2002
DENY       udp  ----l-  anywhere              anywhere              any ->   2002
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       udp  ----l-  anywhere              anywhere              any ->   2002
DENY       tcp  ----l-  anywhere              anywhere              any ->   2002
You aren't looking for connections being initiated from your box, but all connections to port 2002/tcp. I suggest that the tcp rules be modified to look for the initial SYN bit set too, or you upgrade to iptables. You are probably looking at a webserver response to a perfectly normal query. Devdas Bhagat
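The distinction Devdas draws (a segment without the SYN bit is part of an existing flow, not a new connection) can be checked mechanically over the ipchains log. The following is an added example, not code from the thread: a small parser for the 2.2-kernel ipchains "Packet log:" format that flags the trailing "SYN" token, decodes the F= word as IP fragment flags (0x4000 is Don't Fragment, not a TCP flag), and classifies each entry. The sample input is constructed: the first line is the one quoted above, the other two are made up to show a real outbound SYN and a UDP hit.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the entry quoted in the thread; lines 2 and 3
# are invented to show an outbound SYN and a UDP datagram hitting the input rule.
SAMPLE_LOG = """\
Oct 7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
Oct 7 19:52:01 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:1034 65.56.237.226:2002 L=60 S=0x00 I=17301 F=0x4000 T=64 SYN (#2)
Oct 7 19:52:05 furby kernel: Packet log: input DENY eth0 PROTO=17 65.56.237.226:2002 216.178.84.110:2002 L=40 S=0x00 I=2 F=0x0000 T=48 (#1)
"""

# ipchains (2.2 kernel) log line. The trailing " SYN" token is printed only for
# TCP segments with SYN set and ACK clear. F= is the IP fragment word, not TCP flags.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?.*?\(#(?P<rule>\d+)\)"
)

IP_DF = 0x4000  # Don't Fragment bit in the IP flags/fragment-offset word


def parse_line(line: str) -> Optional[Dict]:
    """Parse one syslog line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["len"]), "ttl": int(d["ttl"]),
        "dont_fragment": bool(int(d["frag"], 16) & IP_DF),
        "syn": d["syn"] is not None,
        "rule": int(d["rule"]),
    }


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(e: Dict) -> str:
    """'connection-attempt' only when the SYN bit is logged; otherwise the
    segment belongs to a flow that was already set up."""
    if e["proto"] != 6:
        return "non-tcp"
    if e["syn"]:
        return "connection-attempt"
    return "established"


def explain(e: Dict) -> str:
    kind = classify(e)
    if kind == "connection-attempt":
        return f"{e['src']} is opening a new connection to {e['dst']}:{e['dport']}"
    if kind == "established":
        return (f"segment of an existing flow {e['src']}:{e['sport']} -> "
                f"{e['dst']}:{e['dport']} (no SYN; for source port {e['sport']} "
                f"this is a reply, not an outbound connection)")
    return f"PROTO={e['proto']} datagram {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}"


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"rule #{entry['rule']} {entry['chain']}/{entry['target']}: {explain(entry)}")
```

Run against the quoted line, the parser reports an established-flow segment leaving port 80, i.e. the web server answering a client whose ephemeral port happened to be 2002. Only the constructed second line is a genuine outbound connection attempt. The rule change Devdas suggests is the ipchains `-y` option, which restricts a TCP rule to SYN-only segments, so a DENY on output to port 2002 with `-y` would log that second line and not the first.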
Current thread:
- Ipchains Question / Seeking Information. Chris S (Oct 15)
- RE: Ipchains Question / Seeking Information. Andrew H. Turner (Oct 16)
- Re: Ipchains Question / Seeking Information. Steve Bremer (Oct 16)
- Re: Ipchains Question / Seeking Information. Devdas Bhagat (Oct 16)
- <Possible follow-ups>
- Ipchains Question / Seeking Information. Robert Larson (Oct 17)