Security Incidents mailing list archives
Odd Firewall Entries
From: v.sweeney () DEXTERUS COM (Vincent Sweeney)
Date: Fri, 21 Apr 2000 00:36:46 +0100
I have suddenly been receiving a lot of odd-looking entries, like the examples pasted below, from a total of 4 IP addresses. It's directed at a very public facing Linux server which receives all the usual port scans and attempted exploits. However this is the 1st time I've seen anything like this (repeated non-standard protocol packets sent to the same server) and was wondering if anyone has seen the like before and / or knows any more info?

Thanks,
Vince.

----
Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
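Added example, not part of the original post: a small Python parser for "Packet log" lines in the format quoted above, which counts denied packets per source for any IP protocol other than ICMP, TCP or UDP. The field meanings in the comments are taken from the ipchains documentation and are an assumption here; the function names and the fourth sample line are constructed for illustration.

```python
import re
from collections import Counter

# Assumed field meanings (ipchains log format): L=total length, S=TOS,
# I=IP id, F=fragment word, T=TTL, O=raw option words, (#n)=rule number.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<opts>(?: O=0x[0-9A-Fa-f]+)*) \(#(?P<rule>\d+)\)"
)
COMMON = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    # Keep option words as raw hex strings; they are not interpreted here.
    rec["opts"] = rec["opts"].replace("O=", "").split()
    return rec

def unusual_protocols(lines):
    """Count packets per (source, protocol) for protocols outside COMMON."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] not in COMMON:
            counts[(rec["src"], rec["proto"])] += 1
    return counts

# First three lines are the ones quoted in the post; the last is constructed.
SAMPLE = [
    "Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)",
    "Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)",
    "Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)",
    "Apr 19 12:00:00 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:40000 xxx.xxx.xxx.xxx:23 L=44 S=0x00 I=1234 F=0x0000 T=50 (#17)",
]

if __name__ == "__main__":
    for (src, proto), n in unusual_protocols(SAMPLE).most_common():
        print(f"{src} proto={proto} packets={n}")
```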
Current thread:
- Odd Firewall Entries Vincent Sweeney (Apr 20)
- Re: Odd Firewall Entries Jens Hektor (Apr 21)
- Re: Odd Firewall Entries Vincent Sweeney (Apr 24)
- <Possible follow-ups>
- Re: Odd Firewall Entries Ed Padin (Apr 24)
- Linuxconf probe Thomas Chiverton (Apr 26)
- Re: Odd Firewall Entries Eric Vyncke (Apr 26)
- traffic logging Jon Burdge (Apr 26)
- Re: traffic logging Lance Spitzner (Apr 27)
- Re: Odd Firewall Entries Robert Graham (Apr 26)
- Re: Odd Firewall Entries Ed Padin (Apr 27)