Security Basics mailing list archives

RE: Ipchains Question / Seeking Information.


From: "Andrew H. Turner" <aturner () bbn com>
Date: Tue, 15 Oct 2002 15:59:53 -0400

You might try checking this out:
http://www.cert.org/advisories/CA-2002-27.html

Looks like you have the slapper worm...

Hope this helps.

-Andrew


________________________________________
Andrew H. Turner <aturner () bbn com>
BBN Technologies, a Verizon Company
1300 N. 17th Street, Suite 1200
Arlington, Virginia 22209


-----Original Message-----
From: Chris S [mailto:chris () jynx net]
Sent: Tuesday, October 08, 2002 2:06 PM
To: security-basics () securityfocus com
Subject: Ipchains Question / Seeking Information.


I'm getting a good amount of these DENYs in my logs, but I'm not sure
exactly what they mean.

Oct  7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
Oct  7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17805 F=0x4000 T=64 (#2)
Oct  7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17842 F=0x4000 T=64 (#2)

216.178.84.110 is the address bound to my webserver. To me it looks like my
webserver is trying to connect to 65.56.237.226 on port 2002 (the new Linux
worm). I could be wrong about this, but I'm not sure.

I have these lines for IPChains, so I don't know how or if I'm infected.
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ----l-  anywhere             anywhere              any ->   2002
DENY       udp  ----l-  anywhere             anywhere              any ->   2002

Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       udp  ----l-  anywhere             anywhere              any ->   2002
DENY       tcp  ----l-  anywhere             anywhere              any ->   2002

I'm also up to date on OpenSSL.
My question is: is my webserver trying to make connections going out on
these ports, or is my webserver being attacked on these ports?

 


Chris S.
www.jynx.net
chris () jynx net
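As an added example (not part of the thread), a parser for the ipchains "Packet log:" format quoted above, with a triage helper that labels each denied packet by whether the local address was the service side (a reply from port 80) or the initiating side, which is the distinction the question turns on. The sample lines are constructed (the first two are the poster's records rejoined onto one line, the third is invented), and the local address and service ports are assumptions.

```python
import re

# Constructed sample in the ipchains "Packet log:" format from the question; the
# first two records are the poster's (rejoined onto one line), the third is invented.
SAMPLE_LOG = """\
Oct  7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
Oct  7 19:51:48 furby kernel: Packet log: output DENY eth0 PROTO=6 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17805 F=0x4000 T=64 (#2)
Oct  7 19:52:10 furby kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:2002 216.178.84.110:2002 L=60 S=0x00 I=4 F=0x0000 T=57 (#1)
"""

# Layout: chain target iface PROTO=n src:sport dst:dport L=len S=tos I=id F=frag T=ttl (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
INT_FIELDS = ("sport", "dport", "len", "ipid", "ttl", "rule")

def parse_line(line):
    """Return the packet fields as a dict, or None if the line is not a Packet log entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for f in INT_FIELDS:
        pkt[f] = int(pkt[f])
    pkt["proto"] = PROTO_NAMES.get(int(pkt["proto"]), pkt["proto"])
    # F= holds the IP flags/fragment-offset word; 0x4000 is the Don't Fragment bit.
    pkt["dont_fragment"] = bool(int(pkt["frag"], 16) & 0x4000)
    return pkt

def classify(pkt, local_ip, service_ports=(80, 443)):
    """A packet leaving local_ip from one of its service ports is a reply to a remote
    client; anything else leaving local_ip was initiated locally (assumes no local
    client binds a service port as its source port). service_ports is an assumption."""
    if pkt["src"] == local_ip:
        return "reply-from-local-service" if pkt["sport"] in service_ports else "locally-initiated"
    if pkt["dst"] == local_ip:
        return "inbound-to-local-service" if pkt["dport"] in service_ports else "inbound-other"
    return "transit"

def triage(log_text, local_ip):
    rows = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            rows.append((pkt["chain"], pkt["proto"], pkt["sport"], pkt["dport"],
                         classify(pkt, local_ip)))
    return rows
```

Run `triage(SAMPLE_LOG, "216.178.84.110")` to get one row per logged packet; the poster's records come out as replies sent from the local port 80 service.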

