Security Incidents mailing list archives
Re: strange entrys in /var/log/messages
From: chris.wilson () ESECURITYINC COM (Christopher Wilson)
Date: Wed, 12 Jan 2000 17:38:36 -0500
Hi Ben,

No attack there--someone has a client (probably diskless) attempting to initialize its networking functions using BOOTP, and the client is on the same subnet as your firewall's eth0 interface. The BOOTP requests are being *broadcast* to the entire local subnet where your firewall's eth0 interface resides (hence the 255.255.255.255 destination), which is why your firewall sees the traffic. The fact that you don't have any BOOTP servers doesn't matter from your firewall's perspective, and it is correctly blocking the traffic.

-Chris

Christopher Wilson
e-Security, Inc.
700 S. Babcock St., Suite 200
Melbourne, FL 32901
Email: chris.wilson () esecurityinc com
PGP Fingerprint: 3D85 E2DF 369F E7AA 0859 737E 2E4F 768A D600 9B25

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Ben Russell
Sent: Tuesday, January 11, 2000 9:38 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: [INCIDENTS] strange entrys in /var/log/messages

[snip]
I read /etc/services and it says that these are bootp client and server ports but I have no bootp servers anywhere.
[snip]
Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128
Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128
Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128
Dec 10 09:44:59 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3843 F=0x0000 T=128
Dec 10 09:50:05 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4099 F=0x0000 T=128
Dec 10 09:50:11 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4355 F=0x0000 T=128
Dec 10 09:50:17 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4611 F=0x0000 T=128
Dec 10 09:50:23 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4867 F=0x0000 T=128
Dec 10 09:55:29 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5123 F=0x0000 T=128
Dec 10 09:55:35 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5379 F=0x0000 T=128
Dec 10 09:55:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5635 F=0x0000 T=128
Dec 10 09:55:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5891 F=0x0000 T=128
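As an added example, not part of the original thread: a small parser for the ipchains-style "IP fw-in deny" lines quoted above that separates the benign BOOTP client broadcast (0.0.0.0:68 to 255.255.255.255:67, as Chris explains) from any other denied packet, so this noise can be triaged before the remaining denies are reviewed. The fourth sample line is constructed for illustration and is not from the post.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# ipchains kernel log format as quoted in the post: IP <chain> <action> <iface> <proto> src:port dst:port L= S= I= F= T=
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=(?P<ipid>\d+) F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)$"
)
INT_FIELDS = ("sport", "dport", "length", "ipid", "ttl")

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one firewall log line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def classify(rec: Dict[str, object]) -> str:
    """Label a denied packet. A BOOTP/DHCP client that has no address yet sends from
    0.0.0.0:68 to the limited broadcast 255.255.255.255:67, so every host on the
    subnet, the firewall included, sees it whether or not a server exists."""
    if (rec["proto"] == "UDP" and rec["src"] == "0.0.0.0" and rec["sport"] == 68
            and rec["dst"] == "255.255.255.255" and rec["dport"] == 67):
        return "bootp-broadcast"  # a local client looking for a server: benign noise
    return "other-denied"         # anything else still deserves a closer look

def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count denied packets per class, skipping lines the pattern does not match."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return dict(counts)

# Three lines from the post plus one constructed TCP deny (TEST-NET addresses, not real hosts).
SAMPLE_LINES: List[str] = [
    "Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128",
    "Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128",
    "Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128",
    "Dec 10 10:02:15 myhostname kernel: IP fw-in deny eth0 TCP 192.0.2.55:41234 192.0.2.1:80 L=60 S=0x00 I=777 F=0x4000 T=64",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))  # {'bootp-broadcast': 3, 'other-denied': 1}
```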