Security Incidents mailing list archives

Re: strange entrys in /var/log/messages


From: chris.wilson () ESECURITYINC COM (Christopher Wilson)
Date: Wed, 12 Jan 2000 17:38:36 -0500


Hi Ben,

No attack there--someone has a client (probably diskless) attempting to
initialize its networking functions using BOOTP, and the client is on the
same subnet as your firewall's eth0 interface.

The BOOTP requests are being *broadcast* to the entire local subnet where
your firewall's eth0 interface resides (hence the 255.255.255.255
destination), which is why your firewall sees the traffic.  The fact that
you don't have any BOOTP servers doesn't matter from your firewall's
perspective, and it is correctly blocking the traffic.

-Chris

Christopher Wilson
e-Security, Inc.
700 S. Babcock St., Suite 200
Melbourne, FL  32901
Email:  chris.wilson () esecurityinc com
PGP Fingerprint:
3D85 E2DF 369F E7AA 0859  737E 2E4F 768A D600 9B25

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On
Behalf Of Ben Russell
Sent: Tuesday, January 11, 2000 9:38 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: [INCIDENTS] strange entrys in /var/log/messages

[snip]

I read /etc/services and it says that these are bootp client and server
ports but I have no bootp servers anywhere.

[snip]

Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128
Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128
Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128
Dec 10 09:44:59 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3843 F=0x0000 T=128
Dec 10 09:50:05 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4099 F=0x0000 T=128
Dec 10 09:50:11 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4355 F=0x0000 T=128
Dec 10 09:50:17 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4611 F=0x0000 T=128
Dec 10 09:50:23 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4867 F=0x0000 T=128
Dec 10 09:55:29 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5123 F=0x0000 T=128
Dec 10 09:55:35 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5379 F=0x0000 T=128
Dec 10 09:55:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5635 F=0x0000 T=128
Dec 10 09:55:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5891 F=0x0000 T=128
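A small triage script for the pattern Chris describes, added here as an example; it is not code from either poster. It parses ipfwadm-style kernel deny lines like the ones quoted above, flags the UDP 0.0.0.0:68 to 255.255.255.255:67 pattern as a BOOTP/DHCP client broadcast (client and server ports and the limited-broadcast destination per RFC 951), checks that the IP length is at least 328 bytes (20-byte IP header + 8-byte UDP header + the 300-byte minimum BOOTP payload from RFC 1542), and summarises the retry bursts and IP-ID stride so you can see at a glance that this is one host retrying, not a scan. The sample log is constructed: the twelve quoted lines rejoined onto single lines, plus one made-up TCP line so the classifier has a non-matching record to reject. The comment about the 256 IP-ID stride is an inference about the sender, not something the post states.

```python
"""Triage ipfwadm/ipchains-style kernel deny lines for BOOTP client broadcasts.
Added example for this thread, not code from the original posters."""
import re
from datetime import datetime

# Constructed sample: the deny lines quoted in the post, each rejoined onto one line,
# plus one made-up TCP line (not from the post) so there is something to reject.
SAMPLE_LOG = """\
Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128
Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128
Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128
Dec 10 09:44:59 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3843 F=0x0000 T=128
Dec 10 09:50:05 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4099 F=0x0000 T=128
Dec 10 09:50:11 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4355 F=0x0000 T=128
Dec 10 09:50:17 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4611 F=0x0000 T=128
Dec 10 09:50:23 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4867 F=0x0000 T=128
Dec 10 09:55:29 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5123 F=0x0000 T=128
Dec 10 09:55:35 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5379 F=0x0000 T=128
Dec 10 09:55:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5635 F=0x0000 T=128
Dec 10 09:55:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5891 F=0x0000 T=128
Dec 10 09:46:00 myhostname kernel: IP fw-in deny eth0 TCP 192.0.2.10:4321 192.0.2.1:23 L=60 S=0x00 I=12345 F=0x4000 T=64
"""

# Field layout of the "IP fw-in deny ..." kernel line as quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP (?P<chain>fw-\S+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: (?P<extra>.*))?$"
)

# IP header (20) + UDP header (8) + RFC 1542 minimum BOOTP payload (300).
BOOTP_MIN_IP_LEN = 20 + 8 + 300


def parse_line(line):
    """Return a dict of the line's fields (ints converted), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; year 1900 is fine for computing deltas within a day
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    for key in ("sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    return rec


def is_bootp_broadcast(rec):
    """The pattern from the thread: a host with no address yet (0.0.0.0) sending from the
    BOOTP client port to the server port at the limited-broadcast address, with a
    datagram at least as large as the minimum BOOTP message."""
    return (rec["proto"] == "UDP"
            and rec["src"] == "0.0.0.0" and rec["sport"] == 68
            and rec["dst"] == "255.255.255.255" and rec["dport"] == 67
            and rec["length"] >= BOOTP_MIN_IP_LEN)


def ipid_step(recs):
    """Constant IP-ID delta between consecutive records, or None if it is not constant.
    Inference, not from the post: a constant 256 is what a counter incremented by one in
    host byte order on a little-endian host looks like on the wire, i.e. one sender."""
    ids = [r["ipid"] for r in recs]
    deltas = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def bursts(recs, gap_seconds=60):
    """Group records into retry bursts: consecutive packets closer than gap_seconds."""
    groups = []
    for r in sorted(recs, key=lambda r: r["ts"]):
        if groups and (r["ts"] - groups[-1][-1]["ts"]).total_seconds() <= gap_seconds:
            groups[-1].append(r)
        else:
            groups.append([r])
    return groups


def triage(log_text):
    """Summarise a chunk of log text: how much is BOOTP client noise and what it looks like."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    bootp = [r for r in recs if is_bootp_broadcast(r)]
    return {
        "total": len(recs),
        "bootp": len(bootp),
        "other": len(recs) - len(bootp),
        "ipid_step": ipid_step(bootp),
        "bursts": [len(b) for b in bursts(bootp)],
        "ttl": sorted({r["ttl"] for r in bootp}),
        "ifaces": sorted({r["iface"] for r in bootp}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the quoted lines this reports twelve BOOTP broadcasts in three bursts of four, all with TTL 128 and an IP-ID stride of 256, and one unrelated TCP record; that shape (short retry bursts, one ID counter, no address, broadcast destination on a single interface) is what you expect from one client trying to boot, as Chris says, rather than from anything hostile.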
