Security Incidents mailing list archives
Re: strange entrys in /var/log/messages
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 12 Jan 2000 15:36:22 -0800
I'll bet that you have a DSL/cable-modem connection to the Internet. The ISP puts your connection onto an Ethernet VLAN over an ATM backbone. The upshot is that you will see lots of broadcasts in your router logs from your "neighbors". The "bootp" in question is really DHCP (DHCP is just an extension to BOOTP), and they are probably Windows machines.

Rob.

PS: This issue is discussed in a tad bit more detail at:
http://www.robertgraham.com/pubs/firewall-seen.html#port68

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Ben Russell
Sent: Tuesday, January 11, 2000 6:38 PM
To: INCIDENTS () securityfocus com
Subject: strange entrys in /var/log/messages

Hi, I was reading my messages log today and came across these entries... the packet activity started on the 8th of December at 17:43... this first round of packets lasted about an hour... the packets seem to come in groups of four about every 5 minutes... sometimes 1 minute intervals... I read /etc/services and it says that these are bootp client and server ports but I have no bootp servers anywhere. A second round of packets started at Dec 9, 13:40 and lasted until Dec 10, 09:55... the same pattern, groups of 4 at 5 minute intervals... any feedback would be appreciated, thanx, br.
Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128
Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128
Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128
Dec 10 09:44:59 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3843 F=0x0000 T=128
Dec 10 09:50:05 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4099 F=0x0000 T=128
Dec 10 09:50:11 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4355 F=0x0000 T=128
Dec 10 09:50:17 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4611 F=0x0000 T=128
Dec 10 09:50:23 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4867 F=0x0000 T=128
Dec 10 09:55:29 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5123 F=0x0000 T=128
Dec 10 09:55:35 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5379 F=0x0000 T=128
Dec 10 09:55:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5635 F=0x0000 T=128
Dec 10 09:55:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=5891 F=0x0000 T=128
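As an added example (not part of the original post or of either poster's tooling), here is a small Python checker that parses ipchains "IP fw-in" kernel log lines of the kind quoted above, picks out the 0.0.0.0:68 -> 255.255.255.255:67 DHCP client broadcasts, and groups them into bursts, so the "groups of four every 5 minutes" pattern and the constant IP-ID stride can be read off rather than eyeballed. The sample lines, hostname and year are constructed; the 30-second burst gap is an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample in the ipchains log format, plus one unrelated denied packet.
SAMPLE_LOG = """\
Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128
Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128
Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128
Dec 10 09:44:59 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=3843 F=0x0000 T=128
Dec 10 09:50:05 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4099 F=0x0000 T=128
Dec 10 09:50:11 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=4355 F=0x0000 T=128
Dec 10 09:51:02 myhostname kernel: IP fw-in deny eth0 UDP 192.0.2.9:1030 192.0.2.7:53 L=60 S=0x00 I=77 F=0x0000 T=64
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: IP fw-in \w+ \S+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=(?P<ipid>\d+) F=\S+ T=\d+$")

def parse(line, year=1999):
    # Returns a dict for one 'IP fw-in' line, or None for any other line.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
    e.update({k: int(e[k]) for k in ("sport", "dport", "ipid")})
    return e

def is_dhcp_client_broadcast(e):
    # An unconfigured client (source 0.0.0.0) talking to the DHCP/BOOTP server port.
    return (e["proto"] == "UDP" and e["src"] == "0.0.0.0" and e["sport"] == 68
            and e["dst"] == "255.255.255.255" and e["dport"] == 67)

def summarize(log_text, burst_gap_s=30):
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    dhcp = [e for e in entries if is_dhcp_client_broadcast(e)]
    bursts = []  # consecutive packets closer than burst_gap_s form one burst
    for e in dhcp:
        if bursts and (e["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= burst_gap_s:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    strides = {b["ipid"] - a["ipid"] for a, b in zip(dhcp, dhcp[1:])}
    return {
        "total_denied": len(entries),
        "dhcp_broadcasts": len(dhcp),
        "burst_sizes": [len(b) for b in bursts],
        "gap_minutes": [round((b[0]["ts"] - a[0]["ts"]).total_seconds() / 60, 1) for a, b in zip(bursts, bursts[1:])],
        # One constant stride (256 here) points to a single host's counter, not many senders.
        "ipid_stride": strides.pop() if len(strides) == 1 else None,
    }
```

A stride that stays constant across every packet is what you would expect from one neighbouring host retrying, whereas a scan from many hosts would show unrelated IP-ID values.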