Security Incidents mailing list archives

strange entrys in /var/log/messages

From: benr () FRESHFOOD NET AU (Ben Russell)
Date: Wed, 12 Jan 2000 13:37:35 +1100


Hi,
I was reading my messages log today and came across these entrys...
the packet activity started on the 8th of december at 17:43... this first
round of packets lasted
about an hour... the packets seem to come in groups of four about every 5
minutes... sometimes 1 minute intervals..

I read /etc/services and it says that these are bootp client and server
ports but I have no bootp servers anywhere.

A second round of packets started at Dec 9, 13:40 and lasted until Dec 10,
09:55 ... the same pattern, groups of
4 at 5 minute intervals...

any feedback would be appreciated,

thanx,
br.

Dec 10 09:44:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=3075 F=0x0000 T=128
Dec 10 09:44:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=3331 F=0x0000 T=128
Dec 10 09:44:53 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=3587 F=0x0000 T=128
Dec 10 09:44:59 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=3843 F=0x0000 T=128
Dec 10 09:50:05 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=4099 F=0x0000 T=128
Dec 10 09:50:11 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=4355 F=0x0000 T=128
Dec 10 09:50:17 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=4611 F=0x0000 T=128
Dec 10 09:50:23 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=4867 F=0x0000 T=128
Dec 10 09:55:29 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=5123 F=0x0000 T=128
Dec 10 09:55:35 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=5379 F=0x0000 T=128
Dec 10 09:55:41 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=5635 F=0x0000 T=128
Dec 10 09:55:47 myhostname kernel: IP fw-in deny eth0 UDP 0.0.0.0:68
255.255.255.255:67 L=328 S=0x00 I=5891 F=0x0000 T=128

Current thread:

Large quantity of traffic from amazon.com - source_port 3000, (continued)
- - - Large quantity of traffic from amazon.com - source_port 3000 Peter Bates (Jan 13)
    - Re: Port 4 Lutz Pressler (Jan 12)
    - Re: Port 4 Vanja Hrustic (Jan 13)
    - New vulnerability (fwd) Alfred Huger (Jan 13)
    - An Embryonic Counterintelligence Tool Stephen P. Berry (Jan 14)
    - Re: An Embryonic Counterintelligence Tool Vanja Hrustic (Jan 18)
    - Maillog Suspicious flirtingboy20 (Jan 11)
    - Re: Maillog Suspicious David A. Bandel (Jan 11)
    - Re: Maillog Suspicious James Phillips (Jan 11)
    - Re: Maillog Suspicious Yiorgos Adamopoulos (Jan 11)
    - strange entrys in /var/log/messages Ben Russell (Jan 11)
    - Re: strange entrys in /var/log/messages Christopher Wilson (Jan 12)
    - Re: strange entrys in /var/log/messages Robert Graham (Jan 12)
    - Re: Maillog Suspicious Jose Nazario (Jan 11)
    - Re: Maillog Suspicious Larry W. Cashdollar (Jan 11)
    - Attempted port scans. Steve (Jan 11)
    - Re: Maillog Suspicious Khetan Gajjar (Jan 11)
    - Text file monitor? Luther Trammel (Jan 12)
    - Re: Text file monitor? James A Kennemore Jr (Jan 12)
    - Re: Maillog Suspicious Christopher Rhodes (Jan 12)
    - Re: Maillog Suspicious Christopher Rhodes (Jan 12)

(Thread continues...)