strange packets on interface...



#1
01-19-2004
AR
strange packets on interface...

Can anyone explain what this means? My IP number is totally different from
194.249.38.255. How do these packets come to my inetcard?

Wed Jan 14 12:33:27 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1322 to 194.249.38.255:39213
Wed Jan 14 12:33:28 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1323 to 194.249.38.255:39213
Wed Jan 14 12:33:29 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1324 to 194.249.38.255:39213
Wed Jan 14 12:33:29 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1325 to 194.249.38.255:39213
Wed Jan 14 12:33:31 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1326 to 194.249.38.255:39213
Wed Jan 14 12:33:32 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1327 to 194.249.38.255:39213
Wed Jan 14 12:33:32 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1328 to 194.249.38.255:39213
Wed Jan 14 12:33:34 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1329 to 194.249.38.255:39213
Wed Jan 14 12:33:34 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1330 to 194.249.38.255:39213
Wed Jan 14 12:33:34 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1331 to 194.249.38.255:39213
Wed Jan 14 12:33:37 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1332 to 194.249.38.255:39213
Wed Jan 14 12:33:37 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1333 to 194.249.38.255:39213
Wed Jan 14 12:33:37 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1334 to 194.249.38.255:39213
Wed Jan 14 12:33:39 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1335 to 194.249.38.255:39213
Wed Jan 14 12:33:39 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1336 to 194.249.38.255:39213
Wed Jan 14 12:33:41 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1337 to 194.249.38.255:39213
Wed Jan 14 12:33:42 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1338 to 194.249.38.255:39213
Wed Jan 14 12:33:42 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1339 to 194.249.38.255:39213
Wed Jan 14 12:33:44 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1340 to 194.249.38.255:39213
Wed Jan 14 12:33:44 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1341 to 194.249.38.255:39213
Wed Jan 14 12:33:44 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1342 to 194.249.38.255:39213
Wed Jan 14 12:33:47 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1343 to 194.249.38.255:39213
Wed Jan 14 12:33:47 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1344 to 194.249.38.255:39213
Wed Jan 14 12:33:47 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1345 to 194.249.38.255:39213
Wed Jan 14 12:33:49 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1346 to 194.249.38.255:39213
Wed Jan 14 12:33:49 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1347 to 194.249.38.255:39213
Wed Jan 14 12:33:50 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1348 to 194.249.38.255:39213
Wed Jan 14 12:33:52 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1349 to 194.249.38.255:39213

#2
01-19-2004
/dev/rob0
Re: strange packets on interface...

In article <pan.2004.01.19.10.07.25.786781@email.not>, AR wrote:
> Can anyone explain what this means?


Rather difficult considering that we don't know how these were logged,
and in view of the terrible formatting.

> My IP number is totally different from
> 194.249.38.255. How do these packets come to my inetcard?


Your IP at the time was this:
$ host cmb8-158.dial-up.arnes.si
cmb8-158.dial-up.arnes.si has address 194.249.38.158
DNS suggests it's a dialup node, but it's on your eth0 interface? If
it's Ethernet, 194.249.38.255 might be the broadcast address.

> Wed Jan 14 12:33:27 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1322 to 194.249.38.255:39213
> Wed Jan 14 12:33:28 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1323 to 194.249.38.255:39213
> Wed Jan 14 12:33:29 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1324 to 194.249.38.255:39213
> Wed Jan 14 12:33:29


The origin ports seem to be incrementing, whilst the destination port is
fixed. Were you doing some kind of port scan?

Oh well, enough of this for today. You can't make a post like this and
expect to get much useful information, because you gave us nothing to
work with.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
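The three things rob0 checks by hand in this reply, as an added example that is not code from the thread: a parser for the exact log format AR posted, and a summary of whether the source ports increment, whether the destination port is fixed, and whether the destination is the broadcast address of the sender's own subnet. The static hostname table stands in for the `host` lookup, and the /24 mask is an assumption (the reply only says the address "might be" a broadcast).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the exact format AR posted (first four records).
SAMPLE_LOG = """\
Wed Jan 14 12:33:27 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1322 to 194.249.38.255:39213
Wed Jan 14 12:33:28 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1323 to 194.249.38.255:39213
Wed Jan 14 12:33:29 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1324 to 194.249.38.255:39213
Wed Jan 14 12:33:29 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1325 to 194.249.38.255:39213
"""

RESOLVED = {"cmb8-158.dial-up.arnes.si": "194.249.38.158"}  # offline stand-in for `host` (assumed static table)

LINE_RE = re.compile(
    r"^(?P<ts>[^;]+); (?P<proto>\w+); (?P<iface>\w+); (?P<size>\d+) bytes; "
    r"from (?P<src>[\w.-]+):(?P<sport>\d+) to (?P<dst>[\w.-]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """One dict per record; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("size", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def to_ip(name):
    """Hostname or dotted quad -> IPv4Address; names go through the static table."""
    return ipaddress.ip_address(RESOLVED.get(name, name))

def summarize(records, prefixlen=24):
    """Reproduce the thread's three observations. Assumption: the sender sits in a /24."""
    sports = [r["sport"] for r in records]
    dports = Counter(r["dport"] for r in records)
    to_bcast = all(
        to_ip(r["dst"]) == ipaddress.ip_network(
            f"{to_ip(r['src'])}/{prefixlen}", strict=False).broadcast_address
        for r in records)
    return {
        "sport_incrementing": sports == list(range(sports[0], sports[0] + len(sports))),
        "single_dport": len(dports) == 1,
        "dport": next(iter(dports)),
        "all_to_sender_subnet_broadcast": to_bcast,
        "sizes": sorted({r["size"] for r in records}),
    }
```

A fixed destination port with a fresh source port on every packet is what one application resending through the OS's ephemeral-port allocation looks like, not a scan of the logging host; together with the subnet-broadcast destination it matches the thread's eventual explanation of broadcast traffic from a neighbouring customer on the same cable segment.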
#3
01-19-2004
AR
Re: strange packets on interface...

On Mon, 19 Jan 2004 08:41:38 -0800, /dev/rob0 wrote:

> In article <pan.2004.01.19.10.07.25.786781@email.not>, AR wrote:
>> Can anyone explain what this means?

>
> Rather difficult considering that we don't know how these were logged,
> and in view of the terrible formatting.


These packets are logged on my external interface. I'm on cable, and my IP
address starts with 82.xxx.xxx.xxx. I have nothing to do with these
packets. They are just logged.

>> My IP number is totally different from
>> 194.249.38.255. How do these packets come to my inetcard?

>
> Your IP at the time was this:
> $ host cmb8-158.dial-up.arnes.si
> cmb8-158.dial-up.arnes.si has address 194.249.38.158


NO, this is NOT my IP address.

> DNS suggests it's a dialup node, but it's on your eth0 interface? If
> it's Ethernet, 194.249.38.255 might be the broadcast address.


Yes, it's on the external Ethernet card. If 194.249.38.255 is broadcast,
why then do they end up on my inetcard, which is on a completely different
network and IP?

>
>> Wed Jan 14 12:33:27 2004; UDP; eth0; 140 bytes; from cmb8-158.dial-up.arnes.si:1322 to 194.249.38.255:39213
>> Wed Jan 14 12:33:28 2004; UDP; eth0; 852 bytes; from cmb8-158.dial-up.arnes.si:1323 to 194.249.38.255:39213
>> Wed Jan 14 12:33:29 2004; UDP; eth0; 296 bytes; from cmb8-158.dial-up.arnes.si:1324 to 194.249.38.255:39213
>> Wed Jan 14 12:33:29

>
> The origin ports seem to be incrementing, whilst the destination port is
> fixed. Were you doing some kind of port scan?


Is this some kind of DoS or something, constantly flooding my external
interface with UDP packets? Definitely they all end up on port 39213, and
the source port is incrementing, BUT the source address is on a different
network than my address and the destination address is also on a different
network... so why do they end up on my interface??? This is going on for
days... making me a little nervous...

>
> Oh well, enough of this for today. You can't make a post like this and
> expect to get much useful information, because you gave us nothing to
> work with.


#4
01-20-2004
Ben Measures
Re: strange packets on interface...

AR wrote:
| Is this some kind of DoS or something, constantly flooding my external
| interface with UDP packets? Definitely they all end up on port 39213, and
| the source port is incrementing, BUT the source address is on a different
| network than my address and the destination address is also on a different
| network... so why do they end up on my interface??? This is going on for
| days... making me a little nervous...

Quite likely it's something simple like a broken router misdirecting
packets to you. As to why it's only *from* that address I don't know.

--
Ben M.

----------------
What are Software Patents for?
To protect the small enterprise from bigger companies.

What do Software Patents do?
In their current form, they protect only companies with
big legal departments as they:
a.) Patent everything no matter how general
b.) Sue everybody. Even if the patent can be argued
invalid, small companies can ill-afford the
typical $500k cost of a law-suit (not to mention
years of harassment).

Don't let them take away your right to program
whatever you like. Make a stand on Software Patents
before it's too late.

Read about the ongoing battle at http://swpat.ffii.org/
----------------

#5
01-21-2004
P Gentry
Re: strange packets on interface...

Ben Measures <saint_abroadremove@removehotmail.com> wrote in message news:<dr%Ob.390$ff5.370@news-binary.blueyonder.co.uk>...
> AR wrote:
> | Is this some kind of DoS or something, constantly flooding my external
> | interface with UDP packets? Definitely they all end up on port 39213, and
> | the source port is incrementing, BUT the source address is on a different
> | network than my address and the destination address is also on a different
> | network... so why do they end up on my interface??? This is going on for
> | days... making me a little nervous...
>
> Quite likely it's something simple like a broken router misdirecting
> packets to you. As to why it's only *from* that address I don't know.
>
> --
> Ben M.

[snip]

It would certainly seem to be broken "routing" for sure, and the break
is not too far away. It may have started "far away", but somehow it
is propagating to you -- from your ISP! I would contact them to see
what's going on.

In the meantime, for your amusement I tried this from a quick-n-dirty
whois on the source:
http://www.whoisd.com/google-alexa.p...arnes.si&GO=GO
and somewhat more info:
http://www.whoisd.com/rootns.php?domain=arnes.si >>output below


have fun,
prg
email above disabled
#6
01-21-2004
P Gentry
Re: strange packets on interface...

Ben Measures <saint_abroadremove@removehotmail.com> wrote in message news:<dr%Ob.390$ff5.370@news-binary.blueyonder.co.uk>...
> AR wrote:
> | Is this some kind of DoS or something, constantly flooding my external
> | interface with UDP packets? Definitely they all end up on port 39213, and
> | the source port is incrementing, BUT the source address is on a different
> | network than my address and the destination address is also on a different
> | network... so why do they end up on my interface??? This is going on for
> | days... making me a little nervous...
>
> Quite likely it's something simple like a broken router misdirecting
> packets to you. As to why it's only *from* that address I don't know.
>
> --
> Ben M.
>


A PS follow-up to the previous post -- I couldn't resist.
global Google search:
"udp port 39213" << with quotes
first hit leads to:
http://cert.uni-stuttgart.de/archive.../msg00266.html
which leads to:
http://www.google.com/search?q=Sygat...UTF-8&oe=UTF-8

Could it be your next door neighbor?

fun
prg
email above disabled
#7
01-21-2004
AR
Re: strange packets on interface...

On Tue, 20 Jan 2004 20:30:16 -0800, P Gentry wrote:

Looks like my ISP also provides service for arnes.si, which is a
different organisation. This ISP is a cable operator and connects
arnes users to their network.. so we are on the same network with different IP
addresses.. ??? ;)))
Alex


> Ben Measures <saint_abroadremove@removehotmail.com> wrote in message
> news:<dr%Ob.390$ff5.370@news-binary.blueyonder.co.uk>...
>> AR wrote:
>> | Is this some kind of DoS or something, constantly flooding my external
>> | interface with UDP packets? Definitely they all end up on port 39213,
>> | and the source port is incrementing, BUT the source address is on a different
>> | network than my address and the destination address is also on a different
>> | network... so why do they end up on my interface??? This is going on for
>> | days... making me a little nervous...
>>
>> Quite likely it's something simple like a broken router misdirecting
>> packets to you. As to why it's only *from* that address I don't know.
>>
>> --
>> Ben M.

> [snip]
>
> It would certainly seem to be broken "routing" for sure, and the break
> is not too far away. It may have started "far away", but somehow it is
> propagating to you -- from your ISP! I would contact them to see what's
> going on.
>
> In the meantime, for your amusement I tried this from a quick-n-dirty
> whois on the source:
> http://www.whoisd.com/google-alexa.p...arnes.si&GO=GO and
> somewhat more info:
> http://www.whoisd.com/rootns.php?domain=arnes.si >>output below


#8
01-21-2004
P Gentry
Re: strange packets on interface...

AR <ar@e-mail.si> wrote in message news:<pan.2004.01.21.09.26.29.334926@e-mail.si>...
> On Tue, 20 Jan 2004 20:30:16 -0800, P Gentry wrote:
>
> Looks like my ISP also provides service for arnes.si, which is a
> different organisation. This ISP is a cable operator and connects
> arnes users to their network.. so we are on the same network with different IP
> addresses.. ??? ;)))
> Alex
>


That would be in accord with what I found on some of the Alexa usage
stats pages -- a few were in English. In fact, I was rather surprised
just how widespread a "presence" they have. And some of the Google
pages showed concerns/traffic similar to yours, but consensus seems to
have been that it was normal/harmless.

regards
prg
email above disabled


>
> > Ben Measures <saint_abroadremove@removehotmail.com> wrote in message
> > news:<dr%Ob.390$ff5.370@news-binary.blueyonder.co.uk>...
> >> AR wrote:
> >> | Is this some kind of DoS or something, constantly flooding my external
> >> | interface with UDP packets? Definitely they all end up on port 39213,
> >> | and the source port is incrementing, BUT the source address is on a different
> >> | network than my address and the destination address is also on a different
> >> | network... so why do they end up on my interface??? This is going on for
> >> | days... making me a little nervous...
> >>
> >> Quite likely it's something simple like a broken router misdirecting
> >> packets to you. As to why it's only *from* that address I don't know.
> >>
> >> --
> >> Ben M.

> > [snip]
> >
> > It would certainly seem to be broken "routing" for sure, and the break
> > is not too far away. It may have started "far away", but somehow it is
> > propagating to you -- from your ISP! I would contact them to see what's
> > going on.
> >
> > In the meantime, for your amusement I tried this from a quick-n-dirty
> > whois on the source:
> > http://www.whoisd.com/google-alexa.p...arnes.si&GO=GO and
> > somewhat more info:
> > http://www.whoisd.com/rootns.php?domain=arnes.si >>output below
