Can You Figure this Ou?

#1 - 02-13-2004 - Felix Tilley

Fdlix
Feb 11 20:19:48 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3 DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9720 DF PROTO=TCP SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 11 20:19:49 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3 DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9728 DF PROTO=TCP SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 11 20:56:04 localhost kernel: IN=ppp0 OUT= MAC= SRC=80.71.71.164 DST=63.191.0.122 LEN=814 TOS=0x00 PREC=0x00 TTL=109 ID=49869 PROTO=UDP SPT=1562 DPT=1026 LEN=794
Feb 11 22:24:36 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97 DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23598 DF PROTO=TCP SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 11 22:24:37 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97 DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23721 DF PROTO=TCP SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 11 22:24:38 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97 DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23775 DF PROTO=TCP SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN

#2 - 02-13-2004 - David

Felix Tilley wrote:
> Fdlix
>
> Feb 11 20:19:48 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3 DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9720 DF PROTO=TCP SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0

Possibly the DeadHat virus.
It scans three ports: 1080, 3127, 3128.
http://isc.incidents.org/port_details.html?port=1080

> Feb 11 20:56:04 localhost kernel: IN=ppp0 OUT= MAC= SRC=80.71.71.164 DST=63.191.0.122 LEN=814 TOS=0x00 PREC=0x00 TTL=109 ID=49869 PROTO=UDP SPT=1562 DPT=1026 LEN=794

UDP port 1026 (and AFAIK ports 1027, 1028 and 1029) are the
ports for Windows Messenger popup spam.
http://isc.incidents.org/port_details.html?port=1026

> Feb 11 22:24:36 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97 DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23598 DF PROTO=TCP SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0

Some info at this link has a couple of possibilities for port 17300.
http://isc.incidents.org/port_details.html?port=17300

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.24 SMP i686 (GCC) 3.3.2
Uptime: 38 days, 11:16, 2 users, load average: 1.58, 1.80, 1.5

#3 - 02-13-2004 - NeoSadist

Felix Tilley wrote:

> Fdlix
>
> Feb 11 20:19:48 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3
> DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9720 DF PROTO=TCP
> SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0


This one appears like a random communication coming towards your computer.
It's an incoming connection attempt (SYN).

> Feb 11 20:19:49 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3
> DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9728 DF PROTO=TCP
> SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0


Again, seems random to me. But you can look up the source port. IANA says
that this port is:

netrix-sftm 2328/tcp Netrix SFTM
netrix-sftm 2328/udp Netrix SFTM

> Feb 11 20:56:04 localhost kernel: IN=ppp0 OUT= MAC= SRC=80.71.71.164
> DST=63.191.0.122 LEN=814 TOS=0x00 PREC=0x00 TTL=109 ID=49869 PROTO=UDP
> SPT=1562 DPT=1026 LEN=794


This looks like incoming from someone else, but more like it's forwarded (is
this a router/firewall/gateway?). But there's no out adapter. Maybe
someone's trying to route this packet a specific way. It's UDP, so it
could be someone randomly spraying the network...

> Feb 11 22:24:36 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97
> DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23598 DF PROTO=TCP
> SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0


Again, probably random spraying, but this is a connection attempt. Are the
worms out tonight?

> Feb 11 22:24:37 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97
> DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23721 DF PROTO=TCP
> SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0


> Feb 11 22:24:38 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97
> DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23775 DF PROTO=TCP
> SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN


I've never seen this, but IANA says:

l3-hawk 2842/tcp l3-hawk
l3-hawk 2842/udp l3-hawk

Whatever the heck that is ...

--
Sex is a natural bodily process, like a stroke.

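An added example, not code from any poster in this thread: a small Python parser for the netfilter/iptables LOG format quoted above, run over four of the lines Felix posted, that counts bare SYN connection attempts per source (the pattern NeoSadist reads as scanning) and attaches David's port notes. The SAMPLE_LOG block and the PORT_NOTES text are constructed from the posts; the UDP_LEN key and the "no note in thread" fallback are this example's own naming.

```python
from collections import defaultdict

# Constructed sample: four of the netfilter log lines quoted in this thread.
SAMPLE_LOG = """\
Feb 11 20:19:48 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3 DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9720 DF PROTO=TCP SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 11 20:19:49 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.99.12.3 DST=63.191.0.122 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9728 DF PROTO=TCP SPT=2328 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 11 20:56:04 localhost kernel: IN=ppp0 OUT= MAC= SRC=80.71.71.164 DST=63.191.0.122 LEN=814 TOS=0x00 PREC=0x00 TTL=109 ID=49869 PROTO=UDP SPT=1562 DPT=1026 LEN=794
Feb 11 22:24:36 localhost kernel: IN=ppp0 OUT= MAC= SRC=81.133.145.97 DST=63.184.40.212 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=23598 DF PROTO=TCP SPT=2842 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0
"""

PORT_NOTES = {  # what reply #2 in this thread says about these destination ports
    ("TCP", 1080): "scanned by DeadHat along with 3127 and 3128 (reply #2)",
    ("UDP", 1026): "Windows Messenger popup spam (reply #2)",
    ("TCP", 17300): "several possibilities, see the ISC port page (reply #2)",
}

def parse_line(line):
    """Split one netfilter kernel log line into a dict of KEY=VALUE fields.
    Bare tokens (DF, SYN, ...) become True. An empty OUT= means the packet
    was logged in INPUT, i.e. addressed to this host rather than forwarded.
    A second LEN (the UDP payload length) is stored as UDP_LEN."""
    if "kernel:" not in line:
        return None
    fields = {"ts": line[:15]}  # syslog timestamp, e.g. "Feb 11 20:19:48"
    for tok in line.split("kernel:", 1)[1].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields["UDP_LEN" if key == "LEN" and "LEN" in fields else key] = val
        else:
            fields[tok] = True
    return fields

def is_syn_probe(fields):
    """Unsolicited connection attempt: TCP with SYN set and ACK clear."""
    return fields.get("PROTO") == "TCP" and fields.get("SYN") is True and "ACK" not in fields

def summarize(log_text):
    """Per source address: packets seen, bare SYNs, and ports hit with the thread's note."""
    summary = defaultdict(lambda: {"count": 0, "syn": 0, "ports": {}})
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        entry = summary[f["SRC"]]
        entry["count"] += 1
        entry["syn"] += is_syn_probe(f)
        port = (f["PROTO"], int(f["DPT"]))
        entry["ports"][port] = PORT_NOTES.get(port, "no note in thread")
    return dict(summary)
```

Feeding the whole of /var/log/messages through summarize() instead of SAMPLE_LOG gives one row per remote host, which makes a single source hitting one port repeatedly (as 81.99.12.3 and 81.133.145.97 do here) stand out from one-off noise.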