This is a discussion on Trojan on my Linux box???? within the Linux Security forums, part of the System Security and Security Related category.
A girl on our network has complained to our IT admin. that her computer
has been getting probed by my computer (according to Norton's program). I've been able to figure out that it only happens when I play America's Army. My log files look like this ... Note, I'm set up as DHCP so my IP is probably different now....

May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=86 DF PROTO=UDP SPT=33029 DPT=7864 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=87 DF PROTO=UDP SPT=33029 DPT=7865 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=88 DF PROTO=UDP SPT=33029 DPT=7866 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=89 DF PROTO=UDP SPT=33029 DPT=7867 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=90 DF PROTO=UDP SPT=33029 DPT=7868 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=91 DF PROTO=UDP SPT=33029 DPT=7869 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=92 DF PROTO=UDP SPT=33029 DPT=7870 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=93 DF PROTO=UDP SPT=33029 DPT=7871 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=94 DF PROTO=UDP SPT=33029 DPT=7872 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=95 DF PROTO=UDP SPT=33029 DPT=7873 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=96 DF PROTO=UDP SPT=33029 DPT=7874 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=97 DF PROTO=UDP SPT=33029 DPT=7875 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=98 DF PROTO=UDP SPT=33029 DPT=7876 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=99 DF PROTO=UDP SPT=33029 DPT=7877 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=UDP SPT=33029 DPT=7878 LEN=18
May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=858 DF PROTO=UDP SPT=9778 DPT=8777 LEN=14
May 22 16:20:57 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=519 DF PROTO=UDP SPT=9777 DPT=8777 LEN=14

Can you tell me if this is serious or not? I have shorewall set up and also have snort running but I really don't know what the heck I'm doing with either :-). Please try to explain as if you are talking to your grandmother as IT gibberish doesn't mean too much to me :-)

On Mon, 24 May 2004 14:14:36 -0500, nino wrote:

> A girl on our network has complained to our IT admin. that her computer
> has been getting probed by my computer (according to Norton's program).
> I've been able to figure out that it only happens when I play
> America's Army. My log files look like this ... Note, I'm set up as DHCP
> so my IP is probably different now....

<snip logs>

> Can you tell me if this is serious or not? I have shorewall set up and
> also have snort running but I really don't know what the heck I'm doing
> with either :-). Please try to explain as if you are talking to your
> grandmother as IT gibberish doesn't mean too much to me :-)

It's AA looking for servers on the LAN. If the girl's firewall is complaining about this, it's broken. The queries are being sent (correctly) to the network's broadcast address.

There are a few possible solutions to pursue.

1) Educate the girl in the correct usage of her firewall.
2) Don't play AA.
3) Disable the LAN query stuff in AA (not sure if it's possible).

-- 
-Geoff

On 2004-05-24, Geoffrey King <gking@evildomain.dyndns.org> wrote:

> On Mon, 24 May 2004 14:14:36 -0500, nino wrote:
>
>> A girl on our network has complained to our IT admin. that her computer
>> has been getting probed by my computer (according to Norton's program).
>> I've been able to figure out that it only happens when I play
>> America's Army. My log files look like this ... Note, I'm set up as DHCP
>> so my IP is probably different now....
>
> <snip logs>
>
>> Can you tell me if this is serious or not? I have shorewall set up and
>> also have snort running but I really don't know what the heck I'm doing
>> with either :-). Please try to explain as if you are talking to your
>> grandmother as IT gibberish doesn't mean too much to me :-)

Version 2.00 ;)

> It's AA looking for servers on the LAN. If the girl's firewall is
> complaining about this, it's broken. The queries are being sent (correctly)
> to the network's broadcast address.
> There are a few possible solutions to pursue:

1) Begin dating the girl. You will forget all about fw logs...
2) Use PS2 for all your gaming needs.
3) Reinstall Windows. It probes other computers in so many ways that one more port won't be noticeable anyway.

-- 
[jayjwa]======[SkyNet.cz]SystemsMutex===VxL@Atr2====
Your computer is called a *machine*, not a *box*. A *box* is a term for computers reserved for the likes of programmers, hackers, and developers.

"nino" <nino@_DeLeTeMe_purdue.edu> wrote in message
news:c8thib$je1$1@mozo.cc.purdue.edu

> A girl on our network has complained to our IT admin. that her
> computer has been getting probed by my computer (according to
> Norton's program). I've been able to figure out that it only
> happens when I play America's Army. My log files look like this ...
> Note, I'm set up as DHCP so my IP is probably different now....
>
> May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC= SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00

DST (Destination) = 255.255.255.255 means that *every* machine on your LAN is getting "probed".

If your "IT admin." can't see that, then you have some real problems brewing. The fact that you're playing games at work is just another ingredient.

-- 
use hotmail for email replies

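Geoff's reply and ynotssor's reply make the same technical point from the log fields: DST=255.255.255.255 is the limited broadcast address, so every host on the segment receives each datagram and no single machine is being singled out, and the Shorewall prefix "net2all:DROP" names the policy chain that dropped it. The script below is an added example for this thread, not code posted by anyone in it. It parses the netfilter key=value format, groups dropped packets by source/destination pair, labels each flow broadcast or unicast, and collapses destination ports into contiguous runs so the 7864..7878 sweep in nino's log reads as one run rather than 15 separate "probes". The LAN prefix 192.168.1.0/24 is an assumption inferred from the 192.168.1.2 source address; the 15 sequential entries are regenerated from the posted lines (IDs 86..100, DPT 7864..7878), the two port-8777 entries are copied from the post, and the single TCP SYN to 192.168.1.7 is constructed for contrast.

```python
"""Triage Shorewall/netfilter DROP lines: LAN broadcast discovery vs a probe aimed at one host.
Added example for this thread, not code from any poster.  The only assumption beyond the
posted log is the LAN prefix (ASSUMED_LAN); everything else is read from the log fields."""
import ipaddress
import re
from collections import defaultdict

# Shorewall's prefix is "<pkg>:<chain>:<disposition>:" followed by the kernel's key=value
# dump.  The syslog time "16:20:54 localhost" never matches: its third field is followed
# by a space, not a colon.
_PREFIX = re.compile(r"(?P<pkg>\w+):(?P<chain>\w+):(?P<action>\w+):(?P<body>.*)$")
_KV = re.compile(r"(\w+)=(\S*)")

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ASSUMED_LAN = "192.168.1.0/24"  # assumption: inferred from SRC=192.168.1.2, not stated in the thread


def parse_line(line):
    """Return {chain, action, IN, OUT, SRC, DST, PROTO, SPT, DPT, ...} for a netfilter log
    line, or None for any other syslog line.  Flag tokens ("DF", "SYN") carry no '=' and
    are skipped; the second LEN (L4 header) is stored as L4LEN so it does not clobber the
    IP total length."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in _KV.findall(m.group("body")):
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"
        rec.setdefault(key, value)
    for port in ("SPT", "DPT"):  # ICMP entries carry no ports; leave them None
        rec[port] = int(rec[port]) if rec.get(port, "").isdigit() else None
    return rec


def is_broadcast(dst, lan_cidr):
    """True for the limited broadcast (255.255.255.255) or the LAN's directed broadcast
    (192.168.1.255 for the assumed /24)."""
    addr = ipaddress.IPv4Address(dst)
    return addr == LIMITED_BROADCAST or addr == ipaddress.IPv4Network(lan_cidr).broadcast_address


def port_runs(ports):
    """Collapse a sorted list of ports into contiguous (lo, hi) runs, so a sequential
    sweep like 7864..7878 reads as one run instead of 15 entries."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def summarise(lines, lan_cidr=ASSUMED_LAN):
    """Group DROP entries by (SRC, DST) and label each flow 'broadcast' (every host on the
    segment sees it, nobody is singled out) or 'unicast' (aimed at one host)."""
    flows = defaultdict(lambda: {"count": 0, "dports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec.get("PROTO") not in ("UDP", "TCP"):
            continue
        flow = flows[(rec["SRC"], rec["DST"])]
        flow["count"] += 1
        if rec["DPT"] is not None:
            flow["dports"].add(rec["DPT"])
    return {
        key: {
            "count": f["count"],
            "kind": "broadcast" if is_broadcast(key[1], lan_cidr) else "unicast",
            "dport_runs": port_runs(sorted(f["dports"])),
        }
        for key, f in flows.items()
    }


# Sample input.  The 15 sequential entries regenerate the lines nino posted (IDs 86..100,
# DPT 7864..7878, other fields identical); the two 8777 entries are copied from the post.
_POSTED = ("May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= "
           "SRC=192.168.1.2 DST=255.255.255.255 LEN=38 TOS=0x00 PREC=0x00 TTL=64 "
           "ID={id} DF PROTO=UDP SPT=33029 DPT={dpt} LEN=18")
SAMPLE_LOG = [_POSTED.format(id=86 + i, dpt=7864 + i) for i in range(15)] + [
    "May 22 16:20:54 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 "
    "DST=255.255.255.255 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=858 DF PROTO=UDP SPT=9778 DPT=8777 LEN=14",
    "May 22 16:20:57 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.1.2 "
    "DST=255.255.255.255 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=519 DF PROTO=UDP SPT=9777 DPT=8777 LEN=14",
]
# Constructed contrast case, NOT from the thread: a TCP SYN to one host's port 135 in the
# same log format.  This is the shape a genuine host-targeted probe would have.
UNICAST_PROBE = ("May 22 16:21:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= "
                 "SRC=192.168.1.2 DST=192.168.1.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
                 "ID=901 DF PROTO=TCP SPT=40213 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    for (src, dst), info in summarise(SAMPLE_LOG + [UNICAST_PROBE]).items():
        print(f"{src} -> {dst}: {info['kind']}, {info['count']} packets, ports {info['dport_runs']}")
```

Run as a script it prints two flows: the posted traffic is one broadcast flow of 17 UDP datagrams with port runs (7864, 7878) and (8777, 8777), while the constructed line is a unicast flow to one host on one port. A desktop firewall that reports the first shape as a probe of "her" machine is attributing segment-wide traffic to a single target; the second shape is the one that would merit a complaint to the admin.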
On Mon, 24 May 2004 14:14:36 -0500, nino wrote:

> A girl on our network has complained to our IT admin. that her computer
> has been getting probed by my computer (according to Norton's program).
> I've been able to figure out that it only happens when I play
> America's Army. My log files look like this ...

If you're on DHCP, how does she know it's YOUR computer?!? Is it because the probing only happens when everyone has turned off their computers & gone home, except you? :-)

Julia Thorne <rimbaldi@nospam.tld> writes:

> On Mon, 24 May 2004 14:14:36 -0500, nino wrote:
>
>> A girl on our network has complained to our IT admin. that her computer
>> has been getting probed by my computer (according to Norton's program).
>> I've been able to figure out that it only happens when I play
>> America's Army. My log files look like this ...
>
> If you're on DHCP, how does she know it's YOUR computer?!?

DNS or NetBIOS, take your pick?

~Tim
-- 
09:31:19 up 174 days, 11:50, 2 users, load average: 0.00, 0.02, 0.01
piglet@stirfried.vegetable.org.uk |Newton and Adam, lost and found,
http://spodzone.org.uk/cesspit/ |The apple must fall to the ground

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-05-25, ynotssor <ynotssor@example.net> wrote:

> The fact that you're playing games at work is just another
> ingredient.

Maybe he's not at work but in a college dormitory.

- --keith
- -- 
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAs3DohVcNCxZ5ID8RAnbwAJ0f6wCA3kwEVyPx2EUttx+LGKb5TgCgitXm
qz2370hUkYHaoqeDi7kl/Vs=
=H2Rh
-----END PGP SIGNATURE-----

> 1) Educate the girl in the correct usage of her firewall.

No way, this girl bites w/ big teeth.

> 2) Don't play AA.

Surely, you are kidding.

> 3) Disable the LAN query stuff in AA (not sure if it's possible).

I'll look into it but I haven't found it yet.

> DST (Destination) = 255.255.255.255 means that *every* machine on your LAN
> is getting "probed".
>
> If your "IT admin." can't see that, then you have some real problems
> brewing. The fact that you're playing games at work is just another
> ingredient.

Well, I'm still a grad student so the line between work/play is blurry :-)