LinuxQuestions.org
Old 02-07-2007, 04:00 AM   #1
kinetik
Member
 
Frightening DMESG messages


Hi All


The following was seen when checking dmesg:


Quote:
TCP: Treason uncloaked! Peer x.x.x.x:30029/80 shrinks window 3496553626:3496561231. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:30029/80 shrinks window 3496619161:3496626091. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:30029/80 shrinks window 3496619161:3496626091. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:13203/80 shrinks window 3860736887:3860737592. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1948/80 shrinks window 2905370866:2905383890. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1639/80 shrinks window 4084714079:4084727947. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1650/80 shrinks window 4078569114:4078583374. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1653/80 shrinks window 4084497852:4084510920. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:4172/80 shrinks window 426375060:426388996. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:4172/80 shrinks window 426375060:426388996. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1121/80 shrinks window 2722953125:2722955665. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:60337/80 shrinks window 826275972:826280817. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:3216/80 shrinks window 835810222:835824308. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:3216/80 shrinks window 835810222:835824308. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:59766/80 shrinks window 820473490:820477335. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:59766/80 shrinks window 820473490:820477335. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:8674/80 shrinks window 828135258:828140778. Repaired.
TCP: drop open request from x.x.x.x/1882
TCP: drop open request from x.x.x.x/1883
TCP: drop open request from x.x.x.x/1886
TCP: drop open request from x.x.x.x/1887
TCP: drop open request from x.x.x.x/1890
TCP: drop open request from x.x.x.x/1891
TCP: drop open request from x.x.x.x/1894
TCP: drop open request from x.x.x.x/1895
TCP: drop open request from x.x.x.x/1898
TCP: drop open request from x.x.x.x/1899
NET: 85 messages suppressed.
TCP: drop open request from x.x.x.x/39241
NET: 8 messages suppressed.
TCP: Treason uncloaked! Peer x.x.x.x:34191/80 shrinks window 4118869649:4118875874. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:13270/80 shrinks window 2545883167:2545886173. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1814/80 shrinks window 4127867883:4127875739. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1814/80 shrinks window 4127867883:4127875739. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:60991/80 shrinks window 1303978017:1303980482. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:60991/80 shrinks window 1303978017:1303980482. Repaired.
TCP: drop open request from x.x.x.x/4412
TCP: drop open request from x.x.x.x/4415
TCP: drop open request from x.x.x.x/4417
TCP: drop open request from x.x.x.x/4418
TCP: drop open request from x.x.x.x/4421
TCP: drop open request from x.x.x.x/4422
TCP: drop open request from x.x.x.x/4425
TCP: drop open request from x.x.x.x/4426
TCP: drop open request from x.x.x.x/4429
TCP: drop open request from x.x.x.x/4433
NET: 55 messages suppressed.
TCP: drop open request from x.x.x.x/33110
NET: 46 messages suppressed.
TCP: drop open request from x.x.x.x/29187
NET: 46 messages suppressed.
TCP: drop open request from x.x.x.x/3005
NET: 13 messages suppressed.
TCP: Treason uncloaked! Peer x.x.x.x:52821/80 shrinks window 3248892447:3248900991. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:52821/80 shrinks window 3248892447:3248900991. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:27436/80 shrinks window 340622942:340625702. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:10785/80 shrinks window 1225101140:1225104605. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:17001/80 shrinks window 421449252:421451132. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:17001/80 shrinks window 421449252:421451132. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:17001/80 shrinks window 421449252:421451132. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:2535/80 shrinks window 2498958095:2498965395. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:2535/80 shrinks window 2498958095:2498965395. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1379/80 shrinks window 602318426:602322100. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:1495/80 shrinks window 718119794:718133767. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:26016/80 shrinks window 3662228774:3662232239. Repaired.
TCP: Treason uncloaked! Peer x.x.x.x:60616/80 shrinks window 2083041462:2083057382. Repaired.
TCP: drop open request from x.x.x.x/2244
TCP: drop open request from x.x.x.x/2245
Has someone tried to compromise my system's security? Please help, paranoia is starting to get a strangle-hold on me...
 
Old 02-07-2007, 04:54 AM   #2
SciYro
Senior Member
 
not sure, but what does the command
Code:
iptables --list|grep Treason
say? (needs to be run as root)
 
Old 02-07-2007, 05:30 AM   #3
kinetik
Member
 
Original Poster
Quote:
Originally Posted by SciYro
not sure, but what does the command
Code:
iptables --list|grep Treason
say? (needs to be run as root)

Hi SciYro, thanks for the reply. The box isn't set up with any firewall (it sits behind a firewall though), so no results.
 
Old 02-07-2007, 05:36 AM   #4
RomKnight
LQ Newbie
 
http://www.redhatmagazine.com/2007/0...y-system-logs/

Read it all, take your conclusions. It came out a few days ago.
 
Old 02-07-2007, 05:38 AM   #5
druuna
LQ Veteran
 
Hi,

Take a look here:

LQ thread

In (very) short: Somebody is spoofing an IP.

Do google this problem, there's a lot of info about this message.
 
Old 02-07-2007, 06:06 AM   #6
kinetik
Member
 
Original Poster
Thanks all


I'll go through the links provided, thanks for the help everyone


EDIT:

OK, went through the links; it seems that according to RedHat these are benign and simply informative messages.
Almost all other sources say this indicates malicious behavior on the remote end...

Personally I'm leaning to malicious behavior as a certain daemon on my box bombed out multiple times as a result.

Thanks again all!

Last edited by kinetik; 02-07-2007 at 06:15 AM.
 
Old 02-07-2007, 06:40 AM   #7
unSpawn
Moderator
 
My take on this http://www.linuxquestions.org/questi...501#post306501. First note the kernel adjusts since it says "repaired", also note the shown window size doesn't slide to zero, so I'd go for buggy remote first.


Quote:
Personally I'm leaning to malicious behavior as a certain daemon on my box bombed out multiple times as a result.
If this keeps occurring: is the source a single IP or a range?
Running an IDS like Snort or Prelude should catch any exploits.
Running P0f should give you a fix on the remote OS.
Else try blocking with either mod_security or iptables.
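As an added example (not from the thread or any of its participants), a small parser that turns the two kinds of dmesg lines posted above into the per-source view unSpawn asks for: how many distinct remote addresses are involved, how much unacknowledged data each stalled peer was holding, how many SYNs the listener dropped per source, and how many lines the kernel's rate limiter hid. The addresses in the embedded sample are constructed (RFC 5737 documentation ranges) in place of the thread's redacted x.x.x.x; the message formats are those of the 2.6-era kernel.

```python
import re
from collections import Counter

# Constructed sample: the thread's dmesg lines with the redacted x.x.x.x
# replaced by RFC 5737 documentation addresses so the script runs offline.
SAMPLE = """\
TCP: Treason uncloaked! Peer 198.51.100.7:30029/80 shrinks window 3496553626:3496561231. Repaired.
TCP: Treason uncloaked! Peer 198.51.100.7:30029/80 shrinks window 3496619161:3496626091. Repaired.
TCP: Treason uncloaked! Peer 203.0.113.9:13203/80 shrinks window 3860736887:3860737592. Repaired.
TCP: drop open request from 192.0.2.44/1882
TCP: drop open request from 192.0.2.44/1883
NET: 85 messages suppressed.
TCP: drop open request from 192.0.2.45/39241
"""

# 'Treason uncloaked' is printed by the retransmit timer when a peer that still
# owes ACKs has advertised a zero window; the two numbers are snd_una:snd_nxt.
TREASON = re.compile(r"Treason uncloaked! Peer ([\d.]+):(\d+)/(\d+) shrinks window (\d+):(\d+)")
# 'drop open request' is the listener refusing a SYN because its SYN backlog is
# nearly full and syncookies are off (net.ipv4.tcp_syncookies = 0).
DROP = re.compile(r"drop open request from ([\d.]+)/(\d+)")
SUPPRESSED = re.compile(r"NET: (\d+) messages suppressed")


def summarize(text):
    """Per-source view: which peers stalled and on how much unacknowledged
    data, which sources had SYNs dropped, and how many lines the kernel
    rate limiter hid (so every visible count is only a lower bound)."""
    stalls, drops, suppressed = {}, Counter(), 0
    for line in text.splitlines():
        if m := TREASON.search(line):
            ip, _peer_port, _local_port, una, nxt = m.groups()
            outstanding = (int(nxt) - int(una)) % 2**32  # sequence-space subtraction
            stalls.setdefault(ip, []).append(outstanding)
        elif m := DROP.search(line):
            drops[m.group(1)] += 1
        elif m := SUPPRESSED.search(line):
            suppressed += int(m.group(1))
    return {
        # largest amount of data a peer left unacknowledged while stalled
        "stalled_peers": {ip: max(v) for ip, v in stalls.items()},
        "syn_drops": dict(drops),
        "suppressed": suppressed,
        # unSpawn's question: a single source or many?
        "distinct_sources": len(set(stalls) | set(drops)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the real dmesg output with `dmesg | python3 treason_summary.py` style plumbing (reading stdin instead of SAMPLE) to see whether the stalls cluster on one address or spread across many.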
 
Old 02-07-2007, 07:02 AM   #8
kinetik
Member
 
Original Poster
Quote:
Originally Posted by unSpawn
My take on this http://www.linuxquestions.org/questi...501#post306501. First note the kernel adjusts since it says "repaired", also note the shown window size doesn't slide to zero, so I'd go for buggy remote first.


Personally I'm leaning to malicious behavior as a certain daemon on my box bombed out multiple times as a result.
If this keeps occurring: is the source a single IP or a range?
Running an IDS like Snort or Prelude should catch any exploits.
Running P0f should give you a fix on the remote OS.
Else try blocking with either mod_security or iptables.

Sounds like excellent advice (as usual), thanks unSpawn. Much appreciated

I'll update as soon as I've made any progress.
 
Old 02-07-2007, 07:39 AM   #9
unSpawn
Moderator
 
NP. Forgot to say: if you determine this is a one-off situation and you won't install or can't run Snort or P0f on the server, it should be no problem as long as you can run tcpdump (you don't need promisc mode; do use a BPF filter and do watch the file size) and make it write to a file. Then you can read the dump on another station where Snort and P0f are installed.
 
  

