LinuxQuestions.org
Old 05-18-2007, 06:01 PM   #1
Drfarfrompuken
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Rep: Reputation: 0
Has my system been compromised?


Hey

I was wondering if anybody here could offer me any advice.

At home I have a Clark Connect Linux file-server running Slimserver, managed through ssh. This is connected to the internet through an ageing SMC Barricade 7004ABR router. While recently changing some settings on my router the following entries in the log caught my eye.

2007/05/07 06:05:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:07:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:09:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:11:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:13:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346

The internal is my server IP and the **.**.***.*** is my actual external IP, I don't wish to display it in case this is something to be worried about.

So my next question is this, is it something to be worried about?

Although I have configured the box I am not very up on hardening a Linux Box to limit it to just the access I need.

If it is something to be concerned about I would be grateful for any help on how to deal with it, or at least discover what is causing it.

Thank you for any help

Mike
 
Old 05-18-2007, 06:08 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

I think it's just NAT, and therefore nothing to worry about.

What do you get from 'netstat -pantu | grep 48527' as root (assuming 48527 is still the port number on the localhost, as it is above)?

Dave

Last edited by ilikejam; 05-18-2007 at 06:09 PM.
 
Old 05-18-2007, 06:53 PM   #3
Drfarfrompuken
LQ Newbie
 
Registered: Aug 2005
Posts: 10

Original Poster
Rep: Reputation: 0
Dave

Thank you for the quick reply. Nothing appears when I type 'netstat -pantu | grep 48527'. No reason for the port number to have changed, because I haven't touched anything.

If it is just NAT that's a relief, but as it is the first time I have noticed it I just thought I would check.

So you don't think there is anything to worry about?
 
Old 05-18-2007, 06:58 PM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

The port number may well have changed (high port numbers like that are generally random, used for outgoing connections).
If you're worried about it, then go back into the router and find the port number, then run the command above with that number.

I still think it's just NAT, though.

Dave
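
The check suggested in posts #2 and #4, as an added example that is not part of the original thread: it pulls the source port and repeat interval out of the router log lines from post #1, then matches that port against the local-address column of netstat output only, since a plain grep for the number would also match a PID. The netstat text, its PIDs and its program names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The five router log lines from post #1, copied as posted (WAN address masked).
ROUTER_LOG = """\
2007/05/07 06:05:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:07:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:09:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:11:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
2007/05/07 06:13:07 ** IP Spoofing ** <IP/UDP> 192.168.2.2:48527 ->> **.**.***.***:6346
"""
# Constructed `netstat -pantu` output; PIDs and program names are made up.
NETSTAT_OUT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN   2101/sshd
udp        0      0 0.0.0.0:48527    0.0.0.0:*                 3310/exampled
udp        0      0 0.0.0.0:3483     0.0.0.0:*                 48527/slimserver
"""
LINE = re.compile(r"^(\S+ \S+) \*\* (.+?) \*\* <IP/(\w+)> "
                  r"([\d.]+):(\d+) ->> (\S+?):(\d+)$")

def flows(log):
    """Group log lines by (proto, src, sport, dst, dport) -> timestamps."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            seen[(m.group(3), m.group(4), int(m.group(5)),
                  m.group(6), int(m.group(7)))].append(ts)
    return seen

def intervals(stamps):
    """Seconds between consecutive entries of one flow."""
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]

def owners(netstat_text, port):
    """Sockets whose *local* port equals `port` (ignores PID and peer columns)."""
    rows = [line.split() for line in netstat_text.splitlines()]
    return [(c[0], c[3], c[-1]) for c in rows
            if len(c) >= 4 and c[0].startswith(("tcp", "udp"))
            and c[3].rsplit(":", 1)[-1] == str(port)]

if __name__ == "__main__":
    for (proto, src, sport, dst, dport), ts in flows(ROUTER_LOG).items():
        print(f"{proto} {src}:{sport} -> {dst}:{dport}",
              len(ts), "entries, gaps (s):", intervals(ts))
        print("  local sockets:", owners(NETSTAT_OUT, sport) or "none bound now")
```

To use it on a live system, replace NETSTAT_OUT with the text captured from 'netstat -pantu' run as root on the server.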
 
  

