Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-30-2004, 06:46 AM   #1
Bjorkli
Member
 
Registered: Jul 2003
Location: Norway
Posts: 65

Rep: Reputation: 15
Question Log entry question. What did Microsoft do with my Linux kernel?


I have Fedora Core 1 installed, and to make myself better at security I have started to read the logs. But the following log piece I have no idea what it means.

(Taken from log called messages)
Quote:
Nov 29 22:02:39 linux kernel: IN=eth0 OUT= MAC=00:0d:56:57:23:45:00:04:ed:05:0f:19:08:00 SRC=65.54.194.118 DST=192.168.1.103 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=50943 PROTO=TCP SPT=80 DPT=29082 WINDOW=9300 RES=0x00 RST URGP=0
Nov 29 22:02:39 linux kernel: IN=eth0 OUT= MAC=00:0d:56:57:23:45:00:04:ed:05:0f:19:08:00 SRC=65.54.194.118 DST=192.168.1.103 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=52479 PROTO=TCP SPT=80 DPT=29081 WINDOW=9300 RES=0x00 RST URGP=0
Wondering who 65.54.194.118 was, I did a "whois 65.54.194.118", and got the following
Quote:
[root@linux log]# whois 65.54.194.118
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
etc etc
Soo... Now I wonder what this log entry means. I have not seen this one before, and searching this forum for it did not help me. What does Microsoft want with my Linux machine?
 
Old 11-30-2004, 09:11 AM   #2
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Is Redmond really a city? I thought something else...
 
Old 11-30-2004, 10:05 AM   #3
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
It's a request via port 80 from 65.54.194.118 to 192.168.1.103. So you have port 80 open. Are you running an internet server? It may not be anything sinister at all, as many organisations including M$ run crawlers, spiders etc. If port 80 is open then they will investigate to see if they get a response to an HTTP request. If you are running a router it also suggests that it is forwarding port 80 as well. If you don't run a service on port 80 then close it and also stop forwarding on the router.

Last edited by TigerOC; 11-30-2004 at 10:06 AM.
 
Old 11-30-2004, 10:27 AM   #4
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Quote:
Originally posted by TigerOC
It's a request via port 80 from 65.54.194.118 to 192.168.1.103. So you have port 80 open. Are you running an internet server?
Wrong way. The *source* port is 80 meaning that this is a response, not a request.

Bjork, did you recently try to visit any MS sites? The logs you posted are created by violations of your IPTABLES ruleset. The specific violations would seem to indicate that your system requested a web page from a Microsoft server, but your firewall blocked the response packets.
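As an added example (not code from the thread), this small Python parser splits the kernel/netfilter log lines quoted above into fields and applies the reasoning from this reply: a packet from a service port (SPT=80) to a high ephemeral port carrying RST or ACK and no SYN is a blocked reply, whereas a bare SYN to a low destination port is an inbound connection attempt. The second sample line is constructed (203.0.113.0/24 is a documentation address range) to show the contrasting case.

```python
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# First line is quoted from the thread; second is a constructed contrast case.
SAMPLE_LOG = [
    "Nov 29 22:02:39 linux kernel: IN=eth0 OUT= MAC=00:0d:56:57:23:45:00:04:ed:05:0f:19:08:00 "
    "SRC=65.54.194.118 DST=192.168.1.103 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=50943 "
    "PROTO=TCP SPT=80 DPT=29082 WINDOW=9300 RES=0x00 RST URGP=0",
    "Nov 29 22:05:01 linux kernel: IN=eth0 OUT= MAC=00:0d:56:57:23:45:00:04:ed:05:0f:19:08:00 "
    "SRC=203.0.113.9 DST=192.168.1.103 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17 "
    "PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_netfilter_line(line):
    """Return a dict of the KEY=VALUE fields after 'kernel: ', plus a
    'FLAGS' set of the bare TCP flag tokens (SYN, ACK, RST, ...)."""
    fields, flags = {}, set()
    payload = line.split("kernel: ", 1)[1]
    for tok in payload.split():
        if "=" in tok:                       # e.g. SRC=65.54.194.118, OUT= (empty)
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:               # flags appear as bare words
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def classify(fields):
    """Label a logged (dropped) TCP packet by port direction and flags."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt, flags = int(fields["SPT"]), int(fields["DPT"]), fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-request"             # remote host opening a connection to DPT
    if spt < 1024 and dpt >= 1024 and flags & {"ACK", "RST"}:
        return "reply-to-our-request"        # service port -> ephemeral port, no SYN
    return "other"


def summarize(lines):
    """One (SRC, 'SPT->DPT', label) tuple per log line, for a quick review."""
    out = []
    for line in lines:
        f = parse_netfilter_line(line)
        out.append((f["SRC"], f"{f['SPT']}->{f['DPT']}", classify(f)))
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```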
 
Old 11-30-2004, 02:32 PM   #5
Bjorkli
Member
 
Registered: Jul 2003
Location: Norway
Posts: 65

Original Poster
Rep: Reputation: 15
Um. Yeah. Running a family web server on the Linux (not used much), but it is not on port 80 though... It is using port 8081 or something. Port 80 on my machine is closed on my Linux server (well. Firestarter says so anyway)

On the same router, I have an XP home computer connected, with Apache web server using port 80 (backup copy in case something happens to my Linux machine). Maybe the router got confused or something and sent the packet to the Linux instead of the XP machine. At 02:39... Was sleeping then... Anyway... Must have been a crawler or something. The Linux box still works (as always), and hopefully it stays like that...

Anyway... wish the logs weren't so cryptic.. My first guess would not have been that it was a firewall warning message. Looks like my XP has been infected by something again. The router lights up all the time, and something is downloading to my machine, and I have no idea where to check what is downloading. Hopefully it is just Windows Update...

But thanks for the replies. Now I know what a firewall message looks like.
 
Old 11-30-2004, 03:12 PM   #6
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
If you have an XP box running on the network there is your answer. XP sends surreptitious reports back to Redmond, if you didn't already know that.
 