LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-07-2005, 08:45 AM   #1
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Rep: Reputation: 15
What is happening here?


My logs are showing this at lot:

Oct 7 08:02:29 ares kernel: ABORTED IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=172.179.48.246 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=65259 PROTO=TCP SPT=15282 DPT=6881 SEQ=2395347946 ACK=2779374892 WINDOW=64363 RES=0x00 RST URGP=0


Problem is I don't fully know how to read this. I can see that someone from AOL is trying to attach to my box. What I don't know is what most of the item here mean.

What is LEN, TOS, PREC, TTL, ID, SPT, DPT, SEQ, ACK, WINDOW, RES RST, URGP?

I can't seem to find any docs that I can understand that explain this.
 
Old 10-07-2005, 09:05 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

They're just TCP header bits. Have a look here:
http://www.networksorcery.com/enp/protocol/tcp.htm

Dave
 
Old 10-07-2005, 09:54 AM   #3
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Original Poster
Rep: Reputation: 15
Forgive me, as I apreciate your help but that link doesn't tell me much. I can see how the packet is structured but comparing that to the output I just posted I can't see everything that is occuring. For example what port is this packet trying to access?
 
Old 10-07-2005, 10:50 AM   #4
imitheos
Member
 
Registered: May 2005
Location: Greece
Posts: 374

Rep: Reputation: 55
Re: What is happening here?

Quote:
Originally posted by nlinecomputers
My logs are showing this at lot:

Oct 7 08:02:29 ares kernel: ABORTED IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=172.179.48.246 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=65259 PROTO=TCP SPT=15282 DPT=6881 SEQ=2395347946 ACK=2779374892 WINDOW=64363 RES=0x00 RST URGP=0


Problem is I don't fully know how to read this. I can see that someone from AOL is trying to attach to my box. What I don't know is what most of the item here mean.

What is LEN, TOS, PREC, TTL, ID, SPT, DPT, SEQ, ACK, WINDOW, RES RST, URGP?

I can't seem to find any docs that I can understand that explain this.
The link provided by ilikejam explains the different tcp options.
If you don't understand what it says and you just want to "read" what the log says as you mention, then you don't need LEN,TOS,etc

I will try to explain as briefly as i can what it says.
Oct 7 08:02:29 ares kernel: ABORTED IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=172.179.48.246 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=65259 PROTO=TCP SPT=15282 DPT=6881 SEQ=2395347946 ACK=2779374892 WINDOW=64363 RES=0x00 RST URGP=0

The packet came in the eth1 interface (incoming traffic).
It came from 172.179.48.246 (something.aol.com) and had destination 192.168.0.3 (you i guess)
The packet protocol was TCP and the source port at the aol machine was 15282 (not important)
The port at your machine it tried to access was 6881

This is the default port of Bittorent clients. It can be anything but if you use a Bittorent client (Azureus,Ktorrent,ctorrent,whatever)
then i guess it has a good possibility that's it.

The flags are RST (reset). Google has a great deal of information about SYN/ACK/RST so i don't mention anything here.

I hope i helped and didn't confuse you.
 
Old 10-07-2005, 11:33 AM   #5
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Original Poster
Rep: Reputation: 15
Not confusing at all. I was running Azureus last night and I thought the 6881 might refer to that as bittorrent uses that port.

This is listed as ABORTED. By who? Them or me?
 
Old 10-08-2005, 11:57 AM   #6
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
I find it a bit weird that you got this as 192.168.0.3 is usualy a LAN reserved IP. Is this log from a NAT box or a router or something like that?

These aborted messages must come from your iptables rules. There must be a rule that is throwing it into your logs.
 
Old 10-08-2005, 01:28 PM   #7
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Original Poster
Rep: Reputation: 15
It's behind a router on a private net.

Quote:
These aborted messages must come from your iptables rules. There must be a rule that is throwing it into your logs.
Ok well what is the difference between an abort and a drop? Bittorrent works on this unit. I downloaded Suse 10.0 last night using it. Is this somekind of timeout?
 
Old 10-08-2005, 02:01 PM   #8
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
the remote cliente send a RST so he close the connection.

The thing with the ABORT is there because you must have something like -j LOG --log-prefix "ABORT:" in you iptables rules
 
Old 10-08-2005, 02:27 PM   #9
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Original Poster
Rep: Reputation: 15
Ok so that is worthless info filling my logs. Now I know that is probably safe to add that to logsentry to filter out that.

Thanks.

 
Old 10-09-2005, 08:20 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
"Aborted" tcp connections are usually associated with "half-open" port scans that can be an important indicator that someone is trying to stealthily perform information gathering for a future attack. So that is why they are logged by certain firewalls. The downside is that you do see alot of false positives, commonly due to a webserver terminating the tcp connection so that it doesn't have to maintain a large number of active connections. It's also possible that what you're seeing here has to do with AOLs weird IP address rotation scheme, where an AOL client can actually get reassigned a new IP in the middle of an established connection.
 
Old 10-10-2005, 01:50 PM   #11
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108
You can assume that it is a scan-attempt unless you were attempting to do something with bittorrent at these times. Someone in AOL may be sniffing to find servers.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS to IP not happening bharath144 Linux - Software 6 11-28-2005 08:09 AM
what is happening in the screen? suguname Mandriva 3 01-19-2005 05:53 PM
smbserver to XP not happening TheDanLayerOSI Linux - Networking 2 09-21-2004 01:20 PM
What's Happening? demonfi General 4 08-16-2003 01:40 PM
just a happening aizkorri General 9 11-20-2002 11:08 AM


All times are GMT -5. The time now is 07:07 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration