I have found these logs from my gateway firewall for the first time:
Code:
Sep 4 03:55:46 argo BROADCASTS: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:93:3e:b0:32:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=4401 PROTO=UDP SPT=68 DPT=67 LEN=308
Sep 4 03:55:54 argo BROADCASTS: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:93:3e:b0:32:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=4402 PROTO=UDP SPT=68 DPT=67 LEN=308
They are coming from my LAN interface eth1, and launching a:
Code:
root@argo:~# netstat -anptlu | grep 68
udp 0 0 0.0.0.0:68 0.0.0.0:* 18351/portsentry
I found out they are coming from portsentry.
Now!
I have had the port 68 portsentry 'honeypot' for a long time and it is the first time it goes broadcasting. What's happening? Did it get compromised?
Thanks for the help!
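One way to read the fields in the log lines above, as an added example that is not part of the original post: it splits the netfilter LOG `MAC=` field into destination MAC, source MAC and EtherType, and counts DHCP client broadcasts (UDP 68 to 67, 0.0.0.0 to 255.255.255.255) per receiving interface and sender MAC. The function names are hypothetical; the sample lines are the two from the post.

```python
import re

# The two log lines from the post above (netfilter LOG target output).
SAMPLE = """\
Sep 4 03:55:46 argo BROADCASTS: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:93:3e:b0:32:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=4401 PROTO=UDP SPT=68 DPT=67 LEN=308
Sep 4 03:55:54 argo BROADCASTS: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:93:3e:b0:32:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=255 ID=4402 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one LOG line as a dict.

    LEN appears twice (IP length, then UDP length); the first is kept.
    """
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)
    return fields

def split_mac(mac_field):
    """MAC= is 14 octets: 6 destination MAC, 6 source MAC, 2 EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field: %r" % mac_field)
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])

def is_dhcp_client_broadcast(f):
    """True for a DHCP client message: UDP 68 -> 67, 0.0.0.0 -> broadcast."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "68"
            and f.get("DPT") == "67" and f.get("SRC") == "0.0.0.0"
            and f.get("DST") == "255.255.255.255")

def summarize(log_text):
    """Count DHCP client broadcasts per (receiving interface, source MAC)."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        # Lines without a MAC= value carry no link-layer sender to report.
        if not f.get("MAC") or not is_dhcp_client_broadcast(f):
            continue
        _, src_mac, ethertype = split_mac(f["MAC"])
        if ethertype == "0800":  # IPv4
            key = (f.get("IN", ""), src_mac)
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (iface, mac), n in summarize(SAMPLE).items():
        print(f"{n} DHCP client broadcast(s) received on {iface} from {mac}")
```

In a LOG line, a populated `IN=` with an empty `OUT=` marks a packet that arrived on that interface, and the second group of six octets in `MAC=` is the Ethernet address of the sender.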