LinuxQuestions.org
Possible hacker attack?

11-10-2012, 05:46 PM   #1
lpallard

Hi all!

I was looking for some kernel error messages in my Slackware server and I was surprised to see these messages in dmesg:

Code:
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 716235042:716237814 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722245016:722246583 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722245016:722246583 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722245016:722246583 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722245016:722246583 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722245016:722246583 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722245016:722246583 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722950428:722951760 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722989632:722990640 (repaired)
This IP is NOT from any clients I am using (all my internal clients use 192.168...), and my network is supposedly isolated from the WAN side...

First of all, what does it mean, and second, have I been attacked by a Mexican hacker? According to http://iplocation.truevue.org/189.141.13.73.html, the IP would be located somewhere in Mexico.

In my pfsense router (using Snort, Squidguard & firewall active), I see these lines in the firewall logs:

Code:
Nov 10 18:45:52 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:45:49 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:41:28 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:41:24 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:40:04 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:40:01 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:38:52 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:38:49 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:22:15 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:22:12 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:17:50 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:17:47 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:16:30 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:16:26 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:11:15 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:11:13 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:07:01 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:06:55 	pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
I'd like to have some insight...

Thanks!!!

Last edited by lpallard; 11-10-2012 at 05:52 PM.
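
Added example (not part of the original thread): one way to triage the two log excerpts above is to group the kernel's "shrunk window" messages by flow and then check what the firewall logged for the same peer. The sample input is constructed from the lines in the post (the 10.0.0.5 line is made up as a non-matching control), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input, shortened from the log excerpts in the post above.
DMESG = """\
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 716235042:716237814 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
TCP: Peer 189.141.13.73:40859/48049 unexpectedly shrunk window 722205812:722207129 (repaired)
"""
PF_LOG = """\
Nov 10 18:45:52 pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:45:49 pf: 189.141.13.73.61905 > 24.212.252.21.6970: UDP, length 30
Nov 10 18:06:55 pf: 10.0.0.5.1234 > 24.212.252.21.22: UDP, length 30
"""

# Kernel message fields: peer address, peer port, local port, then snd_una:snd_nxt.
SHRUNK_RE = re.compile(
    r"TCP: Peer (\d+\.\d+\.\d+\.\d+):(\d+)/(\d+) unexpectedly shrunk window (\d+):(\d+)")
# pf summary line: src_ip.src_port > dst_ip.dst_port: PROTO
PF_RE = re.compile(r"pf: (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\w+)")

def shrunk_window_flows(dmesg_text):
    """Group 'shrunk window' messages by (peer_ip, peer_port, local_port)."""
    flows = defaultdict(lambda: {"count": 0, "windows": set()})
    for m in SHRUNK_RE.finditer(dmesg_text):
        ip, pport, lport, una, nxt = m.groups()
        flow = flows[(ip, int(pport), int(lport))]
        flow["count"] += 1
        flow["windows"].add((int(una), int(nxt)))
    return dict(flows)

def pf_hits_for(pf_text, peer_ips):
    """Count pf log entries per (src_ip, proto, dst_port) for the given peers only."""
    hits = defaultdict(int)
    for m in PF_RE.finditer(pf_text):
        src, _sport, _dst, dport, proto = m.groups()
        if src in peer_ips:
            hits[(src, proto, int(dport))] += 1
    return dict(hits)

def correlate(dmesg_text, pf_text):
    """Return (flows from dmesg, pf hits for the peers seen in those flows)."""
    flows = shrunk_window_flows(dmesg_text)
    return flows, pf_hits_for(pf_text, {ip for ip, _, _ in flows})

if __name__ == "__main__":
    flows, hits = correlate(DMESG, PF_LOG)
    for (ip, pport, lport), f in flows.items():
        print(f"{ip}:{pport} <-> local TCP port {lport}: {f['count']} messages")
    for (ip, proto, dport), n in hits.items():
        print(f"pf logged {n} {proto} packets from {ip} to port {dport}")
```

The local port in the dmesg line (48049 in the post) identifies the local TCP socket that was talking to the peer, which is the starting point for finding the process that owns it.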
 
11-10-2012, 06:44 PM   #2
unSpawn

Quote:
Originally Posted by lpallard
what does it mean
http://www.linuxquestions.org/questi...2/#post3645782
 
11-10-2012, 06:47 PM   #3
lpallard

So I take it that I shouldn't worry about that?

Nobody drinking tequila tried to hack my computers?

It's just that it is the first time I see this in dmesg and I've been running this server for 3 years now...
 
  


All times are GMT -5.