LinuxQuestions.org

Source: https://www.linuxquestions.org/questions/linux-security-4/abnormal-traffic-321142/

xathras 05-07-2005 08:37 PM

Abnormal traffic?
 
Can anyone explain this traffic for me?

This is an excerpt from /var/log/messages:

May 8 01:23:24 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=68.47.72.139 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=106 ID=54014 DF PROTO=TCP SPT=1873 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 01:23:27 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=68.47.72.139 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=106 ID=54076 DF PROTO=TCP SPT=1873 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 01:23:33 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=68.47.72.139 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=106 ID=54276 DF PROTO=TCP SPT=1873 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 01:25:17 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.9.10.223 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=49235 DF PROTO=TCP SPT=3714 DPT=16872 WINDOW=64800 RES=0x00 SYN URGP=0
May 8 01:25:20 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.9.10.223 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=49277 DF PROTO=TCP SPT=3714 DPT=16872 WINDOW=64800 RES=0x00 SYN URGP=0
May 8 01:25:26 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.9.10.223 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=49386 DF PROTO=TCP SPT=3714 DPT=16872 WINDOW=64800 RES=0x00 SYN URGP=0
May 8 01:26:03 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=69.39.81.71 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=16437 DF PROTO=TCP SPT=3984 DPT=7648 WINDOW=8760 RES=0x00 SYN URGP=0
May 8 01:26:06 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=69.39.81.71 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=16655 DF PROTO=TCP SPT=3984 DPT=7648 WINDOW=8760 RES=0x00 SYN URGP=0
May 8 01:26:12 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=69.39.81.71 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=17228 DF PROTO=TCP SPT=3984 DPT=7648 WINDOW=8760 RES=0x00 SYN URGP=0
May 8 01:26:23 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.3.18.149 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=109 ID=37881 PROTO=TCP SPT=2085 DPT=7648 WINDOW=65535 RES=0x00 SYN URGP=0
May 8 01:26:26 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.3.18.149 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=109 ID=38072 PROTO=TCP SPT=2085 DPT=7648 WINDOW=65535 RES=0x00 SYN URGP=0
May 8 01:26:32 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.3.18.149 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=109 ID=38406 PROTO=TCP SPT=2085 DPT=7648 WINDOW=65535 RES=0x00 SYN URGP=0
May 8 01:26:50 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=81.99.157.75 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=119 ID=46114 DF PROTO=TCP SPT=4485 DPT=16872 WINDOW=64240 RES=0x00 SYN URGP=0
May 8 01:26:53 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=81.99.157.75 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=119 ID=46264 DF PROTO=TCP SPT=4485 DPT=16872 WINDOW=64240 RES=0x00 SYN URGP=0
May 8 01:28:13 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=66.91.60.64 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=113 ID=44274 DF PROTO=TCP SPT=1284 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0

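As an added example (not code from the thread or from anyone posting in it), here is a small Python parser for netfilter LOG lines like the ones above. It groups the drops by source address and uses three things visible in the post to tell a single client's failed connection attempt apart from a port sweep: each source keeps one source port, sends only SYNs, and retries after 3 s and then 6 s, which is the usual TCP connect retransmission back-off. Eight of the log lines are copied from the post; three further lines from the documentation address 203.0.113.7 are constructed to model a sweep for contrast. The year 2005 is an assumption, since syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Eight lines copied from the post plus three CONSTRUCTED lines (SRC 203.0.113.7,
# a documentation address) that model a port sweep hitting 22, 80 and 443.
SAMPLE_LOG = """\
May 8 01:23:24 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=68.47.72.139 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=106 ID=54014 DF PROTO=TCP SPT=1873 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 01:23:27 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=68.47.72.139 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=106 ID=54076 DF PROTO=TCP SPT=1873 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 01:23:33 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=68.47.72.139 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=106 ID=54276 DF PROTO=TCP SPT=1873 DPT=7648 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 01:25:17 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.9.10.223 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=49235 DF PROTO=TCP SPT=3714 DPT=16872 WINDOW=64800 RES=0x00 SYN URGP=0
May 8 01:25:20 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.9.10.223 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=49277 DF PROTO=TCP SPT=3714 DPT=16872 WINDOW=64800 RES=0x00 SYN URGP=0
May 8 01:25:26 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=201.9.10.223 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=107 ID=49386 DF PROTO=TCP SPT=3714 DPT=16872 WINDOW=64800 RES=0x00 SYN URGP=0
May 8 01:26:50 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=81.99.157.75 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=119 ID=46114 DF PROTO=TCP SPT=4485 DPT=16872 WINDOW=64240 RES=0x00 SYN URGP=0
May 8 01:26:53 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=81.99.157.75 DST=192.168.1.100 LEN=48 TOS=0x04 PREC=0x00 TTL=119 ID=46264 DF PROTO=TCP SPT=4485 DPT=16872 WINDOW=64240 RES=0x00 SYN URGP=0
May 8 01:30:00 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 8 01:30:00 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May 8 01:30:01 myserver kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:04:e2:08:6e:c1:00:0c:41:b2:30:3e:08:00 SRC=203.0.113.7 DST=192.168.1.100 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Syslog prefix, the iptables --log-prefix between "** ... **", then KEY=VALUE fields
# interleaved with bare tokens (DF, SYN, ACK, ...).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: \*\* (?P<prefix>[^*]+?) \*\* (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line, year=2005):
    """Parse one netfilter LOG line into a dict; year is assumed (syslog has none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"host": m.group("host"), "prefix": m.group("prefix").strip()}
    rec["time"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rec.update(dict(KV_RE.findall(rest)))          # IN, OUT, SRC, DST, TTL, SPT, DPT, ...
    bare = {tok for tok in rest.split() if "=" not in tok}
    rec["flags"] = sorted(bare & TCP_FLAGS)        # TCP flag words appear as bare tokens
    rec["df"] = "DF" in bare                       # IP don't-fragment bit, also bare
    return rec


def classify(dports, sports, flags, gaps):
    """Heuristic verdict for one source address."""
    if len(dports) >= 3:
        return "sweep: several destination ports from one source"
    backoff = all(b >= a for a, b in zip(gaps, gaps[1:]))   # 3 s, 6 s, ... never shrinking
    if flags == {"SYN"} and len(sports) == 1 and gaps and backoff:
        return "one connection attempt, SYN retransmitted with back-off"
    return "unclassified"


def summarize(log_text, year=2005):
    """Group dropped TCP packets by SRC and describe each source's behaviour."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec and rec.get("PROTO") == "TCP":
            by_src[rec["SRC"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        dports = sorted({int(r["DPT"]) for r in recs})
        sports = sorted({int(r["SPT"]) for r in recs})
        flags = {f for r in recs for f in r["flags"]}
        summary[src] = {
            "count": len(recs),
            "dports": dports,
            "sports": sports,
            "flags": sorted(flags),
            "gaps_s": gaps,
            "ttl": sorted({int(r["TTL"]) for r in recs}),
            "verdict": classify(dports, sports, flags, gaps),
        }
    return summary


def sources_per_dport(summary):
    """How many distinct sources hit each destination port."""
    counts = Counter()
    for info in summary.values():
        counts.update(info["dports"])
    return dict(counts)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src, info in result.items():
        print(f"{src:15} n={info['count']} dports={info['dports']} sports={info['sports']} "
              f"gaps={info['gaps_s']} ttl={info['ttl']} -> {info['verdict']}")
    print("sources per destination port:", sources_per_dport(SAMPLE_LOG and result))
```

Run against the real lines, every source comes out as a single retransmitted connection attempt to one port (7648 or 16872) from one source port, which is what a client application trying to reach a service looks like when the SYN is dropped; the constructed 203.0.113.7 lines are flagged as a sweep because several destination ports are hit from changing source ports within a second. The TTL column is kept because a constant TTL per source is one more sign that the packets come from one host rather than a spoofed range.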
win32sux 05-07-2005 09:53 PM

Well, TCP port 7648 is used by CU-SeeMe from what I can gather (Google)...

So it looks like your firewall has blocked CU-SeeMe connections from being initiated...

xathras 05-07-2005 10:55 PM

Quote:

Originally posted by win32sux
Well, TCP port 7648 is used by CU-SeeMe from what I can gather (Google)...

So it looks like your firewall has blocked CU-SeeMe connections from being initiated...

I'm sorry, I am unaware of what CU-SeeMe is.

I have just done a default install of CentOS 3.4 and updated the system, installed Apache, MySQL, APF, BFD, configured SSH for protocol 2 only and blocked root logins via SSH, and that's about it.

Traffic was unexpected.

Mara 05-08-2005 03:24 PM

It's videoconferencing software. If it was unexpected, then well... good that it was blocked. You just need to remember that you may need to unblock it in the future (if you decide to use it).

xathras 05-08-2005 05:13 PM

thanks for the help.

Glad I had my firewall configured. That was the only abnormal traffic I was getting; I had checked all my logs, etc., and there was no missing information or log-in attempts, etc.
