LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-20-2001, 09:21 AM   #1
eduardo_26
LQ Newbie
 
Registered: Nov 2001
Posts: 1

Rep: Reputation: 0
Help...!!! Firewall Log Question


We are in a mixed network, which includes a Cisco router, a 3COM switch common to the two networks, and a hub where the gateway/firewall Linux computer is connected.

One of the networks is my company's network (192.168.X.X / 255.255.0.0; I am in charge of it) and the other network belongs to another company (10.10.X.X / 255.255.0.0). This company has a VPN. Now, they are accusing me of being a hacker, alleging we have tried to get into their VPN. As proof of that, they are showing the following type of message:

Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)

They have as many as 40 pages of this type of message, presenting this "deny" access as the evidence that we have tried to penetrate their network.

Since we are not interested in getting into that VPN, nor have we tried to do it, please help me find a technical explanation for the "evidence" they have shown.

Thanks.
 
Old 11-20-2001, 10:56 PM   #2
rewt
Member
 
Registered: May 2001
Posts: 44

Rep: Reputation: 15
I don't know if any of this will help or not...

but I have used this in the past to read my firewall logs....

http://www.robertgraham.com/pubs/firewall-seen.html


hope this helps,
rewt
 
Old 11-20-2001, 10:58 PM   #3
rewt
Member
 
Registered: May 2001
Posts: 44

Rep: Reputation: 15
sorry for a double reply but this might help you as well....

http://logi.cc/linux/NetfilterLogAnalyzer.php3


rewt
 
Old 11-20-2001, 11:44 PM   #4
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Looks like someone (a Windows machine) in your network got a nice little trojan action - port 27374 is a common port for the SubSeven trojan and its variants. The others look like port scans for NetBIOS shares, which could be the byproduct or payload of the infection.

You could set up a tcpdump session to see which machine is broadcasting the packets or have a look at 'snort' for some more thorough analysis tools.
 
Old 11-21-2001, 10:59 AM   #5
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)

(pc4-staf2-0-cust72.bir.cable.ntl.com >> tried to access the firewall's IP address on port 27374 looking for SubSeven trojan using TCP protocol, TOS is not priority setting, ACK id number is included, First request with SYN flag)

Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)

(192.168.2.185 >> sent a UDP request to the whole subnet looking for nbdgm services on Win systems)

Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)

(192.168.2.138 >> sent a UDP request to the nbns UDP service for the whole subnet)

Ok, some useful info to tell them.
1) someone outside looked for a Trojan on their firewall.
2) something inside your subnet requested the whole subnet to respond to NetBIOS requests for shared drives etc etc. This is not an attack on their system in particular, as it's a broadcast request to everyone.

Tell the company that if they didn't use DENY but REJECT for the UDP packets then they wouldn't have so many entries in their log file, as the system keeps requesting a response because it thinks the system is non-responsive due to timeouts.
Also tell them to filter out broadcast requests and not log them, as everything in Windows does this for finding domains, printers etc etc etc.... (98 is even worse at this)

This is definitely not a hack attack, and if any admin thinks it is, then they should be shot.

/Raz

Last edited by raz; 11-21-2001 at 11:14 AM.
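The two replies above read the ipchains "Packet log:" lines by hand: an outside host knocking on the firewall's TCP port 27374, and internal Windows machines broadcasting to UDP 137/138. The script below is an added example (not code from the thread or from any of its posters) that does the same triage mechanically: it parses the ipchains log format quoted in the thread and sorts each entry into "NetBIOS broadcast noise" versus "external probe", so that a 40-page log can be summarised instead of argued over line by line. The sample log is constructed from the entries quoted in the thread, rejoined onto one line each; the port meanings (137/138 = NetBIOS, 27374 = SubSeven) are taken from the posters, and the category names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the ipchains "Packet log:" entries quoted in this
# thread, rejoined onto one line each (the forum display had wrapped them).
SAMPLE_LOG = """\
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Port meanings as given by the posters in this thread: 137/138 are the NetBIOS
# name and datagram services; 27374 is the port they associate with SubSeven.
NETBIOS_PORTS = {137, 138}
SUBSEVEN_PORT = 27374

# ipchains log layout: "<chain> <target> <iface> PROTO=n src:sport dst:dport
# L=len S=tos I=ipid F=frag T=ttl [SYN] (#rule)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))? "
    r"\(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Parse one ipchains log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    proto_num = int(d["proto"])
    return {
        "ts": d["ts"],
        "chain": d["chain"],
        "target": d["target"],  # DENY / REJECT / ACCEPT
        "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),
        "ipid": int(d["ipid"]),
        "ttl": int(d["ttl"]),
        "flags": d["flags"] or "",
        "rule": int(d["rule"]),
    }


def is_broadcast(addr):
    """True for a directed or limited broadcast address (last octet all ones)."""
    return ipaddress.ip_address(addr).packed[-1] == 0xFF


def classify(entry):
    """Sort an entry into the categories the thread's replies describe."""
    src = ipaddress.ip_address(entry["src"])
    if (entry["proto"] == "udp" and entry["dport"] in NETBIOS_PORTS
            and src.is_private and is_broadcast(entry["dst"])):
        return "netbios_broadcast"  # Windows browse/name chatter, aimed at nobody
    if src.is_global:
        if entry["proto"] == "tcp" and entry["dport"] == SUBSEVEN_PORT:
            return "external_trojan_probe"  # outside host looking for SubSeven
        return "external_probe"
    return "other"


def summarize(log_text):
    """Count entries per category; lines that do not parse are counted as 'unparsed'."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        counts[classify(entry) if entry else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{e['ts']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
              f"{e['proto']} {e['target']:6} {classify(e)}")
    print(dict(summarize(SAMPLE_LOG)))
```

Feeding the full 40-page log to `summarize()` (for example by reading the file into `log_text`) gives the count of broadcast noise versus genuine external probes at a glance; anything that lands in "external_probe" or "other" is what deserves a second look, and the broadcast bucket is the material raz suggests the other company should stop logging.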
 