Linux - Security (LinuxQuestions.org forum): all security-related questions, tips, system compromises, firewalls, etc.
11-20-2001, 09:21 AM | #1 | LQ Newbie (Registered: Nov 2001, Posts: 1)
Help...!!! Firewall Log Question
We are in a mixed network, which includes a Cisco router, a 3COM switch common to the two networks, and a hub to which the Linux gateway/firewall computer is connected.
One of the networks is my company network (192.168.X.X / 255.255.0.0; I am in charge of it) and the other network belongs to another company (10.10.X.X / 255.255.0.0). This company has a VPN. Now they are accusing me of being a hacker, alleging we have tried to get into their VPN. As proof of that, they are showing the following type of message:
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
They have as many as 40 pages of this type of message, presenting this "deny" access as evidence that we have tried to penetrate their network.
Since we are not interested in getting into that VPN, nor have we tried to do it, please help me find a technical explanation for the "evidence" they have shown.
Thanks.
11-20-2001, 11:44 PM | #4 | Senior Member (Registered: May 2001; Location: Left Coast - Canada; Distribution: s l a c k w a r e; Posts: 2,731)
Looks like someone (a Windows machine) in your network got a nice little trojan action - port 27374 is a common port for the SubSeven trojan and its variants. The others look like port scans for NetBIOS shares, which could be the byproduct or payload of the infection.
You could set up a tcpdump session to see which machine is broadcasting the packets or have a look at 'snort' for some more thorough analysis tools.
11-21-2001, 10:59 AM | #5 | Member (Registered: Apr 2001; Location: London; Posts: 408)
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
(pc4-staf2-0-cust72.bir.cable.ntl.com >> tried to access the firewall's IP address on port 27374 looking for SubSeven trojan using TCP protocol, TOS is not priority setting, ACK id number is included, first request with SYN flag)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
(192.168.2.185 >> sent a UDP request to the whole subnet looking for nbdgm services on Win systems)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
(192.168.2.138 >> sent a UDP request to the nbns UDP service for the whole subnet)
OK, some useful info to tell them.
1) Someone outside looked for a trojan on their firewall.
2) Something inside your subnet requested the whole subnet to respond to NetBIOS requests for shared drives etc. This is not an attack on their system in particular, as it's a broadcast request to everyone.
Tell the company that if they used REJECT instead of DENY for the UDP packets, they wouldn't have so many entries in their log file, as the system keeps requesting a response because it thinks the system is non-responsive due to timeouts.
Also tell them to filter out broadcast requests and not log them, as everything in Windows does this for finding domains, printers, etc. (98 is even worse at this).
This is definitely not a hack attack, and if any admin thinks it is, then they should be shot.
/Raz
Last edited by raz; 11-21-2001 at 11:14 AM.
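Both replies above come down to one check the original poster can run himself: read the firewall's own log, separate the outside probes aimed at the firewall from the inside hosts broadcasting NetBIOS name (137) and datagram (138) traffic, and see which inside host is doing the broadcasting. The Python script below is an added example, not code from the thread or from ipchains. It parses lines in the ipchains "Packet log:" layout quoted in this thread (SAMPLE_LOG is the original poster's nine log lines, joined back onto one line each) and classifies them under two stated assumptions: a source in RFC 1918 space is an inside host, and a UDP destination whose last octet is 255 is a subnet or directed broadcast. The name attached to port 27374 is the one the replies give (a common SubSeven default port); a port number in a log does not by itself show a trojan on either side.

```python
"""Sort ipchains "Packet log:" entries into outside probes vs inside NetBIOS broadcast noise.

Added example for this thread; not code from the thread or from ipchains.
Assumptions are marked in comments.
"""
import ipaddress
import re
from collections import Counter

# The original poster's log lines, re-joined onto one line each (taken from the thread).
SAMPLE_LOG = """\
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:10:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.138:137 192.168.255.255:137 L=78 S=0x00 I=49285 F=0x000 T=32 (#71)
Oct 21 04:10:16 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.20:138 192.168.2.255:138 L=238 S=0x00 I=56451 F=0x000 T=32 (#71)
Oct 21 04:10:20 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:138 192.168.2.255:138 L=234 S=0x00 I=39272 F=0x000 T=128 (#71)
Oct 21 04:11:08 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.5:137 192.168.2.255:138 L=78 S=0x00 I=39528 F=0x000 T=128 (#71)
Oct 21 04:12:00 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.100:138 192.168.255.255:138 L=241 S=0x00 I=31461 F=0x000 T=128 (#71)
Oct 21 04:14:04 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.172:137 192.168.255.255:137 L=78 S=0x00 I=50473 F=0x000 T=32 (#71)
"""

# ipchains log layout: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<ip total length> S=<tos> I=<ip id> F=<ip fragment field> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

# Assumption: RFC 1918 space is "inside"; any other source is an outside host.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_UDP = {137: "nbns", 138: "nbdgm"}
# Port label taken from the replies in the thread; not evidence of infection on its own.
TROJAN_PORTS = {27374: "SubSeven"}


def parse_line(line):
    """Return a dict of typed fields for one ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        e[k] = int(e[k])
    e["tos"] = int(e["tos"], 16)
    e["frag"] = int(e["frag"], 16)
    e["df"] = bool(e["frag"] & 0x4000)   # F=0x4000 is the IP Don't-Fragment bit
    e["syn"] = e["syn"] is not None       # ipchains appends "SYN" for TCP SYN-only packets
    e["src"] = ipaddress.ip_address(e["src"])
    e["dst"] = ipaddress.ip_address(e["dst"])
    return e


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def is_broadcast(addr):
    # Assumption: last octet 255 means a /24 subnet broadcast (192.168.2.255) or the
    # /16-wide directed broadcast (192.168.255.255) on the poster's 255.255.0.0 network.
    return addr == ipaddress.ip_address("255.255.255.255") or addr.packed[-1] == 0xFF


def classify(e):
    """Label one parsed entry as local NetBIOS broadcast noise, an outside probe, or other."""
    if e["proto"] == 17 and is_private(e["src"]) and is_broadcast(e["dst"]) and e["dport"] in NETBIOS_UDP:
        return "local-netbios-broadcast"
    if not is_private(e["src"]):
        return "external-probe"
    return "other"


def summarize(text):
    """Count entries per class, per inside broadcaster, and per (outside source, port) probe."""
    classes, broadcasters, probes = Counter(), Counter(), Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        kind = classify(e)
        classes[kind] += 1
        if kind == "local-netbios-broadcast":
            broadcasters[str(e["src"])] += 1     # answers "which machine is broadcasting"
        elif kind == "external-probe":
            probes[(str(e["src"]), e["dport"])] += 1
    return {"classes": dict(classes), "broadcasters": dict(broadcasters), "probes": dict(probes)}


def probe_label(dport):
    """Human-readable label for a probed port, using only the names the thread gives."""
    return TROJAN_PORTS.get(dport, f"tcp/{dport}")


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("per class:", report["classes"])
    print("inside hosts broadcasting NetBIOS:", report["broadcasters"])
    for (src, port), n in report["probes"].items():
        print(f"outside probe {src} -> port {port} ({probe_label(port)}): {n} entries")
```

On the nine lines quoted above this yields two outside SYNs from 213.107.153.72 to port 27374 and seven inside broadcasts, with 192.168.2.5 appearing twice; every broadcast has a private source and a .255 destination, which is the point raz makes about them not being aimed at anyone in particular. Run against the other company's 40 pages it would show the same split, and the broadcaster list is the same thing the first reply suggests finding with tcpdump. If they take raz's advice to stop logging the broadcasts, the ipchains rule that matches them simply omits the -l (log) flag, for example (assuming ipchains syntax) "ipchains -I input -i eth0 -p udp -s 192.168.0.0/16 -d 192.168.255.255 137:138 -j DENY" placed before the logging rule.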