Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
06-08-2006, 05:55 PM
|
#1
|
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
|
Look at this log
Quote:
Jun 8 23:04:35 netgear TCP Packet - Source:87.10.109.15,2333 Destination:1.0.0.0,445 - [Any(ALL) match]
|
This is a log from my router. What is that IP 1.0.0.0?
Last edited by gabsik; 06-08-2006 at 06:05 PM.
|
|
|
06-08-2006, 06:03 PM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
What is that ip 1.0.0.0
Seems a valid bogon to me.
|
|
|
06-08-2006, 07:06 PM
|
#3
|
Member
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 831
|
Quote:
Originally Posted by gabsik
This is a log from my router. What is that IP 1.0.0.0?
|
Virus-infected computers often have outbound traffic to bogon addresses because viruses quite often randomly choose addresses to scan for vulnerabilities. You could have an infected computer; even the dst port is 445 (Sasser, Agobot).
|
|
|
06-09-2006, 05:35 AM
|
#4
|
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
|
87.10.109.15 is my ISP's network address:
Quote:
root@argo:~# nmap -sS -sR -sV -O -P0 87.10.109.15
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-09 11:18 CEST
Interesting ports on host15-109.pool8710.interbusiness.it (87.10.109.15):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows msrpc
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows msrpc
1720/tcp filtered H.323/Q.931
5000/tcp open UPnP
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port5000-TCP:V=3.81%D=6/9%Time=44893FD5%P=i686-pc-linux-gnu%r(RTSPReque
SF:st,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n");
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Nmap finished: 1 IP address (1 host up) scanned in 856.729 seconds
|
Polluted Windows machines, I hate them!!!
|
|
|
06-28-2006, 08:50 PM
|
#5
|
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
|
Quote:
SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=264 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 29 01:43:41 argo INTERNET_BROADCAST: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:b0:62:27:56:08:00
|
This looks much the same as the above 1.0.0.0. Can anyone link me to where this is explained?
|
|
|
06-28-2006, 08:51 PM
|
#6
|
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
|
Quote:
Jun 29 01:15:02 argo ippl: port 1027 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1027)
Jun 29 01:15:02 argo ippl: port 1026 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1026)
Jun 29 01:15:02 argo ippl: port 1028 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1028)
Jun 29 01:15:02 argo ippl: port 1029 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1029)
|
These also look like quite strange IPs to me ...
Last edited by gabsik; 06-28-2006 at 11:20 PM.
|
|
|
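Added example, not part of any post in this thread: a Python triage that runs the log lines quoted above through a reserved-range check and flags the port-445-to-bogon pattern described in reply #3. The range list, labels, verdict names and the DHCP rule (UDP 68 to 67 from 0.0.0.0 to 255.255.255.255) are assumptions of this example; 1.0.0.0/8 is listed only because the thread treats it as a bogon.

```python
import ipaddress
import re

# Illustrative list, not a maintained bogon feed. 1.0.0.0/8 is included only
# because the 2006 thread treats it as a bogon; such lists change over time.
RESERVED = [(ipaddress.ip_network(n), label) for n, label in [
    ("0.0.0.0/8", "this-network"), ("1.0.0.0/8", "bogon-2006"),
    ("10.0.0.0/8", "private"), ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"), ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"), ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),  # also covers 255.255.255.255
]]
UNROUTABLE = {"this-network", "bogon-2006", "loopback", "reserved"}

# One pattern per log shape quoted in the thread: router, iptables LOG, ippl.
PATTERNS = [re.compile(p) for p in (
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) Destination:(?P<dst>[\d.]+),(?P<dport>\d+)",
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)",
    r"\((?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)",
)]

def classify(addr):
    """Return the reserved-range label for addr, or None if not in the list."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return next((label for net, label in RESERVED if ip in net), None)

def triage(line):
    """Parse one log line; return its fields and a verdict, or None if unparsed."""
    m = next((m for m in (p.search(line) for p in PATTERNS) if m), None)
    if m is None:
        return None
    src, dst, sport, dport = m["src"], m["dst"], int(m["sport"]), int(m["dport"])
    if (src, dst, sport, dport) == ("0.0.0.0", "255.255.255.255", 68, 67) and "UDP" in line:
        verdict = "dhcp-client-broadcast"  # a host asking for a lease, expected on a LAN
    elif classify(dst) in UNROUTABLE:
        verdict = "port445-to-unroutable" if dport == 445 else "unroutable-destination"
    else:
        verdict = "none"
    return {"src": src, "dst": dst, "dport": dport, "src_class": classify(src),
            "dst_class": classify(dst), "verdict": verdict}

# Sample input: lines copied from the posts in this thread.
SAMPLE = [
    "Jun 8 23:04:35 netgear TCP Packet - Source:87.10.109.15,2333 Destination:1.0.0.0,445 - [Any(ALL) match]",
    "SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=264 PROTO=UDP SPT=68 DPT=67 LEN=308",
    "Jun 29 01:15:02 argo ippl: port 1027 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1027)",
]
```

A verdict of `none` only means no address on the line fell in the example's list; it is not a statement that the traffic is benign.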
All times are GMT -5.