LinuxQuestions.org
Old 06-08-2006, 05:55 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
Look this log


Quote:
Jun 8 23:04:35 netgear TCP Packet - Source:87.10.109.15,2333 Destination:1.0.0.0,445 - [Any(ALL) match]
This is a log from my router. What is that IP 1.0.0.0?

Last edited by gabsik; 06-08-2006 at 06:05 PM.
 
Old 06-08-2006, 06:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
What is that ip 1.0.0.0
Seems a valid bogon to me.
 
Old 06-08-2006, 07:06 PM   #3
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 831

Rep: Reputation: 350
Quote:
Originally Posted by gabsik
This is a log from my router. What is that IP 1.0.0.0?
Virus-infected computers often have outbound traffic to bogon addresses because viruses quite often randomly choose addresses to scan for vulnerabilities. You could have an infected computer; even the dst port is 445 (Sasser, Agobot).
 
Old 06-09-2006, 05:35 AM   #4
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
87.10.109.15 is my ISP's network address:
Quote:
root@argo:~# nmap -sS -sR -sV -O -P0 87.10.109.15

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-09 11:18 CEST
Interesting ports on host15-109.pool8710.interbusiness.it (87.10.109.15):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows msrpc
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows msrpc
1720/tcp filtered H.323/Q.931
5000/tcp open UPnP
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port5000-TCP:V=3.81%D=6/9%Time=44893FD5%P=i686-pc-linux-gnu%r(RTSPReque
SF:st,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n");
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release

Nmap finished: 1 IP address (1 host up) scanned in 856.729 seconds
Polluted Windows machines, I hate them!!!
 
Old 06-28-2006, 08:50 PM   #5
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Quote:
Jun 29 01:43:41 argo INTERNET_BROADCAST: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:b0:62:27:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=264 PROTO=UDP SPT=68 DPT=67 LEN=308
This looks much the same as the 1.0.0.0 above. Can anyone link me to where this is explained?
 
Old 06-28-2006, 08:51 PM   #6
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Quote:
Jun 29 01:15:02 argo ippl: port 1027 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1027)
Jun 29 01:15:02 argo ippl: port 1026 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1026)
Jun 29 01:15:02 argo ippl: port 1028 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1028)
Jun 29 01:15:02 argo ippl: port 1029 UDP datagram from [6.145.3.196] (6.145.3.196:45604->192.168.0.2:1029)
These also look like quite strange IPs to me ...

Last edited by gabsik; 06-28-2006 at 11:20 PM.
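
A triage sketch for the three log formats quoted in this thread, added here as an example and not posted by any participant: it pulls source and destination out of each format and labels addresses that cannot be ordinary Internet hosts. The function names and the one-entry bogon list are assumptions of the example; 1.0.0.0/8 is listed because it was still unallocated when the thread was written.

```python
import ipaddress
import re

# Assumption for this example: 1.0.0.0/8 was still unallocated by IANA when the
# thread was written (2006), so it was a bogon then. It was assigned in 2010.
UNALLOCATED_2006 = [ipaddress.ip_network("1.0.0.0/8")]
BROADCAST = ipaddress.ip_address("255.255.255.255")
# Sample input: the router log line quoted in post #1.
SAMPLE = ("Jun 8 23:04:35 netgear TCP Packet - Source:87.10.109.15,2333 "
          "Destination:1.0.0.0,445 - [Any(ALL) match]")

# One pattern per log format quoted in the thread.
PATTERNS = [
    re.compile(r"Source:(?P<src>[\d.]+),(?P<sp>\d+) Destination:(?P<dst>[\d.]+),(?P<dp>\d+)"),  # Netgear
    re.compile(r"\((?P<src>[\d.]+):(?P<sp>\d+)->(?P<dst>[\d.]+):(?P<dp>\d+)\)"),  # ippl
    re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?SPT=(?P<sp>\d+) DPT=(?P<dp>\d+)"),  # iptables LOG
]

def parse(line):
    """Return (src, sport, dst, dport), or None if no known format matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return (ipaddress.ip_address(m["src"]), int(m["sp"]),
                    ipaddress.ip_address(m["dst"]), int(m["dp"]))
    return None

def address_note(ip):
    """Say why an address is not an ordinary Internet host, or return ''."""
    if ip.is_unspecified:
        return "unspecified"
    if ip == BROADCAST:
        return "limited broadcast"
    if any(ip in net for net in UNALLOCATED_2006):
        return "unallocated in 2006 (bogon)"
    if ip.is_private:
        return "private or special-use"
    return ""

def triage(line):
    """Classify one log line from the addresses and ports it contains."""
    rec = parse(line)
    if rec is None:
        return "unparsed"
    src, sp, dst, dp = rec
    if src.is_unspecified and dst == BROADCAST and (sp, dp) == (68, 67):
        return "DHCP client broadcast"
    notes = [f"{side} {n}" for side, ip in (("src", src), ("dst", dst)) if (n := address_note(ip))]
    return "; ".join(notes) or "no reserved address"
```

The 0.0.0.0 to 255.255.255.255 entry on UDP ports 68 and 67 is the pattern a DHCP client produces before it has an address, which is why it is classified separately from the bogon destination in the router log.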
 
  

