LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-02-2007, 08:52 PM   #1
Jason72
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Rep: Reputation: 0
Possible Attack


I am running Etch and using Firestarter as my firewall. Recently, I
have noticed the firewall has been blocking incoming traffic every so
often. I copied an IP from my firewall log into my browser and it took
me to the National Weather Service Headquarters. I don't have any
weather programs installed. I thought it might be some misdirected
packet or something. I blacklisted the IP in the firewall. A day later,
Firestarter blocked an outgoing signal to the same IP address as the
National Weather Service.

I was bugged out by this and ended up blacklisting all the IPs that
turned up in my firewall log. Some may be legitimate, like the ones
outbound from port 80 and 995. But I'm not sure as my knowledge is
limited. Thunderbird is not connecting to the server anymore and wants
my password. From past experience with Windows I am leery to type in the
password, or unblock some IPs just yet. I realize gnu/linux cannot be
exploited like Windows, but I am not clear on whats happening.


The incoming and outgoing signals to the National Weather Service really
bother me though.
I am posting several firewall log outputs below. Please let me know it
this is normal traffic or not. I have serious doubts about the first
log. 140.90.128.70 is the IP for the National Weather Service.

Thanks
Jason72

1.
Time:Jul 19 19:57:57 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:57:58 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:57:59 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:00 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:00 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:01 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:02 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:03 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:06 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:07 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:08 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:09 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:18 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:19 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:20 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:21 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:42 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:43 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:44 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:45 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:30 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:31 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:32 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:33 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:06 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:07 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:08 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:09 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown


2.
Time:Jul 29 02:22:26 Direction: Inbound In:eth0 Out: Port:45790
Source:64.154.81.166 Destination:192.168.1.66 Length:1026 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 02:25:39 Direction: Inbound In:eth0 Out: Port:44176
Source:64.154.81.166 Destination:192.168.1.66 Length:1027 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 02:26:14 Direction: Inbound In:eth0 Out: Port:44189
Source:64.154.81.166 Destination:192.168.1.66 Length:1026 TOS:0x00
Protocol:TCP Service:Unknown

3.
Time:Jul 29 19:13:35 Direction: Inbound In:eth0 Out: Port:53725
Source:140.90.128.70 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 22:52:23 Direction: Inbound In:eth0 Out: Port:52030
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown

4.
Time:Jul 31 20:16:37 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 20:17:27 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 20:18:14 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 20:47:40 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 21:02:48 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 21:17:53 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 22:28:18 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 22:48:32 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 23:21:06 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 23:25:55 Direction: Inbound In:eth0 Out: Port:44499
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 31 23:28:19 Direction: Inbound In:eth0 Out: Port:44503
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown
 
Old 08-03-2007, 01:55 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Time:Jul 19 19:57:57 Direction: Inbound In:eth0 Out: Port:46803 Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00 Protocol:TCP Service:Unknown
This doesn't say much. The source ports in log #1 are ephemeral ports which basically are "free for all", can be in any range and don't point to anything. The problem is the app you've been running tries to "resolve" the destination port(s) service from /etc/services, doesn't find an entry and shows "Unknown", and that is not helpful. If you got bare iptables log entries they could be more interesting to look at and while 208.99.69.105 could be compromised, if it's linked to the National Weather Service Headquarters then I suspect you have some applet loaded in one of your applications or your DE. (To be complete: chances this is ghosting from a dynamic IP address change would be near zero since these kind of applets are pull, not push.)
 
Old 08-03-2007, 03:54 PM   #3
Jason72
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks

Thank you unSpawn. There is no personal data on the computer anyway, so I might try unblocking some blacklisted IPs and see what happens.
Jason72
 
Old 08-03-2007, 03:56 PM   #4
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
As a test, exit the gui and stop any feasible services. Shutdown other computers on your lan (if applicable). Basically, kill everything other than the network and logging so you can be moderately sure that it isn't something on your computer. If the packets stop, then start things slowly until you figure out what the culprit is. If the packets don't stop, then I might think about consulting with the Weather Service's IT department.
 
Old 08-04-2007, 08:27 AM   #5
Jason72
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks

Thank you gd2shoe, that makes sense. Again, my knowledge is limited, I'm not an IT guy, just a home user, so it may take me some time to figure it out. I have other computers I use, so its not any kind of emergency.

I appreciate all the advice.

Thanks
Jason72
 
Old 08-05-2007, 08:56 AM   #6
leapy
LQ Newbie
 
Registered: Aug 2007
Posts: 13

Rep: Reputation: 0
might i suggest that you see if the National Weather Service operate a public time server?

It's possible that your machine is syncing its time against the NWS NTP server...

you can check which servers are being used in your local config file /etc/ntp.conf or similar.

Last edited by leapy; 08-05-2007 at 09:03 AM.
 
Old 08-05-2007, 08:25 PM   #7
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Rep: Reputation: 49
Quote:
Originally Posted by leapy
might i suggest that you see if the National Weather Service operate a public time server?

It's possible that your machine is syncing its time against the NWS NTP server...

you can check which servers are being used in your local config file /etc/ntp.conf or similar.
While that is generally possible, I can think of two reasons why not. First, it is on an unused port (probably an upper port) which is why it shows up as an unknown service. NTP would be known (in /etc/services). Besides, I think NTP is usually UDP, as apposed to TCP (could be wrong on that one).

Furthermore, Debian by default syncs with Debian ntp servers. It is highly doubtful that any of those are controlled by the NWS. If I had my Debian box handy I'd confirm that.

FYI, the startup/terminate scripts for services are found in /etc/init.d. Specifying any of those followed by 'stop' will stop the service if it's running. Example:
Code:
/etc/init.d/ntp stop
 
Old 08-06-2007, 06:55 PM   #8
Jason72
LQ Newbie
 
Registered: Aug 2007
Posts: 11

Original Poster
Rep: Reputation: 0
gd2shoe, for some unknown reason, the firewall after running for many months without issue seems to have become hypersensitive, I go to certain sites, and it logs that site as a hit, although its a legitimate site. Sites like Carmax.com. And for some reason, it was logging my email everytime it tried to connect to the server to check for messages. I've unblocked several that were legitimate, and those that were questionable, I blocked at the source. I don't seem to be having anymore problems. Later on I am going to poke around with the terminate scripts, and unblock the Weather Service IP and see what happens.

Thanks for the useful info, its much appreciated.
Jason72
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Does anyone see attack like this? fedora4002 Linux - Security 1 01-30-2007 05:04 PM
What attack could this be??? darrel Linux - Security 10 02-26-2005 10:10 PM
What to do during an attack? revenant Linux - Security 9 04-02-2004 12:18 AM
Help I am UNDER ATTACK... needamiracle Linux - Security 28 04-22-2003 12:06 PM
Any attack? vcheah Linux - Security 1 12-07-2001 01:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration