Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-02-2007, 08:52 PM
#1
LQ Newbie
Registered: Aug 2007
Posts: 11
Rep:
Possible Attack
I am running Etch and using Firestarter as my firewall. Recently, I
have noticed the firewall has been blocking incoming traffic every so
often. I copied an IP from my firewall log into my browser and it took
me to the National Weather Service Headquarters. I don't have any
weather programs installed. I thought it might be some misdirected
packet or something. I blacklisted the IP in the firewall. A day later,
Firestarter blocked an outgoing signal to the same IP address as the
National Weather Service.
I was bugged out by this and ended up blacklisting all the IPs that
turned up in my firewall log. Some may be legitimate, like the ones
outbound from port 80 and 995. But I'm not sure as my knowledge is
limited. Thunderbird is not connecting to the server anymore and wants
my password. From past experience with Windows I am leery to type in the
password, or unblock some IPs just yet. I realize gnu/linux cannot be
exploited like Windows, but I am not clear on what's happening.
The incoming and outgoing signals to the National Weather Service really
bother me though.
I am posting several firewall log outputs below. Please let me know if
this is normal traffic or not. I have serious doubts about the first
log. 140.90.128.70 is the IP for the National Weather Service.
Thanks
Jason72
1.
Time:Jul 19 19:57:57 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:57:58 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:57:59 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:00 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:00 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:01 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:02 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:03 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:06 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:07 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:08 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:09 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:18 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:19 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:20 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:21 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:42 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:43 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:44 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:58:45 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:30 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:31 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:32 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 19:59:33 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:06 Direction: Inbound In:eth0 Out: Port:46803
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:07 Direction: Inbound In:eth0 Out: Port:46806
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:08 Direction: Inbound In:eth0 Out: Port:46805
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 19 20:01:09 Direction: Inbound In:eth0 Out: Port:46804
Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
2.
Time:Jul 29 02:22:26 Direction: Inbound In:eth0 Out: Port:45790
Source:64.154.81.166 Destination:192.168.1.66 Length:1026 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 02:25:39 Direction: Inbound In:eth0 Out: Port:44176
Source:64.154.81.166 Destination:192.168.1.66 Length:1027 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 02:26:14 Direction: Inbound In:eth0 Out: Port:44189
Source:64.154.81.166 Destination:192.168.1.66 Length:1026 TOS:0x00
Protocol:TCP Service:Unknown
3.
Time:Jul 29 19:13:35 Direction: Inbound In:eth0 Out: Port:53725
Source:140.90.128.70 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 22:52:23 Direction: Inbound In:eth0 Out: Port:52030
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown
4.
Time:Jul 31 20:16:37 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 20:17:27 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 20:18:14 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 20:47:40 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 21:02:48 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 21:17:53 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 22:28:18 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 22:48:32 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
Time:Jul 31 23:21:06 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 23:25:55 Direction: Inbound In:eth0 Out: Port:44499
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 31 23:28:19 Direction: Inbound In:eth0 Out: Port:44503
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown
08-03-2007, 01:55 AM
#2
Moderator
Registered: May 2001
Posts: 29,415
Time:Jul 19 19:57:57 Direction: Inbound In:eth0 Out: Port:46803 Source:208.99.69.105 Destination:192.168.1.66 Length:1492 TOS:0x00 Protocol:TCP Service:Unknown
This doesn't say much. The source ports in log #1 are ephemeral ports which basically are "free for all", can be in any range and don't point to anything. The problem is the app you've been running tries to "resolve" the destination port(s) service from /etc/services, doesn't find an entry and shows "Unknown", and that is not helpful. If you got bare iptables log entries they could be more interesting to look at and while 208.99.69.105 could be compromised, if it's linked to the National Weather Service Headquarters then I suspect you have some applet loaded in one of your applications or your DE. (To be complete: chances this is ghosting from a dynamic IP address change would be near zero since these kinds of applets are pull, not push.)
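An added example (not code from the thread, and not Firestarter's own) that makes the two points in the reply above checkable on the log format quoted there: the Port field is looked up in /etc/services the way the GUI does, so "Unknown" is reproduced rather than guessed at, and ports inside the kernel's ephemeral range are flagged as naming no service. It also pairs inbound entries with outbound entries to the same remote host: the outbound entries in log 4 show that Port is the destination port (Port:995 resolves to Pop3s, the remote server's port), so for inbound entries Port is the local port the packet was addressed to. The ephemeral range 32768-61000 (the Linux default of that era, readable from /proc/sys/net/ipv4/ip_local_port_range) and the fallback service table are assumptions; the four sample entries are copied from logs 3 and 4 in the first post.

```python
"""Triage helper for Firestarter-style firewall log entries (added example)."""
import re
import socket
from collections import defaultdict

# Constructed sample input: four entries copied from logs 3 and 4 in post #1.
SAMPLE_LOG = """\
Time:Jul 29 19:13:35 Direction: Inbound In:eth0 Out: Port:53725
Source:140.90.128.70 Destination:192.168.1.66 Length:1492 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 29 22:52:23 Direction: Inbound In:eth0 Out: Port:52030
Source:68.142.229.13 Destination:192.168.1.66 Length:866 TOS:0x00
Protocol:TCP Service:Unknown
Time:Jul 31 20:16:37 Direction: Outbound In: Out:eth0 Port:995
Source:192.168.1.66 Destination:68.142.229.13 Length:44 TOS:0x00
Protocol:TCP Service:Pop3s
Time:Jul 31 20:17:27 Direction: Outbound In: Out:eth0 Port:80
Source:192.168.1.66 Destination:140.90.128.70 Length:44 TOS:0x00
Protocol:TCP Service:HTTP
"""

# Assumption: the default Linux ephemeral range of the period
# (/proc/sys/net/ipv4/ip_local_port_range = 32768 61000).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 61000

# Fallback used only when /etc/services is absent; names are the IANA ones.
FALLBACK_SERVICES = {22: "ssh", 25: "smtp", 80: "http", 123: "ntp",
                     443: "https", 993: "imaps", 995: "pop3s"}

# One Firestarter entry spans three lines; \s+ lets the pattern cross them.
ENTRY_RE = re.compile(
    r"Time:(?P<time>\w{3}\s+\d+ [\d:]+) Direction: (?P<direction>\w+) "
    r"In:(?P<in_if>\S*) Out:(?P<out_if>\S*)\s+Port:(?P<port>\d+)\s+"
    r"Source:(?P<src>[\d.]+) Destination:(?P<dst>[\d.]+) Length:(?P<length>\d+) "
    r"TOS:(?P<tos>\S+)\s+Protocol:(?P<proto>\w+) Service:(?P<service>\S+)"
)


def parse_entries(text):
    """Return one dict per log entry; port and length become ints."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["port"], e["length"] = int(e["port"]), int(e["length"])
        entries.append(e)
    return entries


def service_name(port, proto="tcp"):
    """Resolve a port as the GUI does: /etc/services, else 'unknown'."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:  # no entry (or no /etc/services at all)
        return FALLBACK_SERVICES.get(port, "unknown")


def classify(entry):
    """Describe an entry by remote host, which side the port belongs to, and ephemerality."""
    inbound = entry["direction"] == "Inbound"
    port = entry["port"]
    return {
        "time": entry["time"],
        "direction": entry["direction"],
        "remote": entry["src"] if inbound else entry["dst"],
        # Port is the destination port: local side for inbound, remote for outbound.
        "port_side": "local" if inbound else "remote",
        "port": port,
        "ephemeral": EPHEMERAL_LOW <= port <= EPHEMERAL_HIGH,
        "service": service_name(port, entry["proto"].lower()),
        "length": entry["length"],
    }


def remotes_seen_both_ways(entries):
    """Remote hosts that are both an inbound source and an outbound destination."""
    seen = defaultdict(set)
    for e in entries:
        c = classify(e)
        seen[c["remote"]].add(c["direction"])
    return {ip for ip, dirs in seen.items() if dirs == {"Inbound", "Outbound"}}


def summarize(text):
    """One human-readable line per entry with the triage notes attached."""
    entries = parse_entries(text)
    both = remotes_seen_both_ways(entries)
    out = []
    for c in map(classify, entries):
        notes = []
        if c["ephemeral"]:
            notes.append(f"{c['port_side']} port in ephemeral range, names no service")
        if c["remote"] in both:
            notes.append("this host also sent outbound traffic to that remote")
        out.append(f"{c['time']} {c['direction']:8} {c['remote']:15} port {c['port']:5} "
                   f"({c['service']}) len {c['length']}  " + "; ".join(notes))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run as a script it prints one line per entry; to use it on your own events, paste text in the same format into SAMPLE_LOG or read it from a file. On the sample the pairing is visible directly: the inbound packet from 140.90.128.70 was addressed to ephemeral local port 53725, and the same host appears as an outbound HTTP destination on port 80, which is the first thing to establish before treating an inbound hit as an attack.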
08-03-2007, 03:54 PM
#3
LQ Newbie
Registered: Aug 2007
Posts: 11
Original Poster
Rep:
Thanks
Thank you unSpawn. There is no personal data on the computer anyway, so I might try unblocking some blacklisted IPs and see what happens.
Jason72
08-03-2007, 03:56 PM
#4
Member
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835
Rep:
As a test, exit the gui and stop any feasible services. Shut down other computers on your lan (if applicable). Basically, kill everything other than the network and logging so you can be moderately sure that it isn't something on your computer. If the packets stop, then start things slowly until you figure out what the culprit is. If the packets don't stop, then I might think about consulting with the Weather Service's IT department.
08-04-2007, 08:27 AM
#5
LQ Newbie
Registered: Aug 2007
Posts: 11
Original Poster
Rep:
Thanks
Thank you gd2shoe, that makes sense. Again, my knowledge is limited, I'm not an IT guy, just a home user, so it may take me some time to figure it out. I have other computers I use, so it's not any kind of emergency.
I appreciate all the advice.
Thanks
Jason72
08-05-2007, 08:56 AM
#6
LQ Newbie
Registered: Aug 2007
Posts: 13
Rep:
Might I suggest that you see if the National Weather Service operates a public time server?
It's possible that your machine is syncing its time against the NWS NTP server...
You can check which servers are being used in your local config file /etc/ntp.conf or similar.
Last edited by leapy; 08-05-2007 at 09:03 AM.
08-05-2007, 08:25 PM
#7
Member
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835
Rep:
Quote:
Originally Posted by leapy
Might I suggest that you see if the National Weather Service operates a public time server?
It's possible that your machine is syncing its time against the NWS NTP server...
You can check which servers are being used in your local config file /etc/ntp.conf or similar.
While that is generally possible, I can think of two reasons why not. First, it is on an unused port (probably an upper port) which is why it shows up as an unknown service. NTP would be known (in /etc/services). Besides, I think NTP is usually UDP, as opposed to TCP (could be wrong on that one).
Furthermore, Debian by default syncs with Debian ntp servers. It is highly doubtful that any of those are controlled by the NWS. If I had my Debian box handy I'd confirm that.
FYI, the startup/terminate scripts for services are found in /etc/init.d. Specifying any of those followed by 'stop' will stop the service if it's running. Example:
Code:
/etc/init.d/ntp stop
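The isolation test suggested in posts #4 and #7 (stop services one at a time until the packets stop) can be shortened by asking the kernel directly which local socket, and on a live system which process, is connected to the remote address in question. The following is an added example, not part of Firestarter or Debian: it parses /proc/net/tcp, whose addresses are little-endian hex, and maps a socket's inode to the pid holding it by reading the links under /proc/<pid>/fd. The table below is constructed for the example (one listening socket, one established connection to 140.90.128.70:80, one TIME_WAIT socket to the POP3S server 68.142.229.13); on a real host replace it with the contents of /proc/net/tcp.

```python
"""Which local socket/process talks to a given remote host? (added example)"""
import os
import socket
import struct

# Subset of the kernel's TCP state codes (net/tcp_states.h); others are left as hex.
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 6: "TIME_WAIT",
              8: "CLOSE_WAIT", 10: "LISTEN"}

# Constructed /proc/net/tcp excerpt: sshd listening, one connection to
# 140.90.128.70:80, one TIME_WAIT leftover to 68.142.229.13:995 (inode 0).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0
   1: 4201A8C0:B3C5 46805A8C:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   2: 4201A8C0:D1DD 0DE58E44:03E3 06 00000000:00000000 00:00000000 00000000  1000        0 0 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'4201A8C0:0050' -> ('192.168.1.66', 80); the IPv4 part is little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local, remote, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        state = int(f[3], 16)
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(state, f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def connections_to(text, remote_ip):
    """Rows whose remote address is remote_ip (any state, any port)."""
    return [r for r in parse_proc_net_tcp(text) if r["remote"][0] == remote_ip]


def pid_for_inode(inode):
    """Map a socket inode to its owning pid via /proc/<pid>/fd (live system only).

    Returns None when /proc is absent, the inode is 0 (TIME_WAIT sockets have
    no owner), or no readable process holds it. Run as root to see all pids.
    """
    if not inode or not os.path.isdir("/proc"):
        return None
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited, or fd table not readable by this user
            continue
    return None


def report(text, remote_ip):
    """One line per connection to remote_ip, with the owning pid when known."""
    lines = []
    for r in connections_to(text, remote_ip):
        pid = pid_for_inode(r["inode"])
        owner = f"pid {pid}" if pid is not None else "owner unknown"
        lines.append(f"{r['local'][0]}:{r['local'][1]} -> {r['remote'][0]}:{r['remote'][1]} "
                     f"{r['state']} uid {r['uid']} ({owner})")
    return lines


if __name__ == "__main__":
    # On a real host: text = open("/proc/net/tcp").read()
    print("\n".join(report(SAMPLE_PROC_NET_TCP, "140.90.128.70")))
```

Because the firewall only logs packets it drops, a socket will usually be found this way only while the connection is still open; running the check while the remote host is being contacted (the outbound HTTP entries in log 4 recur roughly every half hour) is what makes it useful. A pid, once found, is read back to a program with `ps -p <pid>`, which gives the service or applet to stop in the isolation test.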
08-06-2007, 06:55 PM
#8
LQ Newbie
Registered: Aug 2007
Posts: 11
Original Poster
Rep:
gd2shoe, for some unknown reason, the firewall, after running for many months without issue, seems to have become hypersensitive. I go to certain sites, and it logs that site as a hit, although it's a legitimate site. Sites like Carmax.com. And for some reason, it was logging my email every time it tried to connect to the server to check for messages. I've unblocked several that were legitimate, and those that were questionable, I blocked at the source. I don't seem to be having any more problems. Later on I am going to poke around with the terminate scripts, and unblock the Weather Service IP and see what happens.
Thanks for the useful info, it's much appreciated.
Jason72