09-05-2006, 12:53 PM
#1
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Rep:
Still some iptables logs ... !
Code:
Sep 5 17:59:24 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18461 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:25 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18465 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:26 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18470 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:27 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18475 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:28 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18479 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:29 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18483 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:30 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18489 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:31 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18493 PROTO=UDP SPT=6348 DPT=6346 LEN=31
The list is much longer than what you see here; they all come from the same address and, as you see, SPT=6348 and DPT=6346. Now I go and have a look at /etc/services .... noooo !!! Actually I'm on a winzoz machine ....
What ports are 6346 and 6348? Is there anything I should be worried about? ?? ??
Links also will do !!!
09-05-2006, 02:09 PM
#2
Member
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940
Rep:
my guess would be p2p
searching google for 'port numbers' - first page listed is a good hit
http://www.iana.org/assignments/port-numbers
those ports are unassigned...
if you generally want to block p2p traffic on your lan look into www.ipp2p.org
this is an iptables plugin and is very good.
09-05-2006, 07:53 PM
#3
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
Rep:
The amount of logs this host is leaving on my PC is massive. They are all like the ones above ... I start getting worried !!!!
09-06-2006, 07:46 PM
#4
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
Rep:
I'm still getting these logs from the same host (it's a dynamic IP, but the nmap I made gives the same fingerprint):
Code:
Sep 6 17:14:12 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41472 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:13 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41516 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:14 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41569 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:15 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41625 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:16 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41675 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:17 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41728 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:18 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41774 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
I don't use any peer 2 peer progs; I have all processes under (ps -aux) or (lsof -n).
I can give output next post ... this host is giving me plenty of logs, thanks .. !!
Last edited by gabsik; 09-06-2006 at 07:51 PM.
09-06-2006, 09:40 PM
#5
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
Rep:
I finally found an answer to these scans:
Code:
Port Scans On 6346-6348
If you are receiving port scans on ports 6346, 6347 and 6348, it is more than likely that your system is not being attacked. The Gnutella Network, which currently uses programs such as Limewire and Bearshare, attempts to connect computers together through ports 6346, 6347 or 6348. If using DHCP, your computer's IP address may change every 24 hours, allowing the IP address to be obtained by another computer user. If an Internet user using these programs has saved your IP address and attempts to logon, the programs will attempt to make contact with the IP address. If the IP address has been released and renewed by another user, then it may appear in the firewall log as an attack on your system. For more information about the Gnutella Network please visit Limewire. You may also wish to understand what the Gnutella protocol is and how it works. Please visit Gnutella FAQ's .
It's p2p fault ....
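Added example (not from the thread or its posters): a small parser for the iptables LOG lines quoted in posts #1 and #4 that collapses the flood into one row per peer and marks traffic on the Gnutella servent ports 6346-6348 (the explanation quoted in post #5) as expected stale-peer noise, so that only other hits need a human look. The sample lines are taken from the thread plus one constructed TCP line on a documentation address; the prefix NO_PASSARAN and host argo are the thread's own.

```python
import re
from collections import Counter

# Gnutella servent ports, per the port-scan note quoted in post #5
GNUTELLA_PORTS = {6346, 6347, 6348}

# Constructed sample: three lines copied from the thread plus one constructed TCP line (198.51.100.7 is a documentation address)
SAMPLE_LOG = """\
Sep 5 17:59:24 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18461 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 5 17:59:25 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18465 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:14:12 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41472 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep 6 17:20:41 argo NO_PASSARAN: IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00 SRC=198.51.100.7 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

HEADER = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+?):\s+(.*)$")
INT_FIELDS = ("SPT", "DPT", "TTL", "ID", "LEN")


def parse_line(line):
    """Turn one iptables LOG line into a dict; bare tokens (CE, DF, SYN) become flags."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts, host, prefix, rest = m.groups()
    rec = {"time": ts, "host": host, "prefix": prefix, "flags": []}
    for tok in rest.split():
        if "=" not in tok:
            rec["flags"].append(tok)
            continue
        k, v = tok.split("=", 1)
        # LEN appears twice (IP total length, then UDP length); keep the first, IP-level value
        rec.setdefault(k, int(v) if k in INT_FIELDS and v.isdigit() else v)
    return rec


def classify(rec):
    """Servent traffic on 6346-6348 is the stale-peer noise from post #5; everything else needs a look."""
    if rec.get("PROTO") in ("UDP", "TCP") and {rec.get("SPT"), rec.get("DPT")} & GNUTELLA_PORTS:
        return "gnutella-p2p"
    return "review"


def summarize(text):
    """Count lines per (SRC, PROTO, DPT, verdict) so a flood from one peer collapses to one row."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["SRC"], rec["PROTO"], rec["DPT"], classify(rec))] += 1
    return counts
```

Run `summarize(open("/var/log/messages").read())` against a real log (or `summarize(SAMPLE_LOG)` for the sample) and print `.most_common()`; the two Gnutella peers collapse to two rows while the constructed SSH SYN stays flagged for review.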
09-07-2006, 02:57 AM
#6
Member
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940
Rep:
Quote:
Originally Posted by nathanael
my guess would be p2p
Quote:
Originally Posted by gabsik
I don't use any pear 2 pear progs
Quote:
Originally Posted by gabsik
It's p2p fault ....
hmmm... not that it was mentioned :-)
check specifically your windows clients on the network; one of them might be running a process of a p2p app.
check for installed programs and also for leftover processes.
p2p networks can be quite nasty: you can get viruses through them and they can slow down your internet connection - as you can see your router is receiving udp packets all the time...
09-08-2006, 09:02 AM
#7
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
Rep:
Quote:
Originally Posted by Nathanael
check specifically your windows clients on the network; one of them might be running a process of a p2p app.
In my LAN I don't have any windows clients, but there are lots of them in my ISP network, so I get worms, windows share, p2p tcp/udp scans, and they are quite nasty and consume bandwidth .... I will get by !!!