LinuxQuestions.org
Old 09-05-2006, 12:53 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
Still some iptables logs ... !


Code:
Sep  5 17:59:24 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18461 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:25 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18465 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:26 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18470 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:27 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18475 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:28 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18479 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:29 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18483 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:30 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18489 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:31 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18493 PROTO=UDP SPT=6348 DPT=6346 LEN=31
The list is much longer than what you see here; they all come from the same address and, as you see, SPT=6348 and DPT=6346. Now I go and have a look at /etc/services .... noooo !!! Actually I'm on a winzoz machine ....
What ports are 6346 and 6348? Is it anything I should be worried about? ????

Links also will do !!!
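The log lines above can be summarized mechanically rather than read one by one. The following Python script is an added example and not code from anyone in this thread: it parses iptables LOG entries in the format shown (the NO_PASSARAN: prefix is the one in the poster's log; the sample lines are constructed, including a made-up TCP SYN line and an unrelated syslog line that must be ignored), groups them by source address, protocol and destination port, looks the port up in /etc/services with socket.getservbyport, and labels steady UDP traffic to 6346-6348 from one fixed source port as Gnutella peer noise, the explanation the thread arrives at in post #5.

```python
import re
import socket
import sys

# Constructed sample: the first three lines copy the format of the logs in the
# thread (log-prefix "NO_PASSARAN:"), the fourth is a TCP SYN line made up for
# contrast, and the last is a non-iptables syslog line that must be ignored.
SAMPLE_LOG = """\
Sep  5 17:59:24 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18461 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  5 17:59:25 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.0.136 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=18465 PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:12 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41472 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:20:01 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=10.9.8.7 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  6 17:20:02 argo cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

LOG_PREFIX = "NO_PASSARAN:"            # the --log-prefix used by the poster's rule
GNUTELLA_PORTS = {6346, 6347, 6348}    # Gnutella client ports named in post #5
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")


def parse_line(line, prefix=LOG_PREFIX):
    """Split one iptables LOG line into a dict of KEY=VALUE fields.
    Bare tokens (CE, DF, SYN, ...) go into fields["flags"]. Returns None for
    lines without the prefix. A key seen twice (LEN is logged once for the IP
    header and again for the UDP header) keeps its first value; the second
    copy is stored under "L4_<KEY>"."""
    pos = line.find(prefix)
    if pos < 0:
        return None
    m = SYSLOG_RE.match(line)
    fields = {"ts": m.group(1) if m else "", "host": m.group(2) if m else "", "flags": []}
    for tok in line[pos + len(prefix):].split():
        if "=" not in tok:
            fields["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        fields["L4_" + key if key in fields else key] = val
    return fields


def summarize(log_text, prefix=LOG_PREFIX):
    """Group LOG lines by (SRC, PROTO, DPT) and record the packet count, the
    time span, the distinct source ports and the flags seen."""
    groups = {}
    for line in log_text.splitlines():
        f = parse_line(line, prefix)
        if not f or "SRC" not in f:
            continue
        key = (f["SRC"], f.get("PROTO", "?"), int(f.get("DPT", 0)))
        g = groups.setdefault(key, {"count": 0, "first": f["ts"], "last": f["ts"],
                                    "spt": set(), "flags": set()})
        g["count"] += 1
        g["last"] = f["ts"]
        g["spt"].add(int(f.get("SPT", 0)))
        g["flags"].update(f["flags"])
    return groups


def classify(key, group):
    """Label a group. UDP to the Gnutella ports from a single fixed source port
    matches a peer still trying an address it learned earlier (the thread's
    finding); anything else is left for manual review."""
    _src, proto, dpt = key
    if proto == "UDP" and dpt in GNUTELLA_PORTS and len(group["spt"]) == 1:
        return "gnutella peer, probably a stale DHCP lease"
    return "review"


def service_name(port, proto):
    """Name from /etc/services via getservbyport, or None if the port is unlisted."""
    try:
        return socket.getservbyport(port, proto.lower())
    except OSError:
        return None


def report(log_text):
    """One summary line per group, busiest source first."""
    lines = []
    for key, g in sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["count"]):
        src, proto, dpt = key
        name = service_name(dpt, proto) or "unlisted"
        lines.append(f"{src:>15} {proto:<4} dpt={dpt} ({name}) n={g['count']} "
                     f"spt={sorted(g['spt'])} {g['first']}..{g['last']} -> {classify(key, g)}")
    return lines


if __name__ == "__main__":
    # Pass a log file path (e.g. /var/log/messages) to analyse real data;
    # with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it against the file your LOG target writes to (typically /var/log/messages or /var/log/kern.log) and read the output by group: a fixed SPT, one packet per second and a count that keeps growing is the signature of a client retrying a remembered address, whereas a scan would walk through many DPT values from the same source.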
 
Old 09-05-2006, 02:09 PM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
my guess would be p2p

searching google for 'port numbers' - first page listed is a good hit
http://www.iana.org/assignments/port-numbers
those ports are unassigned...

if you generally want to block p2p traffic on your LAN, look into www.ipp2p.org
this is an iptables plugin and is very good.
 
Old 09-05-2006, 07:53 PM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
The amount of logs this host is leaving on my pc is massive. They are all like the ones above ... I start getting worried !!!!
 
Old 09-06-2006, 07:46 PM   #4
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
I'm still getting these logs from the same host (it's a dynamic IP, but the nmap I made gives the same fingerprint):
Code:
Sep  6 17:14:12 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41472 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:13 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41516 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:14 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41569 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:15 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41625 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:16 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41675 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:17 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41728 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
Sep  6 17:14:18 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=83.24.6.59 DST=192.168.0.2 LEN=51 TOS=00 PREC=0x00 TTL=114 ID=41774 CE PROTO=UDP SPT=6348 DPT=6346 LEN=31
I don't use any peer-to-peer progs; I have all processes under (ps -aux) or (lsof -n).
I can give output next post ... this host is giving me plenty of logs. Thanks .. !!

Last edited by gabsik; 09-06-2006 at 07:51 PM.
 
Old 09-06-2006, 09:40 PM   #5
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
I finally found an answer to these scans:
Code:
Port Scans On 6346-6348
If you are receiving port scans on ports 6346, 6347 and 6348, it is more than likely that your system is not being attacked. The Gnutella Network, which currently uses programs such as Limewire and Bearshare, attempts to connect computers together through ports 6346, 6347 or 6348. If using DHCP, your computer's IP address may change every 24 hours, allowing the IP address to be obtained by another computer user. If an Internet user using these programs has saved your IP address and attempts to logon, the programs will attempt to make contact with the IP address. If the IP address has been released and renewed by another user, then it may appear in the firewall log as an attack on your system. For more information about the Gnutella Network please visit Limewire. You may also wish to understand what the Gnutella protocol is and how it works. Please visit Gnutella FAQ's .
It's p2p fault ....
 
Old 09-07-2006, 02:57 AM   #6
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
Quote:
Originally Posted by nathanael
my guess would be p2p
Quote:
Originally Posted by gabsik
I don't use any pear 2 pear progs
Quote:
Originally Posted by gabsik
It's p2p fault ....
hmmm... not that it was mentioned :-)

check specifically your windows clients on the network; one of them might be running a process of a p2p app.
check for installed programs and also for leftover processes.
p2p networks can be quite nasty: you can get viruses through them and they can slow down your internet connection - as you can see, your router is receiving udp packets all the time...
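Post #4 mentions checking with ps and lsof, and the reply above suggests looking for leftover processes; the check can also be done programmatically. The Python script below is an added example, not code from either poster: it reads the kernel's UDP socket table from /proc/net/udp (a constructed sample table is embedded so the parsing runs anywhere), decodes the hex address columns, reports any socket bound to 6346-6348, and maps a socket inode to its PID by scanning /proc/<pid>/fd, which is what lsof -n does for you. The address decoding assumes a little-endian host by default (x86, and the sample), since the kernel prints the IPv4 address in host byte order.

```python
import os
import sys

# Constructed sample in the layout of /proc/net/udp (Linux). Row 1 is a
# made-up socket bound to 192.168.0.2:6346 by uid 1000; the other rows are a
# DHCP client on 0.0.0.0:68 and a resolver on 127.0.0.1:53.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18210 2 0000000000000000 0
   1: 0200A8C0:18CA 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 27313 2 0000000000000000 0
   2: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15022 2 0000000000000000 0
"""

GNUTELLA_PORTS = {6346, 6347, 6348}   # the ports in the poster's log lines


def decode_addr(hex_addr, little_endian=(sys.byteorder == "little")):
    """'0200A8C0:18CA' -> ('192.168.0.2', 6346). The IPv4 address is printed
    in host byte order, so on little-endian hosts its bytes are reversed;
    the port is plain hexadecimal."""
    ip_hex, port_hex = hex_addr.split(":")
    ip_bytes = bytes.fromhex(ip_hex)
    if little_endian:
        ip_bytes = ip_bytes[::-1]
    return ".".join(str(b) for b in ip_bytes), int(port_hex, 16)


def parse_proc_net_udp(text, little_endian=(sys.byteorder == "little")):
    """Return one dict per socket row: local_ip, local_port, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        ip, port = decode_addr(cols[1], little_endian)
        rows.append({"local_ip": ip, "local_port": port,
                     "uid": int(cols[7]), "inode": int(cols[9])})
    return rows


def listeners_on(rows, ports):
    """Rows whose local port is in `ports` (here the Gnutella set)."""
    return [r for r in rows if r["local_port"] in ports]


def pid_for_inode(inode, proc="/proc"):
    """Find the PID owning a socket inode by reading /proc/<pid>/fd links.
    Returns None when not found, when not on Linux, or without permission
    to read other users' fd tables (run as root for a full answer)."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue                            # process exited or not readable
    return None


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    try:
        with open("/proc/net/udp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_UDP
    hits = listeners_on(parse_proc_net_udp(text), GNUTELLA_PORTS)
    if not hits:
        print("no local UDP socket bound to", sorted(GNUTELLA_PORTS))
    for r in hits:
        print(f"{r['local_ip']}:{r['local_port']} uid={r['uid']} "
              f"inode={r['inode']} pid={pid_for_inode(r['inode'])}")
```

If the script reports no local socket on those ports, the machine is not running a Gnutella client and the incoming packets are simply being dropped and logged, as the later posts in this thread conclude; a hit with a PID points at the process to look into.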
 
Old 09-08-2006, 09:02 AM   #7
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Nathanael
chech specifically your windows clients on the network one of them might be running a process of an p2p app.
In my LAN I don't have any windows clients, but there are lots of them in my ISP's network, so I get worms, windows share, p2p tcp/udp scans, and they are quite nasty and consume bandwidth .... I will get by !!!
 