Weird Logs: Am I being hacked?
The following lines are appearing over and over again in my /var/log/messages:
Sep 29 12:33:59 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=24.59.130.38 DST=24.59.77.252 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=26724 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43905
Sep 29 12:33:59 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
Sep 29 12:34:00 syr-24-59-77-252 CROND[27498]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Sep 29 12:34:06 syr-24-59-77-252 kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth1 SRC=169.254.69.31 DST=169.254.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=64 ID=12916 DF PROTO=UDP SPT=631 DPT=631 LEN=124
Sep 29 12:34:09 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=203.197.199.185 DST=24.59.77.252 LEN=445 TOS=0x00 PREC=0x00 TTL=230 ID=47889 PROTO=UDP SPT=32770 DPT=1026 LEN=425

What does it mean? Am I being hacked? Thanks in advance, Dan
Short answer - No, you're not, it's a worm. But don't worry.
Long answer - this bit:
Sep 29 12:33:59 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
is the Nachi worm (I think), which Snort detects as CyberKit 2.2. Your firewall is blocking it and Snort is telling you what it is (albeit in a cack-handed way). Someone using the same ISP is infected with Nachi, which keeps pinging you. If it's possible, block ICMP inbound (no logging either), which should make /var/log/messages tidier.
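To turn the reply above into something you can check rather than take on trust, here is an added example (not code from the original thread) that parses the two kinds of entries in the post, the netfilter lines Shorewall writes via the kernel and the Snort syslog alerts, and aggregates them per source. The sample log is constructed from the lines in the post (with the Shorewall log prefix in its normal chain:disposition form) plus a few more echo requests from the same source, as would pile up over time. The Welchia/Nachi fingerprint it tests for is an assumption drawn from general knowledge of the worm rather than from the post: it pings with 64 bytes of 0xAA payload, giving an IP total length of 20 + 8 + 64 = 92 (matching the LEN=92 in the log), and Snort SID 483 ("ICMP PING CyberKit 2.2 Windows") matches on that 0xAA payload, which is why the worm shows up under that name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the post's lines plus two more pings from the same host.
SAMPLE_LOG = """\
Sep 29 12:33:59 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=24.59.130.38 DST=24.59.77.252 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=26724 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43905
Sep 29 12:33:59 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
Sep 29 12:34:00 syr-24-59-77-252 CROND[27498]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Sep 29 12:34:06 syr-24-59-77-252 kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth1 SRC=169.254.69.31 DST=169.254.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=64 ID=12916 DF PROTO=UDP SPT=631 DPT=631 LEN=124
Sep 29 12:34:09 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=203.197.199.185 DST=24.59.77.252 LEN=445 TOS=0x00 PREC=0x00 TTL=230 ID=47889 PROTO=UDP SPT=32770 DPT=1026 LEN=425
Sep 29 12:34:19 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=24.59.130.38 DST=24.59.77.252 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=26731 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43906
Sep 29 12:34:19 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
Sep 29 12:34:39 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=24.59.130.38 DST=24.59.77.252 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=26740 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43907
Sep 29 12:34:39 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
"""

SHOREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")

# Assumed worm fingerprint (see lead-in): 20 IP + 8 ICMP + 64 bytes of 0xAA.
WELCHIA_IP_LEN = 92
CYBERKIT_SID = "483"


def parse_shorewall(line):
    """Parse one Shorewall netfilter log line into a dict, or return None.

    netfilter repeats ID= and LEN= (IP header, then ICMP/UDP header), so a
    naive dict would overwrite the IP-level values. First occurrence wins;
    the ICMP echo identifier is kept separately as ICMP_ID.
    """
    m = SHOREWALL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"),
           "disp": m.group("disp"), "flags": []}
    for tok in m.group("rest").split():
        if "=" not in tok:              # bare flags such as DF
            rec["flags"].append(tok)
            continue
        k, v = tok.split("=", 1)
        if k in rec:
            if k == "ID" and rec.get("PROTO") == "ICMP":
                rec["ICMP_ID"] = v
            continue
        rec[k] = v
    return rec


def triage(log_text):
    """Count dropped echo requests and SID 483 alerts per source."""
    echo_by_src, cyberkit_by_src = Counter(), Counter()
    lens_by_src = defaultdict(set)
    other_drops = []                    # (src, proto, dport), non-ICMP
    for line in log_text.splitlines():
        rec = parse_shorewall(line)
        if rec:
            if rec["disp"] not in ("DROP", "REJECT"):
                continue
            if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8":
                echo_by_src[rec["SRC"]] += 1
                lens_by_src[rec["SRC"]].add(int(rec["LEN"]))
            else:
                other_drops.append((rec["SRC"], rec.get("PROTO"), rec.get("DPT")))
            continue
        alert = SNORT_RE.match(line)
        if alert and alert.group("sid") == CYBERKIT_SID:
            cyberkit_by_src[alert.group("src")] += 1
    # Every ping exactly 92 bytes and each one tripping SID 483: a worm, not a person.
    welchia_like = sorted(src for src, lens in lens_by_src.items()
                          if lens == {WELCHIA_IP_LEN} and cyberkit_by_src[src])
    return {"echo_requests": dict(echo_by_src),
            "cyberkit_alerts": dict(cyberkit_by_src),
            "welchia_like_sources": welchia_like,
            "other_drops": other_drops}


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for src, n in s["echo_requests"].items():
        tag = "Welchia/Nachi-like" if src in s["welchia_like_sources"] else "unclassified"
        print(f"{src}: {n} dropped echo requests, "
              f"{s['cyberkit_alerts'].get(src, 0)} SID 483 alerts ({tag})")
    for src, proto, dport in s["other_drops"]:
        print(f"{src}: {proto} to port {dport} dropped (not part of the ping noise)")
```

Run against the real /var/log/messages (for example `triage(open("/var/log/messages").read())`) the same aggregation shows whether the pings all come from one neighbouring address with the same 92-byte shape, which is what the reply describes, or from many addresses with varied sizes, which would be worth a closer look. Note that the aggregation deliberately keys on the IP total length from the first LEN= field; the second LEN= on UDP lines is the UDP length and would give a different answer.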