LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-29-2003, 01:32 PM   #1
KingofBLASH
Member
 
Registered: Sep 2003
Distribution: Just upgraded to Slackware 10.0
Posts: 91

Rep: Reputation: 15
Weird Logs: Am I being hacked?


The following lines are appearing over and over again in my /var/log/messages:

Sep 29 12:33:59 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=24.59.130.38 DST=24.59.77.252 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=26724 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43905
Sep 29 12:33:59 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
Sep 29 12:34:00 syr-24-59-77-252 CROND[27498]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Sep 29 12:34:06 syr-24-59-77-252 kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth1 SRC=169.254.69.31 DST=169.254.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=64 ID=12916 DF PROTO=UDP SPT=631 DPT=631 LEN=124
Sep 29 12:34:09 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=203.197.199.185 DST=24.59.77.252 LEN=445 TOS=0x00 PREC=0x00 TTL=230 ID=47889 PROTO=UDP SPT=32770 DPT=1026 LEN=425

What does it mean? Am I being hacked?

Thanks in advance,

Dan
 
Old 09-29-2003, 02:38 PM   #2
frogman
Member
 
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 31
Short answer - No, you're not, it's a worm. But don't worry.

Long answer - this bit:

Sep 29 12:33:59 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252

is the Nachi worm (I think), which Snort detects as Cyberkit 2.2. Your firewall is blocking it and Snort is telling you what it is (albeit in a cack-handed way).

Someone using the same ISP is infected with Nachi, which keeps pinging you.

If it's possible, block ICMP inbound (no logging either), which should make /messages tidier.
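An added example, not part of either post, showing how the two kinds of line in the quoted log fit together. It parses the Shorewall (netfilter LOG) entries and the Snort alerts out of /var/log/messages, counts firewall hits per source, protocol and target, and joins each Snort alert to the firewall line logged for the same packet (same second, same source and destination), so a ping that is repeating but already being dropped stands out as noise while anything else gets its own line to look at. The sample input is constructed from this thread's own log lines, with the Shorewall prefix written in its documented `Shorewall:chain:disposition:` form; the regexes, the field names and the `_2` suffix for the repeated `ID`/`LEN` keys are this example's own choices, not Shorewall's or Snort's.

```python
"""Parse netfilter (Shorewall) and Snort lines from /var/log/messages and
correlate them, so already-blocked noise can be told apart from traffic
that needs a closer look."""
import re
from collections import Counter, defaultdict

# Constructed sample input: the lines quoted in this thread, with the
# Shorewall prefix in its documented "Shorewall:chain:disposition:" form.
SAMPLE_LOG = """\
Sep 29 12:33:59 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=24.59.130.38 DST=24.59.77.252 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=26724 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43905
Sep 29 12:33:59 syr-24-59-77-252 snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 24.59.130.38 -> 24.59.77.252
Sep 29 12:34:00 syr-24-59-77-252 CROND[27498]: (root) CMD ( /usr/share/msec/promisc_check.sh)
Sep 29 12:34:06 syr-24-59-77-252 kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth1 SRC=169.254.69.31 DST=169.254.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=64 ID=12916 DF PROTO=UDP SPT=631 DPT=631 LEN=124
Sep 29 12:34:09 syr-24-59-77-252 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:01:03:2e:db:63:00:01:42:1d:dd:8c:08:00 SRC=203.197.199.185 DST=24.59.77.252 LEN=445 TOS=0x00 PREC=0x00 TTL=230 ID=47889 PROTO=UDP SPT=32770 DPT=1026 LEN=425
"""

# Classic syslog header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Shorewall prefixes the kernel's netfilter LOG output with "chain:disposition:".
SHOREWALL_RE = re.compile(
    r"^Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>IN=.*)$")
# Snort syslog alert: "[gid:sid:rev] desc [Classification: ..] [Priority: n]: {proto} src -> dst".
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<desc>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")


def parse_netfilter_fields(rest):
    """KEY=VALUE tail of a netfilter LOG line as a dict. Bare tokens (DF, SYN)
    go under FLAGS; ID and LEN appear twice (IP header, then ICMP/UDP/TCP
    header), so a repeated key is stored as KEY_2 rather than overwritten."""
    fields, flags = {}, []
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key if key not in fields else key + "_2"] = val
        else:
            flags.append(tok)
    fields["FLAGS"] = flags
    return fields


def parse_line(line):
    """Classify one syslog line as 'netfilter', 'snort' or 'other'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "other"
    if rec["prog"] == "kernel":
        sw = SHOREWALL_RE.match(rec["msg"])
        if sw:
            rec.update(kind="netfilter", chain=sw["chain"],
                       disposition=sw["disp"], **parse_netfilter_fields(sw["rest"]))
    elif rec["prog"] == "snort":
        sn = SNORT_RE.match(rec["msg"])
        if sn:
            rec.update(kind="snort", **sn.groupdict())
    return rec


def analyze(log_text):
    """Count firewall hits per (disposition, source, protocol, target) and
    attach any Snort alert logged for the same packet (same second, same
    source and destination) to the firewall line it belongs to."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    snort_by_key = defaultdict(list)
    for r in records:
        if r["kind"] == "snort":
            snort_by_key[(r["ts"], r["src"], r["dst"])].append(
                f"{r['gid']}:{r['sid']} {r['desc']}")
    hits, findings = Counter(), []
    for r in records:
        if r["kind"] != "netfilter":
            continue
        target = (f"type {r.get('TYPE')}" if r["PROTO"] == "ICMP"
                  else f"port {r.get('DPT')}")
        hits[(r["disposition"], r["SRC"], r["PROTO"], target)] += 1
        direction = "inbound" if r["IN"] else "outbound"
        note = (f"{r['disposition']} {direction} {r['PROTO']} {target} "
                f"from {r['SRC']} to {r['DST']} (chain {r['chain']})")
        if r["PROTO"] == "ICMP" and r.get("TYPE") == "8" and direction == "inbound":
            note += "; unsolicited echo request (ping)"
        alerts = snort_by_key.get((r["ts"], r["SRC"], r["DST"]))
        if alerts:
            note += "; Snort flagged the same packet as " + ", ".join(alerts)
        if r["SRC"].startswith("169.254.") and r["DST"].endswith(".255"):
            note += "; link-local broadcast from this host, local noise rather than an attack"
        findings.append(note)
    return {"hits": hits, "findings": findings,
            "ignored": sum(r["kind"] == "other" for r in records)}


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```

Run against the sample it prints one finding per firewall line: the inbound ICMP drop from 24.59.130.38 carries the Snort 1:483 alert that fired on the same packet; the outbound REJECT is this host's own link-local broadcast on UDP 631 (the IPP/CUPS browsing port) being refused by the OUTPUT chain; and the UDP 1026 drop from 203.197.199.185 is a third, unrelated unsolicited packet. Feeding it a real day's /var/log/messages and sorting `hits` by count is a quieter alternative to switching ICMP logging off altogether: the repeating ping sinks to the bottom as a single high-count key, while anything that shows up once against an open or unexpected port stays visible.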
All times are GMT -5. The time now is 05:49 PM.