Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-07-2020, 09:24 PM   #1
Jeff Maxwell
LQ Newbie
 
Registered: Mar 2019
Posts: 14

Problems With a Hacker - Can anyone tell me if

Can anyone tell me if the following journal entries appear to be someone trying to get in, or something else?

Thanks ahead of time.
Max

2/7/20 10:03 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:48:5d:36:22:ec:46:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=25057 DF PROTO=2
2/7/20 10:03 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=2452 PROTO=2
2/7/20 10:04 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=51917 PROTO=2
2/7/20 10:05 PM CRON pam_unix(cron:session): session opened for user root by (uid=0)
2/7/20 10:05 PM CRON pam_unix(cron:session): session opened for user root by (uid=0)
2/7/20 10:05 PM CRON (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[[:space:]]*[^#]*[[:space:]]*WorkDir' /etc/mrtg.cfg | awk '{ print $NF }')" ]; then mkdir -p /var/log/mrtg ; env LANG=C /usr/bin/mrtg /etc/mrtg.cfg 2>&1 | tee -a /var/log/mrtg/mrtg.log ; fi)
2/7/20 10:05 PM CRON (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2/7/20 10:05 PM CRON pam_unix(cron:session): session closed for user root
2/7/20 10:05 PM CRON pam_unix(cron:session): session closed for user root
2/7/20 10:05 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:48:5d:36:22:ec:46:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=24890 DF PROTO=2
2/7/20 10:05 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11854 PROTO=2
2/7/20 10:06 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=8731 PROTO=2
2/7/20 10:07 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:48:5d:36:22:ec:46:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=5370 DF PROTO=2
2/7/20 10:07 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=45259 PROTO=2
2/7/20 10:08 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=16325 PROTO=2
2/7/20 10:09 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=35737 PROTO=2
2/7/20 10:09 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:48:5d:36:22:ec:46:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=23521 DF PROTO=2
 
Old 02-07-2020, 09:35 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,311
Blog Entries: 28

Random port scans maybe?
 
1 members found this post helpful.
Old 02-08-2020, 05:03 AM   #3
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Looks harmless to me (famous last words, haha).
I have similar output showing up all the time, I think my router is doing that.
 
Old 02-08-2020, 06:51 AM   #4
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

A similar case at https://askubuntu.com/questions/2789...s-in-my-syslog

Quoting the answer from there:
Quote:
Originally Posted by Salt
I believe you have some service on your local network that is advertising itself or looking for clients. It's your "default deny incoming" rule that's blocking this traffic. Yours looks much like persistent noise I see on my home network, caused by a Multicast DNS server in my router.

mDNS multicasts to 224.0.0.251, so that's not what yours is. You have something multicasting to 224.0.0.1, a generic "all hosts" address.
In this case, I see both 224.0.0.251 and 224.0.0.1.
 
Old 02-08-2020, 12:09 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,726

I learn something every day here.
These addresses are reserved for "multicast" assignments. They appear to be similar to the "private" addresses starting with 192., 10., etc. in that what they're used for is reserved.

What they mean on your 'puter would require a greater understanding than I have, or care to research. I do note that they appear to be "DST" (destination?) addresses from the SRC IP 192.168.1.206 (is that your 'puter?) -- but I'm not sure of that, given ntubski's comment.
 
Old 02-14-2020, 07:26 PM   #6
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Your router appears to have IGMP snooping enabled.
 
1 members found this post helpful.
Old 02-14-2020, 08:38 PM   #7
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,883
Blog Entries: 13

192.168.1.x addresses are typically what are assigned to and by your local router.

xxx.1 IS the router.

Figure out what xxx.206 is, probably some other computer in the area, that is part of your network. Or, might even be your system itself.

The 224.0.0.1 and 251 addresses are likely the gateway and DNS maybe for your ISP.

Why not look at what your router is doing before getting too paranoid.

For that matter, detach from your ISP so that it is only your local home network by itself. Reboot all things, and then see what you get.
 
1 members found this post helpful.
Old 02-15-2020, 08:57 AM   #8
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Quote:
2/7/20 10:03 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:48:5d:36:22:ec:46:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=25057 DF PROTO=2
2/7/20 10:03 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=2452 PROTO=2
PROTO 2 is IGMP
The host at 192.168.1.1 is sending a standard query. From RFC 1112 in the link above:
Quote:
Multicast routers send Host Membership Query messages (hereinafter
called Queries) to discover which host groups have members on their
attached local networks. Queries are addressed to the all-hosts
group (address 224.0.0.1), and carry an IP time-to-live of 1.
The host at 192.168.1.206 appears to be misconfigured.

Last edited by allend; 02-15-2020 at 08:58 AM.
 
2 members found this post helpful.
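The points made in #4 (224.0.0.251 is mDNS, 224.0.0.1 is the all-hosts group) and #8 (PROTO 2 is IGMP; queries go to 224.0.0.1 with TTL 1) can be turned into a small triage script for exactly these journal lines. The following is an added example, not code from anyone in this thread. It embeds two lines copied from the first post plus one constructed unicast line (TEST-NET-3 source, SSH destination) for contrast; the bucket names, the RFC 1112 MAC check and the `triage` helper are my own. One fact it relies on beyond what the posts say: an IGMPv2 membership report is sent to the group being joined (RFC 2236), so IGMP from a host to 224.0.0.251 is that host joining the mDNS group.

```python
"""Triage [UFW BLOCK] journal lines: link-local multicast noise vs. everything else.

Added example for this thread, not code from any of the posts. Encodes:
PROTO=2 is IGMP; membership queries go to all-hosts 224.0.0.1 with TTL=1;
224.0.0.251 is mDNS; an IPv4 group address maps to Ethernet 01:00:5e:xx:xx:xx
(RFC 1112); IGMPv2 reports are addressed to the group being joined (RFC 2236).
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

_KV = re.compile(r"(\w+)=(\S*)")  # key=value tokens; "OUT=" may be empty

# Groups in 224.0.0.0/24 are link-local control traffic and are never routed.
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")
KNOWN_GROUPS = {"224.0.0.1": "all-hosts", "224.0.0.251": "mDNS", "224.0.0.252": "LLMNR"}


@dataclass
class UfwEvent:
    src: str
    dst: str
    proto: str      # "2" for IGMP; iptables prints TCP/UDP/ICMP by name
    ttl: int
    length: int
    dst_mac: str
    src_mac: str
    ethertype: str


def parse_ufw_line(line: str) -> Optional[UfwEvent]:
    """Return the parsed event, or None if this is not a [UFW BLOCK] line."""
    if "[UFW BLOCK]" not in line:
        return None
    f = dict(_KV.findall(line.split("[UFW BLOCK]", 1)[1]))
    # MAC= is dst MAC (6 bytes) + src MAC (6 bytes) + EtherType (2 bytes).
    mac = f.get("MAC", "").split(":")
    if len(mac) != 14 or "SRC" not in f or "DST" not in f:
        return None
    return UfwEvent(
        src=f["SRC"], dst=f["DST"], proto=f.get("PROTO", "?"),
        ttl=int(f.get("TTL", 0)), length=int(f.get("LEN", 0)),
        dst_mac=":".join(mac[:6]), src_mac=":".join(mac[6:12]),
        ethertype=":".join(mac[12:]),
    )


def mcast_mac_for(group: str) -> str:
    """RFC 1112: 01:00:5e followed by the low 23 bits of the group address."""
    b = ipaddress.IPv4Address(group).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def classify(ev: UfwEvent) -> str:
    """Map one blocked packet to a triage bucket (names are my own)."""
    dst = ipaddress.ip_address(ev.dst)
    if not dst.is_multicast:
        return "unicast"            # the only kind of line worth chasing
    if ev.dst_mac != mcast_mac_for(ev.dst):
        return "suspicious"         # multicast IP but wrong L2 address
    if dst in LINK_LOCAL and ev.ttl != 1:
        return "suspicious"         # link-local scope must carry TTL 1
    if ev.proto == "2" and ev.dst == "224.0.0.1":
        return "igmp-query"         # the IGMP querier, normally the router
    if ev.proto == "2":
        return "igmp-report"        # a host joining the group ev.dst
    return "multicast"              # e.g. UDP to 224.0.0.251 = actual mDNS


def describe(ev: UfwEvent) -> str:
    group = KNOWN_GROUPS.get(ev.dst, "unknown group")
    return "%-12s %s -> %s (%s) proto=%s ttl=%d len=%d src_mac=%s" % (
        classify(ev), ev.src, ev.dst, group, ev.proto, ev.ttl, ev.length, ev.src_mac)


def triage(lines) -> Counter:
    """Count events per bucket; 'unicast' and 'suspicious' deserve a look."""
    counts = Counter()
    for line in lines:
        ev = parse_ufw_line(line)
        if ev is not None:
            counts[classify(ev)] += 1
    return counts


# Lines 1-3 copied from the original post; line 4 is CONSTRUCTED for contrast.
SAMPLE = [
    "2/7/20 10:03 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:48:5d:36:22:ec:46:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=25057 DF PROTO=2",
    "2/7/20 10:03 PM kernel [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:fb:78:88:6d:e8:59:a4:08:00 SRC=192.168.1.206 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=2452 PROTO=2",
    "2/7/20 10:05 PM CRON (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)",
    "2/8/20 01:12 AM kernel [UFW BLOCK] IN=eno1 OUT= MAC=78:88:6d:e8:59:a4:48:5d:36:22:ec:46:08:00 SRC=203.0.113.5 DST=192.168.1.206 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        ev = parse_ufw_line(line)
        if ev:
            print(describe(ev))
    print(dict(triage(SAMPLE)))
```

Feed it `journalctl -k | grep 'UFW BLOCK'` and look only at what lands in the `unicast` and `suspicious` buckets; the IGMP queries and reports are the router and LAN hosts maintaining group membership and tell you nothing about an intruder. The `src_mac` column is also the quickest way to answer #7's "figure out what .206 is": compare it with `ip neigh` or `arp -a` on the other machines in the house. If the noise is unwanted in the log, `ufw logging low` reduces it; an allow rule scoped to the LAN and 224.0.0.0/24 on eno1 would stop the blocking itself, but check that against the ufw man page for your version before relying on it.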
Old 02-17-2020, 10:57 AM   #9
g4njawizard
Member
 
Registered: Feb 2020
Posts: 41

Funny... I encountered the same question. But after searching for the addresses appearing in my UFW BLOCK notification, it was clear that it was just multicast and nothing malicious.
But I am glad to see that other people encounter the same notification.
 
Old 02-17-2020, 08:15 PM   #10
Jeff Maxwell
LQ Newbie
 
Registered: Mar 2019
Posts: 14

Original Poster
Thank you everyone for all the input.
I'm just trying to cross my "t"'s and dot my "i"'s regarding this issue.
There is actually a person of interest, who honestly could be making attempts.
I merely want to be sure I didn't miss anything obvious to someone with more experience in understanding these things.

Thank you all.

Max
 
Old 02-20-2020, 07:30 PM   #11
Minux1
Member
 
Registered: Feb 2020
Posts: 36

Amazes me that some who purport to be experienced Linux users don’t even know if their firewall is switched on or not.
This is observation not conjecture.
 
Old 02-22-2020, 02:12 AM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Quote:
Originally Posted by Minux1 View Post
Amazes me that some who purport to be experienced Linux users don’t even know if their firewall is switched on or not.
This is observation not conjecture.
Is this in relation to something written in this thread?
Because I don't see the connection.
Which purportedly experienced Linux user in this thread has written something that shows that they don't know if their firewall is "switched on" (*) or not?

(*) BTW, that's not a good term to use because the way iptables is baked into the kernel, it's never really "switched" on or off, it's always there and it's up to the user to make it more restrictive.
 