Re: [Alug] firewall messages

2 Jul 2001

      Joss Winn wrote:

Joss,

Here's the important bit snipped from your dmesg:

SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60
TOS=0x00 PREC=0x00 TTL=51 ID=25574 DF PROTO=TCP SPT=2869 DPT=111 WINDOW=32120
RES=0x00 SYN URGP=0 OPT (020405B40402080A052D45600000000001030300) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=66.9.192.39 DST=211.2.96.188 LEN=60
TOS=0x00 PREC=0x00 TTL=51 ID=26704 DF PROTO=TCP SPT=2869 DPT=111 WINDOW=32120
RES=0x00 SYN URGP=0 OPT (020405B40402080A052D468C0000000001030300) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=203.239.87.52 DST=211.2.96.188 LEN=60
TOS=0x00 PREC=0x00 TTL=49 ID=52626 DF PROTO=TCP SPT=2831 DPT=53 WINDOW=32120
RES=0x00 SYN URGP=0 OPT (020405B40402080A03D5A0850000000001030300) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188
LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=9147 PROTO=TCP SPT=4502 DPT=21
WINDOW=34930 RES=0x00 SYN URGP=0 OPT
(0204052A010303030101080A000000000000000001010000) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188
LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=9552 PROTO=TCP SPT=4502 DPT=21
WINDOW=34930 RES=0x00 SYN URGP=0 OPT
(0204052A010303030101080A000000000000000001010000) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=211.104.247.142 DST=211.2.96.188
LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=10341 PROTO=TCP SPT=4502 DPT=21
WINDOW=34930 RES=0x00 SYN URGP=0 OPT
(0204052A010303030101080A000000000000000001010000) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=64.221.103.230 DST=211.2.96.188
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7825 DF PROTO=TCP SPT=1150 DPT=211
WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A0009DFB00000000001030300) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=200.197.200.131 DST=211.2.96.188
LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=32871 DF PROTO=TCP SPT=4284 DPT=111
WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A0DF27DB40000000001030300) 
SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=200.197.200.131 DST=211.2.96.188
LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=34684 DF PROTO=TCP

Look for DPT= to see what they were after. Y0u have:

111 (Sun RPC)
53 (DNS)
21 (FTP)
211 (Texas Instruments 914C/G Terminal) [whatever that is]

Depending on the source IP (SRC=xx.xx.xx.xx) they may or may not be malicious.
I suspect the latter, myself.

Cheers, Laurie.
-- 
---------------------------------------------------------------------
                               Laurie Brown
                           laurie@brownowl.com
                     PGP key at http://pgpkeys.mit.edu:11371
---------------------------------------------------------------------