
 

Virus.Org Mailing List Archive




Strange logs

  • To: [EMAIL PROTECTED]
  • Subject: Strange logs
  • From: Devdas Bhagat <[EMAIL PROTECTED]>
  • Date: Mon, 01 Jan 2001 19:42:37 +0100
 
I am getting UDP packets from port 137 on various machines to port 53
on my secondary nameserver. 

Jan  1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote ip:137 my_ip:53 L=61 S=0x00 I=62548 F=0x0000 T=222 (#21) 

Jan  1 19:00:03 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=56959 F=0x0000 T=127 (#21)  

Jan 1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)  

Jan  1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=58239 F=0x0000 T=127 (#21)

Jan  1 19:00:05 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=61 S=0x00 I=63060 F=0x0000 T=222 (#21)  

Jan  1 19:00:07 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=60799 F=0x0000 T=127 (#21)  

Jan  1 19:00:08 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip3:137 my_ip:53 L=61 S=0x00 I=58702 F=0x0000 T=126 (#21)  

Jan  1 19:00:09 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=61311 F=0x0000 T=127 (#21)  

Jan  1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip3:137 my_ip:53 L=61 S=0x00 I=62286 F=0x0000 T=126 (#21)  

Jan  1 19:00:10 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=61823 F=0x0000 T=127 (#21)  

Jan  1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=60 S=0x00 I=64340 F=0x0000 T=222 (#21)  

Jan  1 19:00:11 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip3:137 my_ip:53 L=61 S=0x00 I=64334 F=0x0000 T=126 (#21)  

Jan  1 19:00:13 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=60 S=0x00 I=64596 F=0x0000 T=222 (#21) 


These have been coming continuously since morning (about 9 hrs now), and
currently form half my logfile (rotated on Sunday at 4 am). No such
traces on the primary nameserver, and I use the same rules on both. Any
explanations of what this could be?
An attempted exploit or just a misconfigured File and Print share
(given the originating port)?

Devdas Bhagat 
--
Age, n.:
	That period of life in which we compound for the vices that we
	still cherish by reviling those that we no longer have the enterprise
	to commit.
		-- Ambrose Bierce
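
An added example, not part of the original post: a short Python parser for ipchains "Packet log" lines in the format quoted above. It groups denied packets by source and counts UDP packets from port 137 (NetBIOS name service) to port 53. The sample input is constructed, reusing the post's placeholder addresses and its mail line-wrapping.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post (placeholder addresses,
# each entry wrapped over two lines as in the mail).
SAMPLE = """\
Jan  1 19:00:02 ns2 kernel: Packet log: input DENY eth0 PROTO=17
remote_ip:137 my_ip:53 L=61 S=0x00 I=62548 F=0x0000 T=127 (#21)
Jan  1 19:00:04 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=61 S=0x00 I=62804 F=0x0000 T=222 (#21)
Jan  1 19:00:05 ns2 kernel: Packet log: input DENY eth0 PROTO=17
rem_ip2:137 my_ip:53 L=60 S=0x00 I=63060 F=0x0000 T=222 (#21)
"""

# Fields: chain, action, interface, IP protocol, src:port, dst:port,
# L=length, S=TOS, I=IP ID, F=fragment field, T=TTL, (#rule number).
ENTRY = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+"
    r"I=(?P<ipid>\d+)\s+F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)\s+\(#(?P<rule>\d+)\)"
)

def parse(text):
    """Return one dict per log entry; numeric fields are converted to int."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            e[key] = int(e[key])
        entries.append(e)
    return entries

def summarize(entries):
    """Per source: packet count, TTLs and lengths seen, UDP 137->53 hits."""
    stats = defaultdict(
        lambda: {"count": 0, "ttls": set(), "lengths": set(), "nbns_to_dns": 0})
    for e in entries:
        s = stats[e["src"]]
        s["count"] += 1
        s["ttls"].add(e["ttl"])
        s["lengths"].add(e["length"])
        if e["proto"] == 17 and e["sport"] == 137 and e["dport"] == 53:
            s["nbns_to_dns"] += 1
    return dict(stats)

if __name__ == "__main__":
    for src, s in sorted(summarize(parse(SAMPLE)).items()):
        print(src, s["count"], sorted(s["ttls"]), sorted(s["lengths"]), s["nbns_to_dns"])
```

A stable TTL per source, as in the quoted entries, is what the `ttls` set makes visible when the same summary is run over a full logfile.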







 