  1. #1
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414

    Is this a hack


    Code:
    SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=218.1.204.246 DST=75.32.21.66 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=43467 PROTO=UDP SPT=10512 DPT=25076 LEN=106 
    SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=212.91.190.84 DST=75.32.21.66 LEN=126 TOS=0x00 PREC=0x00 TTL=102 ID=42352 PROTO=UDP SPT=58855 DPT=25076 LEN=106
    I have lines like this repeated dozens of times in the output of dmesg.

    Is someone attacking me?
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  2. #2
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    Now I see this,
    Code:
    SFW2-OUT-ERROR IN= OUT=dsl0 SRC=75.17.114.197 DST=204.152.184.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29456 DF PROTO=TCP SPT=3450 DPT=80 WINDOW=2046 RES=0x00 ACK FIN URGP=0 OPT (0101080A000220A9A64E95AE) 
    SFW2-OUT-ERROR IN= OUT=dsl0 SRC=75.17.114.197 DST=204.152.184.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29457 DF PROTO=TCP SPT=3450 DPT=80 WINDOW=2046 RES=0x00 ACK FIN URGP=0 OPT (0101080A000220DFA64E95AE) 
    SFW2-OUT-ERROR IN= OUT=dsl0 SRC=75.17.114.197 DST=204.152.184.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29458 DF PROTO=TCP SPT=3450 DPT=80 WINDOW=2046 RES=0x00 ACK FIN URGP=0 OPT (0101080A0002214BA64E95AE) 
    SFW2-OUT-ERROR IN= OUT=dsl0 SRC=75.17.114.197 DST=204.152.184.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29459 DF PROTO=TCP SPT=3450 DPT=80 WINDOW=2046 RES=0x00 ACK FIN URGP=0 OPT (0101080A00022223A64E95AE) 
    SFW2-OUT-ERROR IN= OUT=dsl0 SRC=75.17.114.197 DST=204.152.184.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29460 DF PROTO=TCP SPT=3450 DPT=80 WINDOW=2046 RES=0x00 ACK FIN URGP=0 OPT (0101080A000223D3A64E95AE)
    "OUT=dsl0" scares me.

    Is something nasty going on?

  3. #3
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    I have a theory that this is my ISP pinging my DSL box to see if I'm online, in order to minimise their resource use. Does this sound reasonable, especially since I'm getting hit by this once every couple of minutes?

  5. #4
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    Anyone any ideas about this?

  6. #5
    Linux User
    Join Date
    Aug 2005
    Posts
    408
    I don't really know the answer, personally, but I checked the output of dmesg and I have similar messages. Here's one example:
    Code:
    SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.2 DST=67.15.52.42 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=17955 DF PROTO=TCP SPT=21224 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
    The "OUT=eth0" is the interface being used. The "SRC=..." is my ip address (given out via dhcp by a router). The "DST=..." is the destination ip address. The "DPT=..." (and this is a guess) most likely refers to port 80, which internet browsing goes through typically. I'm guessing this is just firefox output. I don't know what the other pieces of info are.

    Oh yeah, and of course the protocol is TCP/IP.

    Outside of the "ERROR" at the front, it all looks pretty standard to me.

  7. #6
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    682
    In your first post you have UDP (PROTO=UDP) traffic coming into your PC from a high port (not unusual) to a high port (quite unusual), one from China and one from Russia. However, a five minute google didn't turn up anything interesting. I'd say that whatever is in those packets, you are better off not getting them; on the other hand, they are getting dropped at the firewall so you should be OK.

    Your second post is outgoing TCP traffic to port 80. Web traffic to isc.org. These packets in particular would appear to be your computer finishing downloading something. The server will send a FIN to drop the connection and your computer will respond FIN ACK to say you received it. The FIN ACK packets are the ones showing up in your firewall. The firewall seems to be picking up an error in them.

    Your ISP wouldn't use TCP or UDP to ping you. They would use the ICMP protocol if anything but even that would be unreliable from their perspective.

    If you have any more questions then post them here and we will try to help; in the meantime I don't think you've got anything to worry about.

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  8. #7
    Linux Guru smolloy's Avatar
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    Thanks for the replies guys -- I appreciate you looking stuff up for me, as I had no idea where to start.

    So this is standard firewall output due to (possibly) a couple of attacks from Russia/China (did you find that out by trying to resolve the IP addresses?) that my firewall is dropping, plus some error from firefox.

    The reason I was worrying is that I intend to start an ssh server on that machine, and I am a little paranoid about attacks.

    Thanks again for your help.

  9. #8
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    682
    Yes, I resolved the IP addresses to find out where they came from.

    Code:
    dig PTR 40.184.152.204.in-addr.arpa
    I ran an ssh server for a while too. If you leave it on the standard port then you will probably find a lot of log messages from automated attacks trying to log in to common accounts. If you move it then it will cut them down. Not a serious security protection, but it will cut out some false positives.

    Let us know how you get on.

    Chris...
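The triage that Chris does by eye in posts #6 and #8 (reading the SFW2 fields, separating dropped inbound UDP from outbound FIN/ACK teardown, then reverse-resolving the foreign addresses) can be done over the dmesg lines themselves. The following is an added example, not code from the thread or from SuSEfirewall2: it parses the lines quoted above (embedded as a constructed sample), classifies each one with the same heuristics the posters used, and builds the `in-addr.arpa` name that the `dig PTR` command in post #8 takes. All function names are mine; the "unsolicited UDP to high port" label is a heuristic for review, not proof of an attack.

```python
import re
from collections import Counter

# Constructed sample: the SFW2 lines quoted in this thread (posts #1, #2 and #5).
SAMPLE_LOG = """\
SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=218.1.204.246 DST=75.32.21.66 LEN=126 TOS=0x00 PREC=0x00 TTL=115 ID=43467 PROTO=UDP SPT=10512 DPT=25076 LEN=106
SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=212.91.190.84 DST=75.32.21.66 LEN=126 TOS=0x00 PREC=0x00 TTL=102 ID=42352 PROTO=UDP SPT=58855 DPT=25076 LEN=106
SFW2-OUT-ERROR IN= OUT=dsl0 SRC=75.17.114.197 DST=204.152.184.40 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=29456 DF PROTO=TCP SPT=3450 DPT=80 WINDOW=2046 RES=0x00 ACK FIN URGP=0 OPT (0101080A000220A9A64E95AE)
SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.2 DST=67.15.52.42 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=17955 DF PROTO=TCP SPT=21224 DPT=80 WINDOW=6432 RES=0x00 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_sfw2_line(line):
    """Split one SFW2 line into its chain tag, key=value fields, DF bit and bare TCP flags."""
    tokens = line.split()
    rec = {"tag": tokens[0], "flags": set(), "DF": False}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice: IP total length first, then UDP length.
            if key == "LEN" and "LEN" in rec:
                key = "UDP_LEN"
            rec[key] = value
        elif tok == "DF":
            rec["DF"] = True
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        # Remaining bare tokens ("OPT" and the option hex) are not needed for triage.
    return rec


def classify(rec):
    """Apply the thread's reasoning: what kind of event is this line?"""
    tag = rec["tag"]
    if tag.startswith("SFW2-IN") and "DROP" in tag:
        if rec.get("PROTO") == "UDP" and int(rec.get("DPT", 0)) >= 1024:
            return "inbound unsolicited UDP to high port, dropped by firewall"
        return "inbound packet dropped by firewall"
    if tag.startswith("SFW2-OUT"):
        if (rec.get("PROTO") == "TCP" and rec["flags"] >= {"FIN", "ACK"}
                and rec.get("DPT") == "80"):
            return "outbound FIN/ACK to a web server: connection teardown, not an attack"
        return "outbound packet logged by firewall"
    return "unclassified"


def ptr_name(ip):
    """Build the in-addr.arpa name that `dig PTR` expects for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def triage(log_text):
    """Parse every SFW2 line, count verdicts, and list the remote addresses worth resolving."""
    records = [parse_sfw2_line(l) for l in log_text.splitlines() if l.startswith("SFW2-")]
    verdicts = Counter(classify(r) for r in records)
    lookups = {}
    for r in records:
        # For dropped inbound traffic the remote end is SRC; for outbound it is DST.
        remote = r["SRC"] if r["tag"].startswith("SFW2-IN") else r["DST"]
        lookups[remote] = ptr_name(remote)
    return records, verdicts, lookups


if __name__ == "__main__":
    records, verdicts, lookups = triage(SAMPLE_LOG)
    for verdict, count in verdicts.items():
        print(f"{count:2d}  {verdict}")
    for ip, name in lookups.items():
        print(f"dig PTR {name}   # {ip}")
```

Feed it `dmesg | grep SFW2-` instead of the sample and the verdict counts show at a glance how much of the noise is dropped inbound traffic versus ordinary teardown of your own connections; the `dig` lines it prints are the lookups Chris ran by hand.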
