Stephen Gran on 2 Aug 2004 14:27:03 -0000



Re: [PLUG] what's this?


On Mon, Aug 02, 2004 at 07:31:53AM -0400, eric@lucii.org said:
> On Sun, Aug 01, 2004 at 05:55:41PM -0400, Kam Salisbury wrote:
> > On Sun, 2004-08-01 at 17:00, eric@lucii.org wrote:
> > > 
> > > Aug  1 16:07:17 polaris kernel: denylog:IN=eth1 
> > >         OUT= MAC=NN:NN:NN:NN:NN:NN:00:01:5c:22:00:02:08:00 
> > >         SRC=68.111.197.211 DST=68.34.XXX.YYY LEN=48 TOS=0x00 
> > >         PREC=0x00 TTL=110 ID=10932 DF PROTO=TCP SPT=3811 
> > >         DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
> > 
> > It would seem that the Dabber worm is trying to see if there is a 
> > Sasser worm on your IP to take advantage of. 
> 
> Thanks.  That puts my mind at ease (for now).  I could not tell if
> there was something _inside_ my network trying to get out...
> after all, there are some Windows machines in the house :-D

SRC=68.111.197.211 tells you where the packet comes from, and IN=eth1
tells you what interface it hit.
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | Somehow I reached excess without ever   |
|  steve@lobefin.net             | noticing when I was passing through     |
|  http://www.lobefin.net/~steve | satisfaction.   -- Ashleigh Brilliant   |
 --------------------------------------------------------------------------
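
Added example, not part of the original message: a small Python parser for the netfilter LOG line quoted above. It reads IN=, OUT= and SRC= the way the reply describes and classifies which way the packet was travelling. It assumes eth1 is the Internet-facing interface (the thread does not say so), and the second log line is constructed for contrast.

```python
import re

# Log line from the quoted post, re-joined onto one line (addresses masked as posted).
POSTED = ("Aug  1 16:07:17 polaris kernel: denylog:IN=eth1 OUT= "
          "MAC=NN:NN:NN:NN:NN:NN:00:01:5c:22:00:02:08:00 SRC=68.111.197.211 "
          "DST=68.34.XXX.YYY LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=10932 DF "
          "PROTO=TCP SPT=3811 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0")
# Constructed line: an inside host being routed out through the firewall.
CONSTRUCTED = ("Aug  1 16:09:02 polaris kernel: denylog:IN=eth0 OUT=eth1 "
               "SRC=192.168.1.20 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 "
               "ID=4411 DF PROTO=TCP SPT=1042 DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0")

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict."""
    start = line.find("IN=")  # skip the syslog header and the rule's log prefix
    if start < 0:
        raise ValueError("not a netfilter LOG line")
    return dict(FIELD.findall(line[start:]))


def direction(fields, wan_if="eth1"):
    """Classify a packet by its interfaces; wan_if is an assumed interface name."""
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and out_if:
        # Both set: the packet was being routed through the box (FORWARD chain).
        return "forwarded to internet" if out_if == wan_if else "forwarded to lan"
    if in_if:
        # Only IN set: the packet was addressed to the firewall host (INPUT chain).
        return "inbound from internet" if in_if == wan_if else "inbound from lan"
    if out_if:
        # Only OUT set: the firewall host itself generated it (OUTPUT chain).
        return "sent by the firewall host"
    raise ValueError("neither IN nor OUT is set")


if __name__ == "__main__":
    for line in (POSTED, CONSTRUCTED):
        f = parse(line)
        print(f["SRC"], "->", f["DST"], "dpt", f["DPT"], ":", direction(f))
```

A packet from an inside machine trying to get out would show the LAN interface in IN= and a non-empty OUT=, as in the constructed line; the posted line has neither.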
