|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
On Sun, 2004-08-01 at 17:00, eric@lucii.org wrote:
> My firewall (SME Server - formerly e-smith) has a bunch of messages
> like this in the /var/log/messages:
>
> Aug 1 16:07:17 polaris kernel: denylog:IN=eth1
> OUT= MAC=NN:NN:NN:NN:NN:NN:00:01:5c:22:00:02:08:00
> SRC=68.111.197.211 DST=68.34.XXX.YYY LEN=48 TOS=0x00
> PREC=0x00 TTL=110 ID=10932 DF PROTO=TCP SPT=3811
> DPT=5554 WINDOW=64240 RES=0x00 SYN URGP=0
>
> Where NN:NN:NN:NN:NN:NN is my external ethernet card's MAC address
> and 68.34.XXX.YYY is the external ethernet card's IP address.
>
> Looks like the firewall is rejecting something - but I'm not 100%
> certain what's happening here. Is there some sort of internet
> attack taking place?
>
>
> Eric
Eric, DPT=5554 would be the port being blocked right? Take a look at http://isc.incidents.org/port_details.php?port=5554
It would seem that the Dabber worm is trying to see if there is a Sasser worm on your IP to take advantage of.
--
Kam Salisbury
http://kamsalisbury.com
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|