
List:       linux-router
Subject:    Re: [LRP] Confusing log entry, need H-E-L-P
From:       Peter Nosko <peter_nosko () yahoo ! com>
Date:       2001-05-30 20:43:07

--- "Scott C. Best" <sbest@best.com> wrote:
> 	Heya. I plugged these logs into the log processor at
> http://www.echogent.com/cgi-bin/fwlog.pl just to be sure it
> knew about them. So, thanks for the testing data. :) Both of 
> these packets are known fingerprints of trojans for Windows.
> The 27374 one is very likely Sub-7 (which I've seen a lot of
> lately), and the 555 one is known for "phAse zero" (see
> http://home.tiscalinet.be/bchicken/trojans/phase%20zero/).
> 
> 	The interesting tidbit is that the packets showed up 
> on your 'eth2' interface, headed for your DMZ box, but were
> caught by a rule in the forward chain. So, I presume that in 
> your network the 'eth2' interface is your DMZ interface, and
> the main Internet interface (eth0 perhaps?) doesn't have a 
> firewall rule that catches these sorts of packets.

pn] Well, I'm going to have to do some checking indeed.  But what still has me confused is this. 
My only two DMZ machines were undergoing maintenance and were POWERED OFF during these times. 
Nothing else exists on the DMZ, except of course the eth2 gateway in the router.  This was logged
on the router as a Forward Deny.  The log entry below must mean it wanted to be *forwarded* to
eth2, not that it came in via eth2 (which again isn't possible since everything on the other side
of eth2 was powered off).

> May 28 06:55:05 lrp1 kernel: Packet log: forward DENY eth2 PROTO=6 209.116.121.144:4737 10.4.2.10:555 L=60 S=0x00 I=35754 F=0x4000 T=52 SYN (#13)


=====

-----
Peter Nosko (peter_nosko@yahoo.com)
This is a good place for a tagline.

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 
a year!  http://personal.mail.yahoo.com/

_______________________________________________
linux-router maillist  -  linux-router@linuxrouter.org
http://www.linuxrouter.org/mailman/listinfo/linux-router
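The line Peter quotes is an ipchains "Packet log:" entry. The Python below is an added example, not code from the thread or from LRP: it parses that format into fields and applies the ipchains convention that the logged interface is the incoming one for the input chain but the outgoing one for the output and forward chains, which is why "forward DENY eth2" points at where the packet was headed rather than where it entered. The port-to-trojan lookup only carries the two associations Scott named above, and the sample line is the quoted entry rejoined onto one line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field layout of an ipchains "Packet log:" line as it appears in this thread; the
# TCP flag words (e.g. SYN) and the trailing "(#N)" rule number are optional.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*?)(?: \(#(?P<rule>\d+)\))?\s*$"
)

# Destination-port associations mentioned in Scott's reply (constructed lookup, not exhaustive).
SUSPECT_PORTS = {27374: "Sub-7", 555: "phAse zero"}

@dataclass
class PacketLog:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    syn: bool
    rule: Optional[int]

def parse_packet_log(line: str) -> Optional[PacketLog]:
    """Parse one syslog line; returns None if it is not an ipchains packet log."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    return PacketLog(
        chain=m["chain"], action=m["action"], iface=m["iface"], proto=int(m["proto"]),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ttl=int(m["ttl"]), syn="SYN" in m["flags"].split(),
        rule=int(m["rule"]) if m["rule"] else None)

def interface_role(entry: PacketLog) -> str:
    """ipchains logs the interface the packet is on in that chain: the incoming
    interface for the input chain, the outgoing interface for output and forward."""
    return "incoming" if entry.chain == "input" else "outgoing"

def describe(entry: PacketLog) -> str:
    """One-line triage summary: direction, endpoints, and any port association."""
    tag = SUSPECT_PORTS.get(entry.dport, "no known association")
    return (f"{entry.chain} {entry.action} via {interface_role(entry)} interface {entry.iface}: "
            f"{entry.src}:{entry.sport} -> {entry.dst}:{entry.dport} ({tag}), rule #{entry.rule}")

# Constructed sample: the entry quoted in this thread, rejoined onto one line.
SAMPLE = ("May 28 06:55:05 lrp1 kernel: Packet log: forward DENY eth2 PROTO=6 "
          "209.116.121.144:4737 10.4.2.10:555 L=60 S=0x00 I=35754 F=0x4000 T=52 SYN (#13)")
```

Running `describe(parse_packet_log(SAMPLE))` reports the packet as denied on the way *out* eth2 toward 10.4.2.10:555, consistent with Peter's reading that it arrived on another interface.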

