More firewall weirdness -- apparent spoof attempt
David Wolfskill
david at catwhisker.org
Thu Jan 29 06:48:58 PST 2004
>To: baylisa at baylisa.org
>Date: Wed, 28 Jan 2004 08:27:04 -0800
>From: "Wolfgang S. Rupprecht" <wolfgang+gnus-baylisa at dailyplanet.dontspam.wsrcc.com>
>david at catwhisker.org (David Wolfskill) writes:
>> Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1026 in via dc0
>Looks like some hack using a UDP packet with a forged source address
>of your interface.
Yup.
>I see similar nonsense in my logs, minus the forged source address.
I'm pretty sure I've seen that before -- it was the forged source
address that caught my eye this time.
>Jan 28 05:17:36 capsicum ipmon[287]: 05:17:35.980390 tlp0 @100:2 b
> dialup-64.156.39.12.Dial1.Denver1.Level3.net[64.156.39.12],666 ->
> sonic.wsrcc.com[208.201.233.172],1026 PR udp len 20 574 IN
>Someone is probing local ports 135/udp and immediately after that
>1026/udp and 1027/udp. The probes always come from 666/udp.
And I don't even bother to log traffic to udp/135 -- I just silently
drop it. (When I'm looking for a needle, I want to reduce the size of
the haystack, not increase it. Got a match? :-})
>I wonder if they were trying to hit the nfs/rpc daemons and just
>missed because they move around a bit. Or is this another MS port
>that leads to a buggy daemon and we should get our candles and
>flashlights ready because there is going to be another major power
>failure somewhere?
Dunno; that's one of the reasons I thought posting might be worthwhile.
[Sorry about being a bit sluggish with responses; I've been fairly busy
of late.]
Peace,
david
--
David H. Wolfskill david at catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly
subscribed. Rather, I block spammers' access to SMTP servers I control,
and encourage others who are in a position to do so to do likewise.
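Added example, not code from either poster's setup: a small Python checker that reads ipfw and ipmon log lines in the two formats quoted in this thread and flags the two things discussed here, a packet arriving inbound with our own address as its source (the forged-source case) and the fixed-source-port probe pattern Wolfgang described (666/udp to 135, 1026 and 1027). The local address 192.0.2.10, the external addresses and every log line below are constructed for the example; the field layout of the regexes is taken from the two quoted lines, so any log format that differs from those is an assumption to verify against your own syslog.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Probe pattern reported in the thread: always from 666/udp, aimed at these ports.
PROBE_SRC_PORT = 666
PROBE_DST_PORTS = {135, 1026, 1027}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # normalised to upper case, e.g. "UDP"
    iface: str
    action: str     # "Deny" or "Accept" (ipmon's b/p mapped onto the ipfw words)
    direction: str  # "in" or "out"


# FreeBSD ipfw syslog line, e.g. "ipfw: 60000 Deny UDP a:666 b:1026 in via dc0"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
# IP Filter ipmon line, e.g. "tlp0 @100:2 b host[a],666 -> host[b],1026 PR udp len 20 574 IN"
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"[^\s\[]*\[(?P<src>[\d.]+)\],(?P<sport>\d+) -> "
    r"[^\s\[]*\[(?P<dst>[\d.]+)\],(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len \d+ \d+ (?P<dir>IN|OUT)"
)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one syslog line in either format; return None for anything else."""
    m = IPFW_RE.search(line)
    if m:
        action = m.group("action")
    else:
        m = IPMON_RE.search(line)
        if not m:
            return None
        action = {"b": "Deny", "p": "Accept"}[m.group("action")]
    return Packet(
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        proto=m.group("proto").upper(), iface=m.group("iface"),
        action=action, direction=m.group("dir").lower(),
    )


def classify(pkt: Packet, local_addrs: Set[str]) -> List[str]:
    """Return the list of reasons this packet deserves a second look (empty if none)."""
    tags: List[str] = []
    # Our own address can never legitimately be the source of an *inbound* packet.
    if pkt.direction == "in" and pkt.src in local_addrs:
        tags.append("spoofed-local-source")
    if pkt.src == pkt.dst:
        tags.append("src-equals-dst")
    if pkt.proto == "UDP" and pkt.sport == PROBE_SRC_PORT and pkt.dport in PROBE_DST_PORTS:
        tags.append("port666-probe")
    return tags


def analyze(lines: Iterable[str], local_addrs: Set[str]) -> List[Tuple[Packet, List[str]]]:
    """Parse every line, keep only the packets that got at least one tag."""
    findings = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        tags = classify(pkt, local_addrs)
        if tags:
            findings.append((pkt, tags))
    return findings


# Constructed sample log; 192.0.2.10 plays the role of the firewall's own address.
SAMPLE_LOG = [
    # ipfw: inbound UDP whose source is our own address (forged), 666 -> 1026
    "Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 192.0.2.10:666 192.0.2.10:1026 in via dc0",
    # ipmon: external host probing 135/udp and then 1027/udp from 666/udp
    "Jan 28 05:17:36 gw ipmon[287]: 05:17:35.980390 tlp0 @100:2 b example.net[198.51.100.7],666 -> gw.example.org[192.0.2.10],135 PR udp len 20 574 IN",
    "Jan 28 05:17:37 gw ipmon[287]: 05:17:36.120000 tlp0 @100:2 b example.net[198.51.100.7],666 -> gw.example.org[192.0.2.10],1027 PR udp len 20 574 IN",
    # ordinary inbound ssh, must not be flagged
    "Jan 28 05:18:00 janus /kernel: ipfw: 100 Accept TCP 203.0.113.5:40000 192.0.2.10:22 in via dc0",
    # our own outbound DNS query: local source address is normal on the way out
    "Jan 28 05:18:01 janus /kernel: ipfw: 100 Accept UDP 192.0.2.10:5123 203.0.113.53:53 out via dc0",
    "Jan 28 05:18:02 janus sshd[123]: unrelated line",
]

if __name__ == "__main__":
    for pkt, tags in analyze(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"{pkt.action} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.direction} via {pkt.iface}: {', '.join(tags)}")
```

Feed it `grep -h 'ipfw:\|ipmon' /var/log/messages` on the two host types in the thread; the `direction` check is what keeps your own outbound traffic out of the spoof bucket, and since 135/udp is silently dropped rather than logged on David's box, the 666-probe tag will only ever fire there on the 1026/1027 hits.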