Linux Users' Group of Davis (LUGOD)
Page last updated:
2001 Dec 30 17:06

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Attempted access -- I think

Thanks for the help, Jeff.

jdnewmil@dcn.davis.ca.us wrote:
> 
> On Wed, 13 Jun 2001, Cam Ellison wrote:
> 
<snip>
> 
> Looks like it.
> 
> > >
> > >
> > >   ------------------------------------------------------------------------
> > >
> > > Jun 13 16:44:28 treehouse kernel: Packet log: eth-in DENY eth1
> > > PROTO=17 192.168.177.11:67 255.255.255.255:68 L=328 S=0x00 I=48460
> > > F=0x0000 T=128 (#1)
> 
> This is a dhcp reply (bootp). In isolation, nothing to worry about, but
> when you consider the source address is private, it starts to look kind of
> weird...

I agree.  I am running dhcp, of course, but the client, not the server. 
Should I assume that someone has been messing around in my machine, and
that the other host is trying to re-establish connection?

> 
> > > Jun 13 17:08:47 treehouse kernel: Packet log: eth-in DENY eth1
> > > PROTO=17 192.168.0.1:5005 255.255.255.255:5005 L=44 S=0x00 I=27137
> > > F=0x0000 T=128 (#1)
> 
> ... and this is an odd one... broadcast to 5005...  examine the output of
> "netstat -ua" to see if treehouse would have responded to this, and use
> "lsof -i :5005" to find out which process(es) is(are) handling that port.
> 

Nothing is using that port.  Netstat indicates the following processes:
netbios-dgm
netbios-ns
ntalk
talk
discard
sunrpc

I know I did not install talk deliberately, and assume it was installed
by the distribution I use [Debian as repackaged by Libranet].  I cannot
see that it would have anything to do with this, however -- or am I
wrong in assuming that?

I did not have lsof on the system, so had to download and install it.  I
think we can assume it is clean.  It indicates that the only specific
ports are 6000 and 7101.

There are some other odd ports in the syslog entries: 1052, 3008, 3033,
3829.  None of these have any referents in /etc/services

<snip>
> 
> The fact that these are not directed at your ip address in particular is a
> little comforting, but someone is playing strange games.
> 

Clearly.  What I am still unclear about is whether this means someone is
trying to get access to my system, or more importantly, has succeeded.

What else would I look at?

Cam


-- 
Cam Ellison Ph.D. R.Psych.
From Roberts Creek on B.C.'s incomparable Sunshine Coast
camellison@dccnet.com
cam@fleuryassociates.com
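The two log lines discussed in this thread are ipchains "Packet log:" entries, and the triage Jeff suggests (is it DHCP? is it a broadcast rather than something aimed at this host? is the source private? is anything listening on that port?) can be done mechanically. The script below is an added example written for this archive page; it is not code from either poster. It assumes the field order shown in the quoted lines (chain, action, interface, PROTO=, src:port, dst:port, L=) and uses a small constructed allowlist of ports the host expects to see; the two sample lines are the thread's entries re-joined onto single lines. Ports outside the allowlist are reported with the same follow-up commands Jeff recommended, `netstat -ua` and `lsof -i :PORT`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ipchains "Packet log:" format as it appears in the thread. Assumed field order:
# chain, action, interface, PROTO=, src:sport, dst:dport, L=length. The trailing
# S=/I=/F=/T= fields are not needed for triage and are ignored.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed allowlist of (proto, port) pairs this host expects on its LAN.
# Anything else is flagged for a netstat/lsof follow-up rather than ignored.
EXPECTED_PORTS = {
    ("udp", 67): "bootps (DHCP/BOOTP server)",
    ("udp", 68): "bootpc (DHCP/BOOTP client)",
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
}

# Constructed sample input: the thread's two entries, re-joined onto one line each.
SAMPLE_LOG = [
    "Jun 13 16:44:28 treehouse kernel: Packet log: eth-in DENY eth1 "
    "PROTO=17 192.168.177.11:67 255.255.255.255:68 L=328 S=0x00 I=48460 "
    "F=0x0000 T=128 (#1)",
    "Jun 13 17:08:47 treehouse kernel: Packet log: eth-in DENY eth1 "
    "PROTO=17 192.168.0.1:5005 255.255.255.255:5005 L=44 S=0x00 I=27137 "
    "F=0x0000 T=128 (#1)",
]


@dataclass
class Entry:
    chain: str
    action: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an ipchains packet-log line, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto_num = int(m["proto"])
    return Entry(
        chain=m["chain"], action=m["action"], iface=m["iface"],
        proto=PROTO_NAMES.get(proto_num, str(proto_num)),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), length=int(m["length"]),
    )


def triage(e: Entry) -> List[str]:
    """Classify one denied packet with the questions raised in the thread."""
    tags = []
    if e.dst == "255.255.255.255":
        tags.append("broadcast")          # not addressed to this host in particular
    if ipaddress.ip_address(e.src).is_private:
        tags.append("private-source")     # RFC 1918 source, i.e. something on the LAN side
    if e.proto == "udp" and e.sport == 67 and e.dport == 68:
        tags.append("dhcp-reply")         # BOOTP/DHCP server -> client (OFFER/ACK)
    elif e.proto == "udp" and e.sport == 68 and e.dport == 67:
        tags.append("dhcp-request")       # BOOTP/DHCP client -> server
    if (e.proto, e.dport) not in EXPECTED_PORTS:
        tags.append("unfamiliar-port")    # worth a `netstat -ua` / `lsof -i :PORT` check
    return tags


def triage_all(lines: List[str]) -> List[Tuple[Entry, List[str]]]:
    """Parse and classify every packet-log line; non-matching lines are skipped."""
    results = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            results.append((e, triage(e)))
    return results


if __name__ == "__main__":
    for e, tags in triage_all(SAMPLE_LOG):
        svc = EXPECTED_PORTS.get((e.proto, e.dport), "not in allowlist")
        print(f"{e.action} {e.iface} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"[{svc}] tags={tags}")
        if "unfamiliar-port" in tags:
            print(f"  follow-up: netstat -ua ; lsof -i :{e.dport}")
```

Run against the two entries, the first is tagged broadcast, private-source and dhcp-reply (a LAN DHCP server answering, which is only odd if this host is not expecting a server at that address), while the second is tagged broadcast, private-source and unfamiliar-port, which is exactly the one the thread says to chase down with netstat and lsof. Extend EXPECTED_PORTS from the host's own /etc/services and running services so the allowlist reflects what the machine is actually supposed to see.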

