I'd guess someone is trying to exploit you. I'd say let it through and, on your firewall, route it to a blackhole.

Gabe

On Wed, Nov 22, 2000 at 08:19:35AM -0600, Clay Fandre wrote:
> I'm getting tons of denies on my firewall/Masq box on my DSL line which
> is using IPChains to filter out almost everything. I want to make it
> stop because it's filling up my logs. (No, I don't want to turn off
> logging) I'm assuming it's doing a DNS query since it's coming from port
> 53, but don't really know why. My firewall box is a DNS server, but only
> for my internal non-routable network. Anyone have any ideas?
>
> Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000
> T=47 (#32)
> Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64813 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64814 F=0x0000
> T=47 (#32)
> Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1
> PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64815 F=0x0000
> T=47 (#32)
>
> This has been going on for a few days now and my log files are growing.
> Any idea what the ch top-level domain is? Any idea what it's doing? I
> assume it's trying to resolve an address of mine, but I'm blocking it.
> Why doesn't it time out?
>
>
> After a little bit of investigation I find out it's a SuSe Linux box and
> has a LOT running. There's got to be an exploit in here somewhere...
>
> # nmap -O -sS -v -v smtp.bycom.ch
>
> Starting nmap V. 2.12 by Fyodor (fyodor at dhp.com, www.insecure.org/nmap/)
> Host smtp.bycom.ch (217.24.32.10) appears to be up ... good.
> Initiating SYN half-open stealth scan against smtp.bycom.ch
> (217.24.32.10)
> Adding TCP port 139 (state Firewalled).
> Adding TCP port 22 (state Open).
> Adding TCP port 53 (state Open).
> Adding TCP port 21 (state Open).
> Adding TCP port 25 (state Open).
> Adding TCP port 138 (state Firewalled).
> Adding TCP port 110 (state Open).
> Adding TCP port 80 (state Open).
> The SYN scan took 9 seconds to scan 1483 ports.
> For OSScan assuming that port 21 is open and port 38683 is closed and
> neither are firewalled
> Interesting ports on smtp.bycom.ch (217.24.32.10):
> Port    State       Protocol  Service
> 21      open        tcp       ftp
> 22      open        tcp       ssh
> 25      open        tcp       smtp
> 53      open        tcp       domain
> 80      open        tcp       http
> 110     open        tcp       pop-3
> 138     filtered    tcp       netbios-dgm
> 139     filtered    tcp       netbios-ssn
>
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=2124463 (Good luck!)
>
> Sequence numbers: C11B739 C6C2B3E CCCC545 C94066C C82B80A CEBC354
> Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 -
> 2.2.2
> OS Fingerprint:
> TSeq(Class=RI%gcd=1%SI=206AAF)
> T1(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=7C38%ACK=S++%Flags=AS%Ops=MENNTNW)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
>
> # telnet smtp.bycom.ch 25
> Trying 217.24.32.10...
> Connected to smtp.bycom.ch.
> Escape character is '^]'.
> 220 ns1.bycom.ch ESMTP Sendmail 8.10.2/8.10.2/SuSE Linux 8.10.0-0.3;
>
> # telnet smtp.bycom.ch 110
> Trying 217.24.32.10...
> Connected to smtp.bycom.ch.
> Escape character is '^]'.
> +OK QPOP (version 2.53) at ns1.bycom.ch starting.
> <24291.974902011 at ns1.bycom.ch>
> Wed, 22 Nov 2000 15:04:25 +0100
>
> # ftp smtp.bycom.ch
> Connected to smtp.bycom.ch.
> 220 ns1.bycom.ch FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready.
> Name (smtp.bycom.ch:):
>
> # nslookup - smtp.bycom.ch
> Default Server:  smtp.bycom.ch
> Address:  217.24.32.10
>
> > ls bycom.ch
> [smtp.bycom.ch]
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list

--
--------------------------------------------------------------------------------
Gabe Turner                                 | X-President,
UNIX Systems Administrator,                 | Assoc. for Computing Machinery
U of M Supercomputing Institute for         | University of Minnesohta
Digital Simulation and Advanced Computation | dopp at acm.cs.umn.edu

"Oh my beloved ice cream bar!! How I love to like your creamy center!
 Howm! Howm! Howm!! And your oh-so-nutty chocolate covering!!"
                                   - Commander Hoek (Ren) in "Space Madness"
--------------------------------------------------------------------------------
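As an added example (not code from either poster), here is a small Python parser for the ipchains `Packet log:` kernel message format quoted above. It aggregates DENY entries per flow so one can see from a growing log which single flow is filling it, and flags flows that have the shape of DNS answers (UDP from server port 53 to an unprivileged client port); the sample input is the six log lines from the post, re-joined onto one line each.

```python
import re
from collections import Counter

# Field layout of the ipchains "Packet log:" kernel message seen in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Parse one ipchains log line into a dict; return None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def summarize(lines):
    """Aggregate DENY entries per (proto, src, sport, dst, dport); busiest flow first.

    Returns [(flow, packet_count, total_bytes, note)]. The note marks flows that look
    like a DNS server's answers: UDP from source port 53 to an unprivileged port.
    """
    counts, nbytes = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        flow = (rec["proto_name"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        counts[flow] += 1
        nbytes[flow] += rec["len"]
    result = []
    for flow, n in counts.most_common():
        proto, _src, sport, _dst, dport = flow
        dns_shape = proto == "udp" and sport == 53 and dport >= 1024
        note = "DNS-answer shape (udp/53 -> unprivileged port)" if dns_shape else ""
        result.append((flow, n, nbytes[flow], note))
    return result

# Sample input: the six log lines quoted in the post, each re-joined onto one line.
SAMPLE_LOG = [
    "Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64810 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:27 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64811 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64812 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=161 S=0x00 I=64813 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64814 F=0x0000 T=47 (#32)",
    "Nov 22 08:02:28 maddog.matrix.comp kernel: Packet log: input DENY eth1 PROTO=17 217.24.32.10:53 64.6.191.90:1030 L=182 S=0x00 I=64815 F=0x0000 T=47 (#32)",
]
```

Run `summarize(open("/var/log/messages").readlines())` against a real log to get the same per-flow table; on the sample it collapses the six entries into one udp 217.24.32.10:53 -> 64.6.191.90:1030 flow of 1050 bytes.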