I'm getting 2 or three of these a day... Any ideas?

The 192.168.250.zz is an eth0:3 on a box that currently only has eth0:1 active.

Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]

This is the same type of activity as when Tom had guessed that I had been compromised before - Tripwire says NO, I have NOT been compromised, and anything else I can check says everything is still safe. This box is a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8. The box has been up 185 days straight (replaced UPS batteries) without a hiccup. The 192.168.250.zz is in my DMZ on eth0. That DMZ box is a SuSE 9.0 Professional (2.4.21 Kernel) running apache and Shorewall 1.4.8 without any log entries except for me to get NTP working (and I don't have it yet...).

The 66.228.216.22 is "SexTraffic.com", a site that apparently tries to enlist webmasters to "sign up" for pay site portals...

What in the dickens are they doing?
--- Bill.Light@kp.org wrote:
> PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22
> DST=192.168.250.zz

I don't know what to say about your mysterious network, but this is what these ICMP messages mean:

ICMP TYPE=3 CODE=1 - Destination Unreachable .... Host Unreachable

Why a public IP would be sending an ICMP message to an RFC1918 address is beyond me. I can only guess that you're using some app that is possibly embedding its private LAN address in the payload of the packet before being NATted out through the firewall. So the packet is seen as coming from your public IP address (like normal), but the actual payload/data in the packet is tagged with the private IP address using whatever app it's using to communicate with the (also) mysterious SEX server. Heh.. Heh... :P

That's only a guess though. But I figured I would entertain the mystery anyways. If you're real serious/curious, you should packet sniff off your external interface and internal interface at the same time to see what's happening for sure.

HTH's

JBanks
On Mon, 2003-12-01 at 18:04, Bill.Light@kp.org wrote:
> I'm getting 2 or three of these a day...Any ideas ?
>
> The 192.168.250.zz is a eth0:3 on a box that currently only has eth0:1
> active
>
> Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255
> ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz
> LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]
>
> This is the same type activity when Tom had guessed that I had been
> compromised before - Tripwire says NO I have NOT been compromised as well
> as anything else I can check says everything is still safe. This box is
> a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8. The box
> has been up 185 days straight (replaced UPS batteries) without a hiccup
> the 192.168.250.zz is in my DMZ on eth0 That DMZ box is a SuSE 9.0
> Professional (2.4.21 Kernel) running apache and shorewall 1.4.8 without
> any log entries except for me to get NTP working (and I don't have it
> yet...)
>
> The 66.228.216.22 is "SexTraffic.com" site that apparently tries to
> enlist webmasters to "sign up" for pay site portals...
>
> What in the dickens are they doing ?

Do you have any DNAT rules with 192.168.250.zz as the target?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 2003-12-01 at 18:04, Bill.Light@kp.org wrote:
> I'm getting 2 or three of these a day...Any ideas ?
>
> The 192.168.250.zz is a eth0:3 on a box that currently only has eth0:1
> active
>
> Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255
> ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz
> LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]
>
> This is the same type activity when Tom had guessed that I had been
> compromised before - Tripwire says NO I have NOT been compromised as well
> as anything else I can check says everything is still safe. This box is
> a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8. The box
> has been up 185 days straight (replaced UPS batteries) without a hiccup
> the 192.168.250.zz is in my DMZ on eth0 That DMZ box is a SuSE 9.0
> Professional (2.4.21 Kernel) running apache and shorewall 1.4.8 without
> any log entries except for me to get NTP working (and I don't have it
> yet...)
>
> The 66.228.216.22 is "SexTraffic.com" site that apparently tries to
> enlist webmasters to "sign up" for pay site portals...
>
> What in the dickens are they doing ?

Do you have any DNAT rules with 192.168.250.zz as the target?

-Tom

===============================================================

Sure do....

Real IP     DNAT to 192.168.250.zz
Real IP+1   DNAT to 192.168.250.zz+1
Real IP+2   DNAT to 192.168.250.zz+2

Until I re-do the IP routing that you suggested for this 5 IP setup of SBC.

- Bill
On Tue, 2003-12-02 at 11:39, Bill.Light@kp.org wrote:
> On Mon, 2003-12-01 at 18:04, Bill.Light@kp.org wrote:
> > I'm getting 2 or three of these a day...Any ideas ?
> >
> > The 192.168.250.zz is a eth0:3 on a box that currently only has eth0:1
> > active
> >
> > Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> > SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255
> > ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz
> > LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]
> >
> > This is the same type activity when Tom had guessed that I had been
> > compromised before - Tripwire says NO I have NOT been compromised as well
> > as anything else I can check says everything is still safe. This box is
> > a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8. The box
> > has been up 185 days straight (replaced UPS batteries) without a hiccup
> > the 192.168.250.zz is in my DMZ on eth0 That DMZ box is a SuSE 9.0
> > Professional (2.4.21 Kernel) running apache and shorewall 1.4.8 without
> > any log entries except for me to get NTP working (and I don't have it
> > yet...)
> >
> > The 66.228.216.22 is "SexTraffic.com" site that apparently tries to
> > enlist webmasters to "sign up" for pay site portals...
> >
> > What in the dickens are they doing ?
>
> Do you have any DNAT rules with 192.168.250.zz as the target?
>
> -Tom
>
> ===============================================================
>
> Sure do....
>
> Real IP     DNAT to 192.168.250.zz
> Real IP+1   DNAT to 192.168.250.zz+1
> Real IP+2   DNAT to 192.168.250.zz+2
>
> Until I re-do the IP routing that you suggested for this 5 IP setup of SBC

Here's my best guess -- Because of the DNAT, a connection from 66.228.216.22 -> <Real IP> would be directed to 192.168.250.zz. Since 192.168.250.zz isn't active, your firewall isn't able to reach it, so it is trying to return a <host unreachable> ICMP.

The original packet hasn't yet been "un-natted", so you are still seeing the confusing destination address 192.168.250.zz rather than "My.real.IP.addr". Because a connection hasn't yet been established, the ICMP isn't related to an existing connection, so it is being blocked.

You can eliminate these annoying messages by adding this to your /etc/shorewall/start file:

run_iptables -I OUTPUT 3 -p icmp -j ACCEPT

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
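A small triage script for this kind of log line, added here as an example (it is not code from the thread or from Shorewall): it splits the netfilter log prefix from the outer ICMP fields, pulls out the embedded original packet (the bracketed part, including the nested "INCOMPLETE [8 bytes]"), and flags exactly the situation Tom describes, a locally generated ICMP host-unreachable whose embedded destination is still the pre-un-NAT private DNAT target. The sample line is constructed: 203.0.113.10 stands in for "my.real.ip.addr" and 192.168.250.20 for "192.168.250.zz".

```python
import ipaddress

# Constructed sample of the thread's log line; 203.0.113.10 stands in for "my.real.ip.addr", 192.168.250.20 for "192.168.250.zz"
SAMPLE = ("Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
          "SRC=203.0.113.10 DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=12031 "
          "PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.20 LEN=40 TOS=0x00 "
          "PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]")

# RFC 792 destination-unreachable codes most often seen in netfilter logs
UNREACH = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable", 13: "administratively prohibited"}

def _split_embedded(msg):
    # Match the first '[' to its ']' by depth so the nested 'INCOMPLETE [8 bytes]' stays inside the embedded text
    start = msg.find("[")
    if start < 0:
        return msg, None
    depth = 0
    for i in range(start, len(msg)):
        depth += {"[": 1, "]": -1}.get(msg[i], 0)
        if depth == 0:
            return msg[:start] + msg[i + 1:], msg[start + 1:i]
    return msg, None

def _fields(text):
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)  # KEY=VALUE tokens; bare words such as INCOMPLETE are dropped

def parse_shorewall_log(line):
    msg = line.split("kernel: ", 1)[-1]
    idx = msg.index("IN=")  # the "Shorewall:chain:disposition:" prefix is fused onto IN= with no space
    chain, disposition = msg[:idx].rstrip(":").split(":")[1:3]
    outer_txt, inner_txt = _split_embedded(msg[idx:])
    return {"chain": chain, "disposition": disposition, "outer": _fields(outer_txt),
            "inner": _fields(inner_txt) if inner_txt is not None else None}

def explain_icmp_reject(rec):
    # Triage a rejected outbound ICMP error; flags the DNAT case described in the thread
    outer, inner = rec["outer"], rec["inner"]
    if outer.get("PROTO") != "ICMP" or inner is None:
        return "not an ICMP error carrying an embedded packet"
    code = int(outer["CODE"])
    if int(outer["TYPE"]) != 3:
        return f"ICMP type {outer['TYPE']} code {code}"
    reason = UNREACH.get(code, f"code {code}")
    notes = [f"{outer['SRC']} sending '{reason}' to {outer['DST']} about a "
             f"{inner.get('PROTO')} packet it received from {inner['SRC']}"]
    # IN= empty means the firewall generated the ICMP itself; a private embedded DST there is the not-yet-un-NATted DNAT target
    if outer["IN"] == "" and ipaddress.ip_address(inner["DST"]).is_private:
        notes.append(f"embedded DST {inner['DST']} is the pre-un-NAT DNAT target and looks unreachable")
    return "; ".join(notes)
```

Call `explain_icmp_reject(parse_shorewall_log(SAMPLE))` to see the verdict for the sample; feeding it a tail of /var/log/messages gives one line of triage per Shorewall ICMP reject.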
On Tue, 2003-12-02 at 12:47, Tom Eastep wrote:
>
> You can eliminate these annoying messages by adding this to your
> /etc/shorewall/start file:
>
> run_iptables -I OUTPUT 3 -p icmp -j ACCEPT
>

Or, more conventionally, by adding this rule:

ACCEPT $FW net icmp

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2003-12-02 at 12:47, Tom Eastep wrote:
>
> You can eliminate these annoying messages by adding this to your
> /etc/shorewall/start file:
>
> run_iptables -I OUTPUT 3 -p icmp -j ACCEPT
>

Or, more conventionally, by adding this rule:

ACCEPT $FW net icmp

-Tom

========================================

Done - We'll see what happens... Thanks for the quick response!

Also - apparently I added to the "New Actions" thread and it got lost.... To add my 2 cents.... A comment on the same line as a blacklist entry would be nice, i.e. the IP address and what they did (or why I put it there).

Example - something like:

123.45.67.89 ; This joker keeps trying the old sendmail exploit 23-Nov-2003

Versus...

# This next joker keeps trying the old sendmail exploit 23-Nov-2003
123.45.67.89

I know it's a nit.... and certainly no showstopper.

- Bill
On Tue, 2003-12-02 at 13:57, Bill.Light@kp.org wrote:
>
> example - something like:
>
> 123.45.67.89 ; This joker keeps trying the old sendmail exploit
> 23-Nov-2003
>
> Versus...
>
> # This next joker keeps trying the old sendmail exploit 23-Nov-2003
> 123.45.67.89
>
> I know it's a nit....and certainly no showstopper.

So what's stopping you? All Shorewall files allow comments beginning with "#" anywhere on the line.

124.44.67.89 #This joker keeps ...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net