Koozali.org: home of the SME Server

Strange entries in /var/log/messages

Greg Zartman

Strange entries in /var/log/messages
« on: August 19, 2003, 02:31:05 AM »
Does anyone have any idea why I might be seeing this in my messages log file? It almost looks like someone is trying to connect with my machine or something.

Greg



Aug 18 17:31:01 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:01 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:01 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:04 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:04 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:04 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:10 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:10 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:10 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:31:11 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=80.37.193.35 DST=63.224.194.224 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:31:11 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=80.37.193.35 DST=63.224.194.225 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:31:11 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=80.37.193.35 DST=63.224.194.231 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:32:04 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=203.192.11.30 DST=63.224.194.231 LEN=404 TOS=0x00 PREC$
Aug 18 17:32:57 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:32:57 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:32:57 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:32:58 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.224 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:32:58 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.225 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:32:59 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.231 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:32:59 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:32:59 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:32:59 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:01 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.224 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:33:01 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.225 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:33:02 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.231 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:33:05 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:05 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:05 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.232.189 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:07 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.224 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:33:07 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.225 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:33:08 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.176.7 DST=63.224.194.231 LEN=48 TOS=0x00 PREC=0$
Aug 18 17:33:19 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:19 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:20 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:22 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:22 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:22 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:28 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.224 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:28 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.225 LEN=48 TOS=0x00 PREC$
Aug 18 17:33:28 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.231 LEN=48 TOS=0x00 PREC$
Aug 18 17:34:26 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=66.220.17.47 DST=63.224.194.231 LEN=44 TOS=0x00 PREC=0$
Aug 18 17:34:29 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=66.220.17.47 DST=63.224.194.231 LEN=44 TOS=0x00 PREC=0$

Brendan

Re: Strange entries in /var/log/messages
« Reply #1 on: August 19, 2003, 10:09:29 AM »
You might wanna give snort + acid a try (you can get the howto from contribs.org) and see what it comes up with (it's an add-on to your firewall to tell you what it's blocking).

brian kirk

Re: Strange entries in /var/log/messages
« Reply #2 on: August 19, 2003, 10:33:33 AM »
Hi Greg - I think this is your firewall logging failed attempts to connect to your server. You can look them up with whois; see http://network-tools.com/
One of yours returned
IP address: 63.225.172.120
Host name: ttdslppp120.sttl.uswest.net
It happens all the time and just shows your firewall is doing what it is supposed to and stopping unauthorised connections. You can turn off this logging if you want.
Regards
Brian

Greg Zartman

Re: Strange entries in /var/log/messages
« Reply #3 on: August 19, 2003, 08:15:16 PM »
Thanks for the replies guys.

After thinking on it a bit, I think these entries represent attempts by the msblast virus to connect to PCs. Notice the multiple IP addresses of both the destination and source. The attempts are coming from multiple sources and firing almost randomly at IP addresses.

My DSL connection here in my office is on Qwest.net (which used to be uswest.net). I bet people on Qwest are infected and the msblast virus is using the subnet that they are on as a starting point for IP addresses to attack.

Greg

Charlie Brady

Re: Strange entries in /var/log/messages
« Reply #4 on: August 19, 2003, 10:41:41 PM »
Greg Zartman wrote:

> I think these entries represent
> attempts by the msblast virus to connect to PCs.

You'd need a part of the log line which has been truncated in your c&p to confirm that. Look for DPT=135 (IIRC).

Charlie
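As an added example (not code from the thread, from SME Server or from any of the posters), here is a small Python script that parses netfilter LOG lines of the kind Greg pasted and applies the check Charlie describes: group the dropped packets by source, count how many destinations each source touched, and see whether the destination port is 135. The sample lines are constructed: the addresses, timestamps and lengths are the ones from the post, but everything after PREC (TTL, ID, PROTO, SPT, DPT, TCP flags) was cut off in the paste and is assumed here. The last sample line is kept in its truncated form to show that such a line cannot confirm anything, which is Charlie's point.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread). Addresses are those Greg posted;
# the PROTO/SPT/DPT fields and TCP flags are assumed. The last line is left
# truncated exactly as in his paste ("PREC$").
SAMPLE_LOG = """\
Aug 18 17:31:01 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.224 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=40111 DF PROTO=TCP SPT=3122 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 17:31:01 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.225 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=40112 DF PROTO=TCP SPT=3123 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 17:31:01 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.227.147.186 DST=63.224.194.231 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=40113 DF PROTO=TCP SPT=3124 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 17:33:19 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=5001 DF PROTO=TCP SPT=1701 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 17:33:19 testbed kernel: denylog:IN=eth1 OUT= MAC=00:03:47:40:4e:18:00:04:9a:87:17:21:08:00 SRC=63.225.172.120 DST=63.224.194.225 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=5002 DF PROTO=TCP SPT=1702 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 18 17:34:26 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=66.220.17.47 DST=63.224.194.231 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=777 PROTO=TCP SPT=54321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 18 17:32:04 testbed kernel: denylog:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9a:87:17:21:08:00 SRC=203.192.11.30 DST=63.224.194.231 LEN=404 TOS=0x00 PREC$
"""

# syslog prefix, host, "kernel:", then the --log-prefix ("denylog") and the
# KEY=VALUE fields netfilter writes after it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[^:]*):\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict with ts/host/prefix/fields/flags, or None if not a LOG line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value
        elif tok.isalpha():                  # bare flag tokens: DF, SYN, ACK, ...
            flags.add(tok)
        # anything else (e.g. "PREC$" left by a truncated paste) is ignored
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def summarize(log_text, port="135"):
    """Group dropped packets by SRC: total lines, distinct DSTs, how many were
    TCP SYNs to `port`, and how many lines lacked DPT (truncated)."""
    by_src = defaultdict(lambda: {"total": 0, "dsts": set(), "to_port": 0, "truncated": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec["fields"]:
            continue
        f = rec["fields"]
        s = by_src[f["SRC"]]
        s["total"] += 1
        s["dsts"].add(f.get("DST", "?"))
        if "DPT" not in f:
            s["truncated"] += 1
        elif f.get("PROTO") == "TCP" and f["DPT"] == port and "SYN" in rec["flags"]:
            s["to_port"] += 1
    return dict(by_src)


def classify(stats, port="135"):
    """Label each source: DPT present and equal to `port` across several hosts
    matches the pattern Charlie asked Greg to confirm; a missing DPT is inconclusive."""
    labels = {}
    for src, s in stats.items():
        if s["truncated"] == s["total"]:
            labels[src] = "inconclusive: DPT missing from truncated line(s)"
        elif s["to_port"] == s["total"] and len(s["dsts"]) > 1:
            labels[src] = f"tcp/{port} SYNs to {len(s['dsts'])} hosts (matches the pattern Charlie asked to confirm)"
        elif s["to_port"]:
            labels[src] = f"some tcp/{port} SYNs"
        else:
            labels[src] = "other traffic"
    return labels


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, label in classify(stats).items():
        s = stats[src]
        print(f"{src:16} lines={s['total']} dsts={len(s['dsts'])} dpt135={s['to_port']} "
              f"truncated={s['truncated']} -> {label}")
```

On a real SME box the same functions can be fed `open("/var/log/messages")` filtered on lines containing `denylog:`; the important part is that a source whose lines all lack DPT is reported as inconclusive rather than guessed at, which is exactly why the truncated paste in the thread could not settle the question.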