Koozali.org: home of the SME Server

Messages

Alejandro

Messages
« on: August 30, 2003, 08:35:14 PM »
I have found a lot (too many) of messages like this in my log files:

Aug 29 01:31:08 server kernel: IN=eth1 OUT= MAC=00:c0:df:ed:86:74:00:05:dd:78:84:06:08:00 SRC=221.124.18.147 DST=200.81.31.210 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26188 DF PROTO=TCP SPT=4080 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

I upgraded my server yesterday from 5.6(u4) to 6.0b3 and the messages now are almost the same but with a "denylog" after the "kernel" word, so they are being blocked now, but what about before?
Any help?
Thanks in advance
Alejandro.

Bill Pflaumer

Re: Messages
« Reply #1 on: August 30, 2003, 09:47:35 PM »
Welcome to the Blaster and/or Welchia worm. The DPT (Destination Port 135) is a signature of this worm. Go to http://www.symantec and read all about it. If you are running SME in Gateway mode, which it looks like you are, your Windows 2000/XP PCs are safe.

Bill
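As an added example (not code from the thread or from SME Server), here is a small Python script that parses netfilter log lines in the format quoted in the first post, both the pre-upgrade form and the 6.0b3 form with the "denylog" prefix, and counts TCP SYNs to port 135 per source address, so the volume of worm noise can be measured rather than eyeballed. The log lines it contains are constructed samples modelled on the one in the post, not real traffic, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the line quoted in the post (not real
# traffic). The first two use the pre-upgrade format (no prefix after
# "kernel:"), the rest the 6.0b3 format with the "denylog" prefix. The last
# line is an unrelated syslog entry that the parser must skip.
SAMPLE_LOG = """\
Aug 29 01:31:08 server kernel: IN=eth1 OUT= MAC=00:c0:df:ed:86:74:00:05:dd:78:84:06:08:00 SRC=221.124.18.147 DST=200.81.31.210 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26188 DF PROTO=TCP SPT=4080 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 29 01:31:09 server kernel: IN=eth1 OUT= MAC=00:c0:df:ed:86:74:00:05:dd:78:84:06:08:00 SRC=221.124.18.147 DST=200.81.31.210 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26189 DF PROTO=TCP SPT=4081 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 10:02:11 server kernel: denylog IN=eth1 OUT= MAC=00:c0:df:ed:86:74:00:05:dd:78:84:06:08:00 SRC=198.51.100.7 DST=200.81.31.210 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=31 DF PROTO=TCP SPT=3210 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 10:02:12 server kernel: denylog IN=eth1 OUT= MAC=00:c0:df:ed:86:74:00:05:dd:78:84:06:08:00 SRC=198.51.100.7 DST=200.81.31.210 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32 DF PROTO=TCP SPT=3211 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 30 10:05:00 server kernel: denylog IN=eth1 OUT= MAC=00:c0:df:ed:86:74:00:05:dd:78:84:06:08:00 SRC=203.0.113.9 DST=200.81.31.210 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=77 DF PROTO=TCP SPT=1025 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 10:06:00 server sshd[1234]: Accepted password for alice from 10.0.0.5
"""

# syslog timestamp, host, "kernel:", an optional one-word chain prefix such as
# "denylog", then the netfilter key=value fields starting at IN=.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:(?P<tag>[A-Za-z_]+) )?(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Parse one netfilter log line into a dict; return None for other syslog lines.

    'tag' holds the chain prefix ('denylog' on 6.0b3) or None for the
    pre-upgrade format. key=value tokens keep their string value (OUT= becomes
    an empty string); bare tokens such as DF and SYN go into the 'flags' set.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "tag": m.group("tag"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec


def summarize(text, port="135"):
    """Count TCP SYNs to `port` per source address.

    Returns (per_source Counter, tagged, untagged): 'tagged' counts lines that
    carried the denylog prefix, 'untagged' those without it, so the two log
    formats discussed in the thread can be told apart in one pass.
    """
    per_source = Counter()
    tagged = untagged = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != port:
            continue
        if "SYN" not in rec["flags"]:
            continue
        per_source[rec["SRC"]] += 1
        if rec["tag"] == "denylog":
            tagged += 1
        else:
            untagged += 1
    return per_source, tagged, untagged


if __name__ == "__main__":
    # Read /var/log/messages on a real box: summarize(open(path).read())
    sources, tagged, untagged = summarize(SAMPLE_LOG)
    print(f"port 135 SYNs: {tagged} tagged denylog, {untagged} untagged")
    for src, n in sources.most_common():
        print(f"  {src:<16} {n}")
```

Running it against a real /var/log/messages (pass the file contents to summarize) gives a per-source count; a handful of sources each sending hundreds of SYNs to 135 is the worm-scan pattern Bill describes, whereas a single SYN from many sources looks more like background scanning.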

Alejandro

Re: Messages
« Reply #2 on: September 02, 2003, 12:52:13 AM »
Thanks a lot Bill
Should I be concerned in any way about the missing "denylog" in messages of my previous version?
BTW: Yes, I'm running a gateway with mynetwatch installed to report events online, and besides my server's bandwidth and time being wasted on processing the events, it seems to be working normally.

Jay

Re: Messages
« Reply #3 on: September 02, 2003, 09:44:16 PM »
Seeing all of these entries in MESSAGES bothered me, my file was getting HUGE. I decided that with that many entries in there I would stop the logging and forwarded port 135 to an IP that isn't assigned. This has cut out all of the entries for port 135 and I can now view MESSAGES to see what is happening rather than being overrun by redundant entries.
I used the portforward contrib to do this; how could I change the iptables entries to drop the port 135 traffic without logging?

Ian Wells

Re: Messages
« Reply #4 on: September 27, 2003, 02:21:59 AM »
I think that this is possible; you need to modify the denylog rule.

Looking at /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog

You should find the two lines below, which silently drop ports 137 to 139.

    /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
    /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP

Changing the 137 to 135 should produce the results that you want (it has worked for me). My understanding is that the only change is that ports 135 & 136 will no longer be logged, i.e. they will be silently dropped.

    /sbin/iptables --replace denylog 2 -p udp --dport 135:139 --jump DROP
    /sbin/iptables --replace denylog 3 -p tcp --dport 135:139 --jump DROP

After editing this file you need to expand the template and restart masq:

    # /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
    # /sbin/service masq restart
    # /sbin/service masq status

The last line shows the current status, and you should be able to see the new denylog rule.

Editing this template is not the correct way to do this, as it will be lost on the next upgrade to a new SME version.