Koozali.org: home of the SME Server

This is in my log file....

Charlie

This is in my log file....
« on: October 31, 2003, 03:56:45 PM »
Do I have any concerns, or are these code-red/nimda attempts?

Oct 30 23:10:30 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=203.197.199.185 DST=24.167.195.150 LEN=518 TOS=0x00 PREC=0x00 TTL=233 ID=6803 PROTO=UDP SPT=32798 DPT=1026 LEN=498
Oct 30 23:30:02 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=141.157.186.70 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=38523 DF PROTO=TCP SPT=2287 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 30 23:32:47 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=217.225.217.122 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=55626 DF PROTO=TCP SPT=3107 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 30 23:32:50 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=217.225.217.122 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=55886 DF PROTO=TCP SPT=3107 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 30 23:44:59 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=64.146.3.65 DST=24.167.195.150 LEN=44 TOS=0x00 PREC=0x00 TTL=113 ID=51323 DF PROTO=TCP SPT=1734 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 30 23:45:02 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=64.146.3.65 DST=24.167.195.150 LEN=44 TOS=0x00 PREC=0x00 TTL=113 ID=16252 DF PROTO=TCP SPT=1734 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 30 23:45:08 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=64.146.3.65 DST=24.167.195.150 LEN=44 TOS=0x00 PREC=0x00 TTL=113 ID=7549 DF PROTO=TCP SPT=1734 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 30 23:49:40 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=61.143.182.138 DST=24.167.195.150 LEN=561 TOS=0x00 PREC=0x00 TTL=98 ID=0 DF PROTO=UDP SPT=30110 DPT=1026 LEN=541
Oct 30 23:52:13 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=80.14.88.116 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=5979 DF PROTO=TCP SPT=1247 DPT=901 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 31 00:13:32 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=203.197.199.185 DST=24.167.195.150 LEN=518 TOS=0x00 PREC=0x00 TTL=233 ID=8851 PROTO=UDP SPT=32798 DPT=1026 LEN=498
Oct 31 00:37:02 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=66.30.240.62 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=33485 DF PROTO=TCP SPT=2199 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0

Lloyd Keen

Re: This is in my log file....
« Reply #1 on: October 31, 2003, 04:30:08 PM »
It's nothing to worry about. It just means your firewall's doing a bang-up job. If it concerns you, you can turn logging off with the following commands:
/sbin/e-smith/db configuration setprop masq Logging none
/sbin/e-smith/signal-event remoteaccess-update

Nathan Fowler

Re: This is in my log file....
« Reply #2 on: October 31, 2003, 06:23:59 PM »
Looks like SQL Slapper or something like that; Dport 1433 is MS-SQLServer.

Dport 17300, I see a lot of this traffic; I believe it's virus related (Kuang2TheVirus):
http://isc.incidents.org/port_details.html?port=17300

Basically, your firewall is working.
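Added example (not code from the thread or from SME Server): a small triage script that parses netfilter LOG lines of the kind Charlie posted, groups the drops by protocol and destination port, and counts distinct sources and distinct connection attempts. The eleven sample lines are the ones from the post above, embedded so the script runs offline. The labels for 1433 and 17300 come from Nathan's reply and the ISC link; the labels for UDP 1026 (Windows Messenger popup spam, a common 2003-era pattern) and TCP 901 (SWAT, the Samba web admin tool) are my own assumptions, not something the thread states.

```python
import re

# The denylog lines Charlie posted above, copied verbatim so this runs offline.
POSTED_LOG = """\
Oct 30 23:10:30 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=203.197.199.185 DST=24.167.195.150 LEN=518 TOS=0x00 PREC=0x00 TTL=233 ID=6803 PROTO=UDP SPT=32798 DPT=1026 LEN=498
Oct 30 23:30:02 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=141.157.186.70 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=38523 DF PROTO=TCP SPT=2287 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 30 23:32:47 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=217.225.217.122 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=55626 DF PROTO=TCP SPT=3107 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 30 23:32:50 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=217.225.217.122 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=55886 DF PROTO=TCP SPT=3107 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 30 23:44:59 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=64.146.3.65 DST=24.167.195.150 LEN=44 TOS=0x00 PREC=0x00 TTL=113 ID=51323 DF PROTO=TCP SPT=1734 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 30 23:45:02 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=64.146.3.65 DST=24.167.195.150 LEN=44 TOS=0x00 PREC=0x00 TTL=113 ID=16252 DF PROTO=TCP SPT=1734 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 30 23:45:08 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=64.146.3.65 DST=24.167.195.150 LEN=44 TOS=0x00 PREC=0x00 TTL=113 ID=7549 DF PROTO=TCP SPT=1734 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 30 23:49:40 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=61.143.182.138 DST=24.167.195.150 LEN=561 TOS=0x00 PREC=0x00 TTL=98 ID=0 DF PROTO=UDP SPT=30110 DPT=1026 LEN=541
Oct 30 23:52:13 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=80.14.88.116 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=5979 DF PROTO=TCP SPT=1247 DPT=901 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 31 00:13:32 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=203.197.199.185 DST=24.167.195.150 LEN=518 TOS=0x00 PREC=0x00 TTL=233 ID=8851 PROTO=UDP SPT=32798 DPT=1026 LEN=498
Oct 31 00:37:02 max kernel: denylog:IN=eth1 OUT= MAC=00:4f:49:03:04:39:00:08:e2:32:44:a8:08:00 SRC=66.30.240.62 DST=24.167.195.150 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=33485 DF PROTO=TCP SPT=2199 DPT=17300 WINDOW=64240 RES=0x00 SYN URGP=0
"""
POSTED_LINES = POSTED_LOG.strip().splitlines()

# Port labels. The first two are what the thread says; the last two are my assumptions.
PORT_NOTES = {
    ('TCP', 1433): 'MS SQL Server (per Nathan Fowler in the thread)',
    ('TCP', 17300): 'Kuang2 trojan (per the ISC port page linked in the thread)',
    ('UDP', 1026): 'Windows Messenger popup spam (assumption, common in 2003)',
    ('TCP', 901): 'SWAT, Samba web admin (assumption, well-known port)',
}

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'(?P<prefix>[^:]+):(?P<body>.*)$')


def parse_denylog_line(line):
    """Parse one netfilter LOG line into a dict; return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host'),
           'prefix': m.group('prefix'), 'flags': []}
    for tok in m.group('body').split():
        if '=' not in tok:              # bare tokens are flags: DF, SYN, ACK, ...
            rec['flags'].append(tok)
            continue
        key, _, val = tok.partition('=')
        # UDP lines carry LEN twice: IP total length first, then the UDP length.
        if key == 'LEN' and 'LEN' in rec:
            key = 'L4LEN'
        rec[key] = val
    for key in ('SPT', 'DPT', 'TTL', 'LEN', 'L4LEN'):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group dropped packets by (proto, dport) with source and attempt counts."""
    out = {}
    for line in lines:
        rec = parse_denylog_line(line)
        if rec is None or 'DPT' not in rec:
            continue
        key = (rec['PROTO'], rec['DPT'])
        entry = out.setdefault(key, {
            'packets': 0, 'sources': set(), 'attempts': set(),
            'note': PORT_NOTES.get(key, 'unlabelled; look the port up before worrying')})
        entry['packets'] += 1
        entry['sources'].add(rec['SRC'])
        # Same SRC and SPT repeated within seconds is one blocked TCP connection
        # being retransmitted by the client, not several separate probes.
        entry['attempts'].add((rec['SRC'], rec['SPT']))
    return out


def report(summary):
    """Render the summary as text, busiest port first."""
    rows = []
    for (proto, dpt), e in sorted(summary.items(), key=lambda kv: -kv[1]['packets']):
        rows.append('%s/%-5d packets=%d attempts=%d sources=%d  %s' % (
            proto, dpt, e['packets'], len(e['attempts']), len(e['sources']), e['note']))
    return '\n'.join(rows)


if __name__ == '__main__':
    print(report(summarize(POSTED_LINES)))
```

On the posted data this reports five packets to TCP/1433 but only two attempts: the three from 64.146.3.65 share source port 1734 and are retransmissions of one SYN the firewall never answered, which is exactly what a dropped connection looks like from the outside. Nothing here is directed at a port the server is meant to expose, so it reads as background scanning rather than anything targeted.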

Charlie

Re: This is in my log file....
« Reply #3 on: October 31, 2003, 10:47:10 PM »
Lloyd Keen wrote:
>
> It's nothing to worry about. It just means your firewall's
> doing a bang-up job. If it concerns you, you can turn logging
> off with the following commands:
> /sbin/e-smith/db configuration setprop masq Logging none
> /sbin/e-smith/signal-event remoteaccess-update

It doesn't bother me in the least if it shows it's working!  Thanks.