Linode Forum
Post subject: SYN attack?
Posted: Fri Aug 25, 2006 12:09 pm
Junior Member

Joined: Mon Nov 01, 2004 4:36 pm
Posts: 21
Hi Folks,

Just checking the /var/log/messages and I see the following (excerpt):

Code:
Aug 25 10:45:05 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:02:fc:64:d8:af:08:00 SRC=70.73.58.120 DST=70.85.129.55 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=30039 DF PROTO=TCP SPT=3289 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 25 10:51:49 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:02:fc:64:d8:af:08:00 SRC=151.57.22.226 DST=70.85.129.55 LEN=404 TOS=0x00 PREC=0x00 TTL=52 ID=33002 PROTO=UDP SPT=31186 DPT=1026 LEN=384
Aug 25 11:08:02 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:d0:ba:1f:b5:cf:08:00 SRC=108.196.65.140 DST=70.85.129.55 LEN=404 TOS=0x00 PREC=0x00 TTL=57 ID=8496 PROTO=UDP SPT=31186 DPT=1026 LEN=384
Aug 25 11:09:58 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:d0:ba:1f:b5:cf:08:00 SRC=66.199.245.201 DST=70.85.129.55 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=53457 DF PROTO=TCP SPT=1770 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 25 11:10:01 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:d0:ba:1f:b5:cf:08:00 SRC=66.199.245.201 DST=70.85.129.55 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=55647 DF PROTO=TCP SPT=1770 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 25 11:32:46 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:02:fc:64:d8:af:08:00 SRC=70.68.73.144 DST=70.85.129.55 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=22207 DF PROTO=TCP SPT=2900 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Aug 25 11:51:05 localhost kernel: IN-internet:IN=eth0 OUT= MAC=fe:fd:46:55:81:37:00:d0:ba:1f:b5:cf:08:00 SRC=81.176.69.92 DST=70.85.129.55 LEN=40 TOS=0x00 PREC=0x00 TTL=97 ID=256 DF PROTO=TCP SPT=80 DPT=1222 WINDOW=16384 RES=0x00 ACK SYN URGP=0


Can anyone advise what's going on here? Doesn't look that high traffic (the requests seem quite spaced out, and not all from the same host), but I wasn't sure if it's something I should be worried about.

Thanks, Tom


Posted: Fri Aug 25, 2006 12:47 pm
Junior Member

Joined: Mon Nov 01, 2004 4:36 pm
Posts: 21
Replying to my own posting here...

Seems like it's definitely a bunch of suspect hacking attempts. The DPT is the destination port, and from looking at them they seem to be things like MS DTC... I tried doing a telnet to my server on that port and got the same error messages in /var/log/messages.

I'm using firehol as my firewall (well, actually as a firewall builder). Will do some investigation on logs for that and see what I can see...


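As an added example (not from this thread or from firehol itself), here is a small Python parser for the netfilter LOG lines quoted above. It groups logged packets by protocol and destination port (the DPT field explained in the reply) and reports how many distinct hosts hit each port and whether each packet was a bare SYN, an unsolicited SYN-ACK or a UDP datagram. The sample lines are constructed in the same format, with documentation-range addresses and some fields trimmed; the `IN-internet` prefix is the one from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the post's netfilter LOG format (firehol "IN-internet" prefix), trimmed; documentation-range addresses.
SAMPLE_LOG = """\
Aug 25 10:45:05 localhost kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=116 DF PROTO=TCP SPT=3289 DPT=135 SYN URGP=0
Aug 25 10:51:49 localhost kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=404 TTL=52 PROTO=UDP SPT=31186 DPT=1026 LEN=384
Aug 25 11:09:58 localhost kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=48 TTL=117 DF PROTO=TCP SPT=1770 DPT=1433 SYN URGP=0
Aug 25 11:32:46 localhost kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=64 TTL=37 DF PROTO=TCP SPT=2900 DPT=135 SYN URGP=0
Aug 25 11:51:05 localhost kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 LEN=40 TTL=97 DF PROTO=TCP SPT=80 DPT=1222 ACK SYN URGP=0
"""

# After "kernel: " comes an optional "prefix:" then key=value fields; bare tokens (DF, SYN, ACK, ...) are valueless flags.
LINE_RE = re.compile(r"kernel: (?:[^ ]*?:)?(?P<fields>IN=.*)$")
FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return (fields, flags) for a netfilter LOG line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v  # UDP lines repeat LEN=; the last value wins
        elif tok in FLAGS:
            flags.add(tok)
    return fields, flags

def classify(fields, flags):
    """Describe the logged packet from the firewall's (defender's) side."""
    if fields.get("PROTO") != "TCP":
        return f"{fields.get('PROTO', '?')} datagram"
    if {"SYN", "ACK"} <= flags:
        return "unsolicited SYN-ACK (possible backscatter)"
    return "inbound connection attempt (bare SYN)" if "SYN" in flags else "other TCP segment"

def summarize(text):
    """Group logged packets by (PROTO, DPT): count, distinct sources and packet kinds."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "kinds": set()})
    for line in text.splitlines():
        if parsed := parse_line(line):
            fields, flags = parsed
            g = groups[(fields["PROTO"], int(fields["DPT"]))]
            g["count"] += 1
            g["sources"].add(fields["SRC"])
            g["kinds"].add(classify(fields, flags))
    return dict(groups)
```

Run `summarize` over the real `/var/log/messages` content to see whether the hits cluster on a few well-known ports from many hosts (background scanning) or on one port from one host.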
Posted: Sat Sep 02, 2006 2:08 am
Senior Newbie

Joined: Mon Nov 28, 2005 1:44 pm
Posts: 13
Location: Cupertino, CA
Locate the email address by `whois <source ip>`, then send an email to them with the evidence in the logs. Ask them to block the packets and to notify you of what actions they take.


Posted: Sat Sep 02, 2006 12:28 pm

Joined: Sat Sep 02, 2006 12:25 pm
Posts: 1
I also use firehol and see this in my logs... Any info at all on what this is and how to fix it would be great.

Thanks

