More firewall weirdness -- apparent spoof attempt
Wolfgang S. Rupprecht
wolfgang+gnus-baylisa at dailyplanet.dontspam.wsrcc.com
Wed Jan 28 08:27:04 PST 2004
david at catwhisker.org (David Wolfskill) writes:
> Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1026 in via dc0
>
> Now, the IP address of the packet filter's Internet-facing NIC is
> 62.193.123.122, and the NIC's designation is dc0. Rule 60000 is
> my catch-all "log & drop" rule. So the good news is that these
> things were dropped (& logged) anyway.
Looks like some hack using a UDP packet with a forged source address
of your interface. I see similar nonsense in my logs, minus the
forged source address.
Jan 28 05:17:36 capsicum ipmon[287]: 05:17:35.980390 tlp0 @100:2 b
dialup-64.156.39.12.Dial1.Denver1.Level3.net[64.156.39.12],666 ->
sonic.wsrcc.com[208.201.233.172],1026 PR udp len 20 574 IN
Someone is probing local ports 135/udp and immediately after that
1026/udp and 1027/udp. The probes always come from 666/udp.
I wonder if they were trying to hit the nfs/rpc daemons and just
missed because they move around a bit. Or is this another MS port
that leads to a buggy daemon and we should get our candles and
flashlights ready because there is going to be another major power
failure somewhere?
-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
The above "From:" address is valid. Don't mess with it.
Gripe to your senators about spam: http://www.wsrcc.com/spam/senators.html
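As an added example, not part of this thread, here is a small Python parser for the two log formats quoted above (FreeBSD ipfw via syslog, and IPFilter's ipmon) that flags the two things the posters describe: an inbound packet forging one of the host's own addresses as its source, and the 666/udp probes against 135, 1026 and 1027. The sample lines are copied from the posts and the local-address set is assumed.

```python
import re
from dataclasses import dataclass

# Constructed copies of the two log formats quoted in this thread (FreeBSD
# ipfw via syslog, and IPFilter's ipmon); addresses are the ones in the posts.
IPFW_LINE = ("Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP "
             "62.193.123.122:666 63.193.123.122:1026 in via dc0")
IPMON_LINE = ("Jan 28 05:17:36 capsicum ipmon[287]: 05:17:35.980390 tlp0 @100:2 b "
              "dialup-64.156.39.12.Dial1.Denver1.Level3.net[64.156.39.12],666 -> "
              "sonic.wsrcc.com[208.201.233.172],1026 PR udp len 20 574 IN")

IPFW_RE = re.compile(
    r"ipfw: \d+ \w+ (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\w+)")
IPMON_RE = re.compile(
    r"(?P<iface>\w+) @\S+ [bp] \S*\[(?P<src>[\d.]+)\],(?P<sport>\d+) -> "
    r"\S*\[(?P<dst>[\d.]+)\],(?P<dport>\d+) PR (?P<proto>\w+) .* (?P<dir>IN|OUT)")

PROBE_SRC_PORT = 666              # every probe in the thread came from 666/udp
PROBED_PORTS = {135, 1026, 1027}  # ... aimed at these local ports

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool
    iface: str

def parse(line):
    """Parse one ipfw or ipmon log line into a Packet; None for anything else."""
    m = IPFW_RE.search(line) or IPMON_RE.search(line)
    if not m:
        return None
    return Packet(m["proto"].lower(), m["src"], int(m["sport"]), m["dst"],
                  int(m["dport"]), m["dir"].lower() == "in", m["iface"])

def classify(pkt, local_addrs):
    """Findings for one packet, given the set of this host's own addresses."""
    findings = []
    # Inbound traffic claiming one of our own addresses as its source is forged.
    if pkt.inbound and pkt.src in local_addrs:
        findings.append("spoofed-local-source")
    # The 666/udp -> 135,1026,1027/udp pattern both posters report.
    if pkt.proto == "udp" and pkt.sport == PROBE_SRC_PORT and pkt.dport in PROBED_PORTS:
        findings.append("port-666-probe")
    return findings
```

Feed it the firewall log line by line and count findings per source address; the spoofed-local-source check is also the case an ingress anti-spoofing rule on the external interface should already be dropping.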