UPDATE: more SSH hacking

Dave Rinker drinker at dsrtech.com
Tue Aug 10 12:24:21 UTC 2004



I don't see it; I see two inbound packets
to your eth1 inbound.

SRC IP: 221.15.178.84  
DST IP: 63.69.210.36 
PROTO: TCP
SPT: 4262
DPT: 1025
SYN PACKET

I would look here for more details on TCP port 1025:
http://www.incidents.org/port_details.php?port=1025




On Tue, 2004-08-10 at 04:54, Brian Fahrlander wrote:
>     I was just noticing, while trying to reload a machine with FC1 (long
> story- don't ask) I was watching the log and noticed something I noticed
> earlier:
> 
> Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> 
> <slight delay here and then:>
> Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
> 
> 
>     I'm no firewall-guru, but this having happened more than once, I get
> the feeling our new SSH-hacking friend might be trying to get around the
> firewall.
> 
>     Does anyone else concur?
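Added example, not part of the original messages: a small parser for the kernel firewall log lines quoted above. It extracts the fields listed in the reply (SRC, DST, PROTO, SPT, DPT, flags) and groups SYN-only packets by 5-tuple, so a SYN retransmitted from the same source port is counted as one connection attempt. The function names and the `year` default are assumptions of this example; the log lines are copied from the quoted message.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the quoted message (syslog carries no year; 2004 is assumed).
LOG = """\
Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=VALUE pairs; value may be empty (OUT=)
FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")  # bare tokens, distinct from URGP=0


def parse_line(line, year=2004):
    """Return a dict for one netfilter LOG line, or None for other kernel messages."""
    if " IN=" not in line or "SRC=" not in line:
        return None                            # e.g. the "martian destination" line
    head, _, rest = line.partition(" kernel: ")
    pkt = dict(FIELD.findall(rest))
    pkt["TIME"] = datetime.strptime(f"{year} {head[:15]}", "%Y %b %d %H:%M:%S")
    tokens = rest.split()
    pkt["FLAGS"] = [f for f in FLAGS if f in tokens]
    return pkt


def connection_attempts(text):
    """Group SYN-only packets by 5-tuple; repeats of one tuple are retransmissions."""
    seen = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["FLAGS"] == ["SYN"]:
            key = (pkt["PROTO"], pkt["SRC"], int(pkt["SPT"]),
                   pkt["DST"], int(pkt["DPT"]))
            seen[key].append(pkt["TIME"])
    return {k: {"packets": len(t), "span_s": (max(t) - min(t)).total_seconds()}
            for k, t in seen.items()}


if __name__ == "__main__":
    for key, info in connection_attempts(LOG).items():
        print(key, info)
```

Many distinct destination ports or source addresses in the output would point to scanning; a single tuple with a packet count above one is the same attempt being retried.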