* Continuous attempt to connect to UDP port 2002
@ 2002-09-16 16:33 Omar Castaneda Acosta
2002-09-16 16:46 ` Sergi Coll
2002-09-16 19:15 ` Antony Stone
0 siblings, 2 replies; 6+ messages in thread
From: Omar Castaneda Acosta @ 2002-09-16 16:33 UTC (permalink / raw)
To: netfilter
Has anyone experienced this?
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=148.247.40.15 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=212.141.239.10 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=36 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=63.194.219.124 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=218.146.253.49 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=64.159.81.215 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=216.128.192.242 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=139.78.236.199 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=63.103.133.100 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=158.143.192.154 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=140.226.101.202 DST=148.223.7.178 LEN=88 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=210.143.108.231 DST=148.223.7.178 LEN=88 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=207.148.213.4 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=192.154.46.11 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=208.187.46.209 DST=148.223.7.178 LEN=88 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=64.132.126.58 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=61.100.192.25 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=200.210.231.209 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=202.4.160.59 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=166.104.125.83 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=203.131.79.34 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:42 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=216.229.183.80 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Omar Castañeda Acosta
Systems Administrator
iDEA S.A. de C.V.
mailto: omar@idea.com.mx
callto: voip.idea.com.mx (ext 109)
+52 (614) 414-2808 x 109
* Re: Continuous attempt to connect to UDP port 2002
2002-09-16 16:33 Continuous attempt to connect to UDP port 2002 Omar Castaneda Acosta
@ 2002-09-16 16:46 ` Sergi Coll
2002-09-16 19:15 ` Antony Stone
1 sibling, 0 replies; 6+ messages in thread
From: Sergi Coll @ 2002-09-16 16:46 UTC (permalink / raw)
To: Omar Castaneda Acosta; +Cc: netfilter
Hello,
> Has anyone experienced this?
> Sep 16 11:09:42 myhost kernel: Bad: IN=eth2 OUT=
> MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=216.229.183.80
> DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP
> SPT=2002 DPT=2002 LEN=49
I think it is the Apache/mod_ssl Worm. You can read the report at
http://www.cert.org/advisories/CA-2002-27.html
--
sergi@sim00.net
http://www.sim00.net/
* Re: Continuous attempt to connect to UDP port 2002
2002-09-16 16:33 Continuous attempt to connect to UDP port 2002 Omar Castaneda Acosta
2002-09-16 16:46 ` Sergi Coll
@ 2002-09-16 19:15 ` Antony Stone
2002-09-16 19:33 ` Arif Mahmood
1 sibling, 1 reply; 6+ messages in thread
From: Antony Stone @ 2002-09-16 19:15 UTC (permalink / raw)
To: netfilter
On Monday 16 September 2002 5:33 pm, Omar Castaneda Acosta wrote:
> Has anyone experienced this?
>
> Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT=
> MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=148.247.40.15
> DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP
> SPT=2002 DPT=2002 LEN=49
I haven't experienced it myself, but it looks like it's either a Trojan Horse
called TransScout, or a worm called Slapper:
http://www.by-users.co.uk/faqs/security/whchport
http://www.securezone.it/trojan/th10.htm
http://www.simplelogic.org/oddports.html
http://www.glocksoft.com/trojan_list/TransScout.htm
http://www.sophos.co.uk/virusinfo/analyses/linuxslappera.html
http://securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
Looks like you're not the only one seeing it, either:
http://isc.incidents.org/port_details.html?port=2002
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer
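An added example, not part of any message in this thread: a small parser for netfilter LOG lines like those in the original post, which counts how many distinct sources sent UDP packets with both source and destination port 2002 and which UDP lengths they used. The function names and the last sample line are assumptions made for this illustration.

```python
from collections import Counter

# Sample input: the first three lines are copied from the original post;
# the last line is constructed here as unrelated traffic that must not match.
SAMPLE_LOG = """\
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=148.247.40.15 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=212.141.239.10 DST=148.223.7.178 LEN=69 TOS=0x00 PREC=0x00 TTL=36 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=49
Sep 16 11:09:41 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=140.226.101.202 DST=148.223.7.178 LEN=88 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 16 11:09:43 myhost kernel: Bad: IN=eth2 OUT= MAC=00:e0:81:10:85:85:00:60:5c:f3:eb:f7:08:00 SRC=192.0.2.10 DST=148.223.7.178 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Split one netfilter LOG line into its KEY=value fields.

    LEN occurs twice on UDP lines (IP total length, then UDP length); the
    second occurrence is stored as UDPLEN. Bare IP flags go into FLAGS.
    """
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "LEN" and "LEN" in fields:
                key = "UDPLEN"
            fields[key] = val
        elif tok in ("DF", "MF", "CE"):
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def summarize_port(log_text, port=2002):
    """Count UDP packets whose source AND destination port equal `port`."""
    sources, lengths, packets = set(), Counter(), 0
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or "SRC" not in f:
            continue
        if f.get("SPT") != str(port) or f.get("DPT") != str(port):
            continue
        packets += 1
        sources.add(f["SRC"])
        if "UDPLEN" in f:
            lengths[int(f["UDPLEN"])] += 1
    return {"packets": packets, "distinct_sources": len(sources),
            "udp_lengths": dict(lengths)}


if __name__ == "__main__":
    print(summarize_port(SAMPLE_LOG))
```

A high ratio of distinct sources to packets within a one-second window, as in the posted log, points to many independent hosts rather than one sender retrying.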
* RE: Continuous attempt to connect to UDP port 2002
2002-09-16 19:15 ` Antony Stone
@ 2002-09-16 19:33 ` Arif Mahmood
2002-09-16 19:47 ` Michael Atighetchi
2002-09-16 21:23 ` Tom Eastep
0 siblings, 2 replies; 6+ messages in thread
From: Arif Mahmood @ 2002-09-16 19:33 UTC (permalink / raw)
To: netfilter
Hi,
Has anyone used "Shorewall"? The link is
http://www.shorewall.net/.
I'm thinking of using it, but before I get my feet wet I want to know your
suggestions on this.
Thanks and Best Regards,
Arif
* Re: Continuous attempt to connect to UDP port 2002
2002-09-16 19:33 ` Arif Mahmood
@ 2002-09-16 19:47 ` Michael Atighetchi
2002-09-16 21:23 ` Tom Eastep
1 sibling, 0 replies; 6+ messages in thread
From: Michael Atighetchi @ 2002-09-16 19:47 UTC (permalink / raw)
To: Arif Mahmood; +Cc: netfilter
Check out the CERT Advisory CA-2002-27 also.
Michael
On Mon, Sep 16, 2002 at 03:33:25PM -0400, Arif Mahmood wrote:
> Hi,
>
> Has anyone used "Shorewall"? The link is
> http://www.shorewall.net/.
> I'm thinking of using it, but before I get my feet wet I want to know your
> suggestions on this.
>
> Thanks and Best Regards,
>
> Arif
>
>
--
matighet@bbn.com BBN Technologies
* Re: Continuous attempt to connect to UDP port 2002
2002-09-16 19:33 ` Arif Mahmood
2002-09-16 19:47 ` Michael Atighetchi
@ 2002-09-16 21:23 ` Tom Eastep
1 sibling, 0 replies; 6+ messages in thread
From: Tom Eastep @ 2002-09-16 21:23 UTC (permalink / raw)
To: arif786; +Cc: netfilter
Arif Mahmood wrote:
> Hi,
>
> Has anyone used "Shorewall"? The link is
> http://www.shorewall.net/.
> I'm thinking of using it, but before I get my feet wet I want to know your
> suggestions on this.
>
Don't know how much feedback you'll get here since I doubt that too many
folks that use Shorewall also subscribe to the NetFilter list. People that
use a product like Shorewall do so in order to avoid dealing directly with
Netfilter/iptables.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net