* Strange log entry ...
@ 2002-07-08 14:07 Raymond Leach
  2002-07-08 14:07 ` Ed Street
  0 siblings, 1 reply; 6+ messages in thread
From: Raymond Leach @ 2002-07-08 14:07 UTC (permalink / raw)
  To: netfilter

Hi

Can anyone tell me what this is?

Jul  8 16:04:23 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
ID=18763 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
Jul  8 16:04:26 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
ID=18764 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0

I do not allow incoming echo requests to this machine. How the echo
reply is generated beats me ...

Ray





* RE: Strange log entry ...
  2002-07-08 14:07 Strange log entry Raymond Leach
@ 2002-07-08 14:07 ` Ed Street
  2002-07-08 14:29   ` Raymond Leach
  0 siblings, 1 reply; 6+ messages in thread
From: Ed Street @ 2002-07-08 14:07 UTC (permalink / raw)
  To: 'Raymond Leach', netfilter

Hello,


Looks like station 10.0.0.19 on eth2 tried to ping 199.181.167.201 and
it was dropped.

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Raymond Leach
Sent: Monday, July 08, 2002 10:07 AM
To: netfilter@lists.samba.org
Subject: Strange log entry ...

Hi

Can anyone tell me what this is?

Jul  8 16:04:23 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
ID=18763 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
Jul  8 16:04:26 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
ID=18764 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0

I do not allow incoming echo requests to this machine. How the echo
reply is generated beats me ...

Ray






* RE: Strange log entry ...
  2002-07-08 14:07 ` Ed Street
@ 2002-07-08 14:29   ` Raymond Leach
  2002-07-08 14:36     ` Ramin Alidousti
  2002-07-08 14:39     ` Ed Street
  0 siblings, 2 replies; 6+ messages in thread
From: Raymond Leach @ 2002-07-08 14:29 UTC (permalink / raw)
  To: blacknet; +Cc: netfilter

On Mon, 2002-07-08 at 16:07, Ed Street wrote:
> Hello,
> 
> 
> Looks like station 10.0.0.19 on eth2 tried to ping 199.181.167.201 and
> it was dropped.
> 
I've checked the process list on 10.0.0.19 and also restarted it just to
make sure, and there is nothing that is trying to ping anywhere.

Isn't ICMP CODE 0 TYPE 0 a reply? Doesn't this log entry represent
10.0.0.19's reply to an echo request?

Ray
> Ed
> 
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Raymond Leach
> Sent: Monday, July 08, 2002 10:07 AM
> To: netfilter@lists.samba.org
> Subject: Strange log entry ...
> 
> Hi
> 
> Can anyone tell me what this is?
> 
> Jul  8 16:04:23 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
> ID=18763 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
> Jul  8 16:04:26 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
> ID=18764 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
> 
> I do not allow incoming echo requests to this machine. How the echo
> reply is generated beats me ...
> 
> Ray
> 
> 




* Re: Strange log entry ...
  2002-07-08 14:29   ` Raymond Leach
@ 2002-07-08 14:36     ` Ramin Alidousti
  2002-07-08 17:15       ` Ramin Alidousti
  2002-07-08 14:39     ` Ed Street
  1 sibling, 1 reply; 6+ messages in thread
From: Ramin Alidousti @ 2002-07-08 14:36 UTC (permalink / raw)
  To: Raymond Leach; +Cc: blacknet, netfilter

On Mon, Jul 08, 2002 at 04:29:51PM +0200, Raymond Leach wrote:

> On Mon, 2002-07-08 at 16:07, Ed Street wrote:
> > Hello,
> > 
> > 
> > Looks like station 10.0.0.19 on eth2 tried to ping 199.181.167.201 and
> > it was dropped.
> > 
> I've checked the process list on 10.0.0.19 and also restarted it just to
> make sure, and there is nothing that is trying to ping anywhere.
> 
> Isn't ICMP CODE 0 TYPE 0 a reply? Doesn't this log entry represent
> 10.0.0.19's reply to an echo request?

Don't you have any backdoor?? If not, then 10.0.0.19 might be replying
to a spoofed ping from the inside...

Ramin

> 
> Ray
> > Ed
> > 
> > -----Original Message-----
> > From: netfilter-admin@lists.samba.org
> > [mailto:netfilter-admin@lists.samba.org] On Behalf Of Raymond Leach
> > Sent: Monday, July 08, 2002 10:07 AM
> > To: netfilter@lists.samba.org
> > Subject: Strange log entry ...
> > 
> > Hi
> > 
> > Can anyone tell me what this is?
> > 
> > Jul  8 16:04:23 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> > SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
> > ID=18763 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
> > Jul  8 16:04:26 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> > SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
> > ID=18764 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
> > 
> > I do not allow incoming echo requests to this machine. How the echo
> > reply is generated beats me ...
> > 
> > Ray
> > 
> > 
> 



* RE: Strange log entry ...
  2002-07-08 14:29   ` Raymond Leach
  2002-07-08 14:36     ` Ramin Alidousti
@ 2002-07-08 14:39     ` Ed Street
  1 sibling, 0 replies; 6+ messages in thread
From: Ed Street @ 2002-07-08 14:39 UTC (permalink / raw)
  To: 'Raymond Leach'; +Cc: netfilter

Hello,

Yes it is a reply.  See http://www.iana.org/assignments/icmp-parameters

Ed


-----Original Message-----
From: Raymond Leach [mailto:raymondl@knowledgefactory.co.za] 
Sent: Monday, July 08, 2002 10:30 AM
To: blacknet@simplyaquatics.com
Cc: netfilter@lists.samba.org
Subject: RE: Strange log entry ...

On Mon, 2002-07-08 at 16:07, Ed Street wrote:
> Hello,
> 
> 
> Looks like station 10.0.0.19 on eth2 tried to ping 199.181.167.201 and
> it was dropped.
> 
I've checked the process list on 10.0.0.19 and also restarted it just to
make sure, and there is nothing that is trying to ping anywhere.

Isn't ICMP CODE 0 TYPE 0 a reply? Doesn't this log entry represent
10.0.0.19's reply to an echo request?

Ray
> Ed
> 
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Raymond Leach
> Sent: Monday, July 08, 2002 10:07 AM
> To: netfilter@lists.samba.org
> Subject: Strange log entry ...
> 
> Hi
> 
> Can anyone tell me what this is?
> 
> Jul  8 16:04:23 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
> ID=18763 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
> Jul  8 16:04:26 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
> SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
> ID=18764 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
> 
> I do not allow incoming echo requests to this machine. How the echo
> reply is generated beats me ...
> 
> Ray
> 
> 




* Re: Strange log entry ...
  2002-07-08 14:36     ` Ramin Alidousti
@ 2002-07-08 17:15       ` Ramin Alidousti
  0 siblings, 0 replies; 6+ messages in thread
From: Ramin Alidousti @ 2002-07-08 17:15 UTC (permalink / raw)
  To: netfilter; +Cc: Raymond Leach, blacknet

On Mon, Jul 08, 2002 at 10:36:56AM -0400, Ramin Alidousti wrote:

> On Mon, Jul 08, 2002 at 04:29:51PM +0200, Raymond Leach wrote:
> 
> > On Mon, 2002-07-08 at 16:07, Ed Street wrote:
> > > Hello,
> > > 
> > > 
> > > > Looks like station 10.0.0.19 on eth2 tried to ping 199.181.167.201 and
> > > > it was dropped.
> > > 
> > I've checked the process list on 10.0.0.19 and also restarted it just to
> > make sure, and there is nothing that is trying to ping anywhere.
> > 
> > Isn't ICMP CODE 0 TYPE 0 a reply? Doesn't this log entry represent
> > 10.0.0.19's reply to an echo request?
> 
> Don't you have any backdoor?? If not, then 10.0.0.19 might be replying
> to a spoofed ping from the inside...

Second thought. It probably isn't due to a backdoor as this backdoor
would need to do the same natting that you're doing on your firewall.
So it'd narrow down to the spoofed ping from the inside.

Ramin
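
Added example, not part of any message in this thread: a small Python check that parses netfilter LOG records like the ones quoted above and reports ICMP echo replies (TYPE=0) for which no earlier echo request (TYPE=8) in the opposite direction was logged. It assumes the firewall also logs echo requests; the "LOG ICMP:" prefix and the 192.0.2.7 / 10.0.0.20 records are constructed for illustration.

```python
import re

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP types per the IANA icmp-parameters registry

# First two records are the ones quoted in the thread (still mail-wrapped);
# the last two are constructed: a logged request and its matching reply.
SAMPLE = """\
Jul  8 16:04:23 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
ID=18763 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
Jul  8 16:04:26 firefly kernel: DROP FORWARD INTERNAL: IN=eth2 OUT=eth0
SRC=10.0.0.19 DST=199.181.167.201 LEN=1044 TOS=0x00 PREC=0x00 TTL=254
ID=18764 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
Jul  8 16:05:01 firefly kernel: LOG ICMP: IN=eth0 OUT=eth2 SRC=192.0.2.7 DST=10.0.0.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=100 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jul  8 16:05:01 firefly kernel: LOG ICMP: IN=eth2 OUT=eth0 SRC=10.0.0.20 DST=192.0.2.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=101 PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1
"""

def parse_log(text):
    """Rejoin wrapped syslog records, then split each into KEY=VALUE lists."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ", line):
            records.append(line)            # timestamp starts a new record
        elif records:
            records[-1] += " " + line       # continuation of a wrapped record
    parsed = []
    for rec in records:
        fields = {}
        for key, val in re.findall(r"\b([A-Z]+)=(\S*)", rec):
            fields.setdefault(key, []).append(val)
        parsed.append(fields)
    return parsed

def unsolicited_echo_replies(parsed):
    """Echo replies (TYPE=0) with no earlier logged request (TYPE=8) to answer."""
    requests, findings = set(), []
    for f in parsed:
        if f.get("PROTO") != ["ICMP"] or "TYPE" not in f:
            continue
        src, dst = f["SRC"][0], f["DST"][0]
        # ID= appears twice: the IP ID first, the ICMP echo identifier last.
        icmp_type, echo_id = int(f["TYPE"][0]), f["ID"][-1]
        if icmp_type == ECHO_REQUEST:
            requests.add((src, dst, echo_id))
        elif icmp_type == ECHO_REPLY and (dst, src, echo_id) not in requests:
            findings.append((src, dst, echo_id))
    return findings

print(unsolicited_echo_replies(parse_log(SAMPLE)))
```

Both records from the thread are reported, while the constructed reply from 10.0.0.20 is not, because its request was logged first.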

