
Re: strange masq packets



Try pinging that IP, and then doing "arp -a". Compare the MAC address to 
the other machines on your network.

If the arp table doesn't contain your IP, then this looks like a 
masqueraded source IP. If the arp table does have the IP, but the MAC 
address is none of your machines, you can be pretty sure that something 
malicious is going on.

Either way, see if you can get that communication to take place, and 
start disconnecting machines from the HUB.

            Shachar


Cedar Cox wrote:

>Well, I guess they're probably not that "strange". 
>
>Unusual System Events
>=-=-=-=-=-=-=-=-=-=-=
>Nov 17 22:36:53 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3796 F=0x0000 T=255 (#2)
>Nov 17 22:36:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3844 F=0x0000 T=255 (#2)
>Nov 17 22:37:10 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3983 F=0x0000 T=255 (#2)
>Nov 17 22:37:32 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4063 F=0x0000 T=255 (#2)
>Nov 17 22:38:18 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4071 F=0x0000 T=255 (#2)
>Nov 17 22:40:38 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4317 F=0x0000 T=255 (#2)
>Nov 17 22:40:49 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4449 F=0x0000 T=255 (#2)
>Nov 17 22:41:12 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4477 F=0x0000 T=255 (#2)
>Nov 17 22:41:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4495 F=0x0000 T=255 (#2)
>
>Correct me if I'm wrong but it just looks like an internal (masq'ed) host
>tried to contact the 172.26 network.  We do not use this network so it was
>sent to the default route but blocked on the way out (..just a safety so
>no private traffic gets sent out the ppp0 interface).
>
>Anyway, my question is how do I log which internal machine sent these
>packets (2.2 kernel)?  I have a machine that's under "quarantine" but
>still on the network.  I'd just like to know if it's that one doing
>"suspicious things"...
>
>Thanks,
>-Cedar
>
>
>=================================================================
>To unsubscribe, send mail to linux-il-request@linux.org.il with
>the word "unsubscribe" in the message body, e.g., run the command
>echo unsubscribe | mail linux-il-request@linux.org.il
>
>
>
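The nine log lines above are the starting point for any triage, so here is an added example (mine, not code from either poster or from the linux-il list) that parses the ipchains "Packet log:" format, groups the lines into connection attempts and flags private destinations seen on the external interface. It assumes ppp0 is the external link, as the quoted rules imply, and the sample input is the thread's own lines embedded inline so the script runs offline.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input: the nine ipchains "Packet log:" lines quoted in
# the thread, embedded here so the script runs offline.
SAMPLE_LOG = """\
Nov 17 22:36:53 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3796 F=0x0000 T=255 (#2)
Nov 17 22:36:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3844 F=0x0000 T=255 (#2)
Nov 17 22:37:10 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3983 F=0x0000 T=255 (#2)
Nov 17 22:37:32 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4063 F=0x0000 T=255 (#2)
Nov 17 22:38:18 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4071 F=0x0000 T=255 (#2)
Nov 17 22:40:38 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4317 F=0x0000 T=255 (#2)
Nov 17 22:40:49 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4449 F=0x0000 T=255 (#2)
Nov 17 22:41:12 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4477 F=0x0000 T=255 (#2)
Nov 17 22:41:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4495 F=0x0000 T=255 (#2)
"""

# One ipchains log line: chain, verdict, interface, protocol, src:port, dst:port,
# total length, TOS, IP id, fragment flags, TTL and the matching rule number.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)


def parse_packet_log(text):
    """Return one dict per line that matches the ipchains packet log format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other syslog lines are skipped, not treated as errors
        rec = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def flow_counts(records):
    """Count log lines per (src, sport, dst, dport) 4-tuple.

    A TCP connection attempt keeps its source port across retransmits, so
    one 4-tuple repeated with increasing IP ids and no payload is most likely
    a single connect() retrying, not many separate events.
    """
    return Counter((r["src"], r["sport"], r["dst"], r["dport"]) for r in records)


def private_destinations_on_external(records, external_iface="ppp0"):
    """Return records whose RFC 1918 destination was seen on the external
    interface: traffic that should never leave the site, whatever its source."""
    hits = []
    for r in records:
        if r["iface"] != external_iface:
            continue
        if ipaddress.ip_address(r["dst"]).is_private:
            hits.append(r)
    return hits


def is_header_only_tcp(rec):
    """True for a 40-byte, unfragmented TCP packet: a 20-byte IP header plus a
    20-byte TCP header, so no options and no payload (the shape of a bare SYN)."""
    return rec["proto"] == 6 and rec["length"] == 40 and rec["frag"] == "0x0000"


if __name__ == "__main__":
    recs = parse_packet_log(SAMPLE_LOG)
    for flow, n in flow_counts(recs).items():
        print("%s:%d -> %s:%d  %d packets" % (flow[0], flow[1], flow[2], flow[3], n))
    leaks = private_destinations_on_external(recs)
    print("%d of %d logged packets had private destinations on ppp0"
          % (len(leaks), len(recs)))
```

Run against the sample, the script collapses the nine lines into two connection attempts (one per 172.26.140.x host, each retried a few times), all header-only TCP and all with private destinations on ppp0. The parser cannot answer Cedar's actual question because the output chain logs the packet after masquerading has already rewritten the source to the ppp0 address; to record the original internal host, the same match has to be logged before the rewrite, for example with an ipchains rule on the input chain of the internal interface (eth0 here is an assumed name): `ipchains -A input -i eth0 -d 172.26.0.0/16 -l -j DENY`. The script would then parse those lines unchanged and `flow_counts` would show the internal source address in place of the ppp0 one.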