Re: Anyone Else Getting Hits Like This ?


Subject: Re: Anyone Else Getting Hits Like This ?
From: Craig Callender (craigc@corith.com)
Date: Thu Feb 28 2002 - 15:11:00 AKST


68 and 67 are DHCP

Craig

On Thu, 28 Feb 2002, Robert Swift wrote:

Date: Thu, 28 Feb 2002 15:05:58 -0900
From: Robert Swift <bswift@customcpu.com>
To: Fielder George Dowding <fgdowding@iceworm-enterprises.net>
Cc: aklug@aklug.org
Subject: Re: Anyone Else Getting Hits Like This ?

George,
    Appears to be a broadcast packet from your machine - eth1 and can be
confirmed by ID'ing the MAC address of your eth1 NIC. The SouRCe=0.0.0.0 is
your network broadcast. The DeSTination=255.255.255.255 is everyone on your
network. The LENgth=328 bytes and the PROTOcol=udp... It's been a while
since I sniffed packets but I'm guessing you have a service running on your
machine that periodically broadcasts on your network... i.e., Samba perhaps
... but you said the DSL is off so it definitely comes from your
machine... I may be off here but I think the SPT and DPT are the source
and destination ports, so what service do you have running that uses those
ports?
Bob

----- Original Message -----
From: "Fielder George Dowding" <fgdowding@iceworm-enterprises.net>
To: <aklug@aklug.org>
Sent: Wednesday, February 27, 2002 9:47 PM
Subject: Re: Anyone Else Getting Hits Like This ?

>
> Can anyone tell me what this is from or doing? It happens whether or
> not I have DSL up. The "\" indicates a line break that was not in the
> syslog file.
>
> fgd
>
> Feb 27 21:43:26 seth kernel: IN=eth1 \
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:60:38:60:41:b8:08:00 \
> SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 \
> PREC=0x00 TTL=128 ID=40188 PROTO=UDP SPT=68 DPT=67 LEN=308
>
> On Wed, 27 Feb 2002 15:50:30 +0800
> "Jason C. Neumann" <lister@geekvenue.net> wrote:
>
> >
> > My site's logging quite a few. I believe it's our good ol' friend
> > Nimda or similar.
> >
> > -Jason
> >
> > > 209.34.27.7 - - [27/Feb/2002:08:31:47 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278
> > > 209.34.27.7 - - [27/Feb/2002:08:31:48 -0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
> > > 209.34.27.7 - - [27/Feb/2002:08:31:50 -0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
> > > 209.34.27.7 - - [27/Feb/2002:08:31:51 -0900] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

        In the beginning there was data. The data was without form and
null, and darkness was upon the face of the console; and the Spirit of
IBM was moving over the face of the market. And DEC said, "Let there
be registers"; and there were registers. And DEC saw that they
carried; and DEC separated the data from the instructions. DEC called
the data Stack, and the instructions they called Code. And there was
evening and there was morning, one interrupt.
                -- Rico Tudor, "The Story of Creation or, The Myth of Urk"
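
An added example, not part of the original thread: a small Python reader for the netfilter LOG entry quoted above. It splits the MAC= field (destination MAC, source MAC, EtherType, in that order for Ethernet frames) and labels the UDP 68/67 port pair as DHCP. The sample is the thread's syslog entry rejoined onto one line; all function names are illustrative.

```python
import re

# Constructed sample: the syslog entry from the thread, rejoined onto one line.
SAMPLE = ("Feb 27 21:43:26 seth kernel: IN=eth1 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:60:38:60:41:b8:08:00 "
          "SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 "
          "PREC=0x00 TTL=128 ID=40188 PROTO=UDP SPT=68 DPT=67 LEN=308")

def parse_netfilter(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict.
    LEN appears twice (IP total length, then UDP length); the first is
    kept as LEN and the second stored as UDPLEN."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        if key == "LEN" and "LEN" in fields:
            key = "UDPLEN"
        fields[key] = value
    return fields

def split_mac(mac_field):
    """Split the 14-octet MAC= field into (dst MAC, src MAC, EtherType)."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets in MAC= field")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])

def classify(fields):
    """Label the DHCP/BOOTP direction from the UDP port pair."""
    if fields.get("PROTO") != "UDP":
        return "not-udp"
    ports = (fields.get("SPT"), fields.get("DPT"))
    if ports == ("68", "67"):
        # A client that has no address yet sends from 0.0.0.0 to broadcast.
        if fields.get("SRC") == "0.0.0.0" and fields.get("DST") == "255.255.255.255":
            return "dhcp-client-broadcast"
        return "dhcp-client-to-server"
    if ports == ("67", "68"):
        return "dhcp-server-to-client"
    return "other-udp"

def summarize(line):
    """Interface, traffic label and frame addresses for one log line."""
    f = parse_netfilter(line)
    dst, src, ethertype = split_mac(f["MAC"])
    return {"iface": f.get("IN"), "kind": classify(f), "src_mac": src,
            "dst_mac": dst, "ethertype": ethertype}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The source MAC in the result is the address of the NIC that sent the frame, so comparing it with the addresses of the hosts on the segment identifies the DHCP client.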


