[Dshield] RE: Log ID and Template question...

John Hardin johnh at aproposretail.com
Mon Jul 23 22:36:07 GMT 2001


Ryan J Betz wrote:
> 
> It looks like people are trying to connect to your machine thinking it's an
> IRC server.
> 
> Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 129.250.240.197:6667  L=40 S=0x00 I=19378 F=0x4000 T=54
> Jul 22 09:27:35 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 194.47.161.38:6667 206.126.3.14:62711 L=40 S=0x00 I=19059 F=0x4000 T=37
> Jul 22 09:12:33 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 195.159.0.91:6667 206.126.3.14:62623 L=40 S=0x00 I=22974 F=0x4000 T=43
> Jul 22 09:21:51 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 207.96.122.252:6667 206.126.3.14:62640 L=44 S=0x00 I=65459 F=0x4000 T=43
> Jul 22 09:03:13 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 209.116.7.98:6667 206.126.3.14:62537 L=40 S=0x00 I=20764 F=0x4000 T=48
> Jul 22 09:37:25 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 65.161.40.142:6667 206.126.3.14:62726 L=48 S=0x00 I=0 F=0x4000 T=45

Are you sure? The SYN bit doesn't appear to be set, which I'd expect on
initial inbound TCP requests.

These all look to me like IRC *responses* - the outbound IRC traffic is
permitted but the server's response is being blocked. Someone could be
scanning you from the IRC port in an attempt to bypass your firewall,
but the many different source IP addresses argue against that.

I would check 206.126.3.14 for some kind of IRC client software -
including, most dangerously, a DDoS zombie, many of which register on
and are controlled via public IRC servers when active. 

You may also want to add a rule blocking outbound traffic destined to
6666:6668/tcp and see what it reports.

--
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
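The check applied in the reply above (no trailing SYN token on the ipchains line, and many distinct remote hosts answering from port 6667 to one local address) carried out over sample log lines, as an added example that is not part of the original post. The log lines below are constructed in the format quoted in the thread, using RFC 5737 documentation addresses in place of the real ones; the names IRC_PORTS, parse_line, classify and summarize are chosen here, not taken from any tool.

```python
import re
from collections import Counter, defaultdict

# The port range the reply suggests blocking outbound.
IRC_PORTS = {6666, 6667, 6668}

# ipchains "Packet log:" line as quoted in the thread.  ipchains appends a
# trailing " SYN" token only for connection-opening packets (SYN set, ACK
# clear).  The F= field is the IP fragment word (0x4000 = don't-fragment),
# not the TCP flags, so it says nothing about SYN.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) +"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?"
)

# Constructed sample: same layout as the quoted log, documentation addresses.
SAMPLE_LOG = """\
Jul 22 09:03:13 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:6667 192.0.2.14:62537 L=40 S=0x00 I=20764 F=0x4000 T=48
Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.9:6667 192.0.2.14:62591 L=40 S=0x00 I=19378 F=0x4000 T=54
Jul 22 09:12:33 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.91:6667 192.0.2.14:62623 L=40 S=0x00 I=22974 F=0x4000 T=43
Jul 22 09:21:51 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.252:6667 192.0.2.14:62640 L=44 S=0x00 I=65459 F=0x4000 T=43
Jul 22 09:30:02 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.66:3209 192.0.2.14:6667 L=60 S=0x00 I=4410 F=0x4000 T=51 SYN
Jul 22 09:31:10 pohakea kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.66:1034 192.0.2.14:137 L=78 S=0x00 I=4411 F=0x0000 T=51
Jul 22 09:31:11 pohakea kernel: not a packet log line
"""


def parse_line(line):
    """Return a dict for one ipchains packet-log line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "ttl": int(d["ttl"]),
        "syn": d["syn"] is not None,
    }


def classify(pkt):
    """Apply the reply's reasoning to one rejected inbound packet."""
    if pkt["proto"] != 6:
        return "non-tcp"
    if pkt["syn"]:
        # A connection attempt aimed at us: what a probe or scan looks like.
        return "inbound-connect"
    if pkt["sport"] in IRC_PORTS and pkt["dport"] >= 1024:
        # Non-SYN from an IRC port to a high port: the server's half of a
        # session our own host opened, blocked on the way back in.
        return "irc-reply"
    return "other-non-syn"


def summarize(lines):
    """Count verdicts and name the local hosts worth inspecting."""
    pkts = [p for p in map(parse_line, lines) if p]
    labelled = [(classify(p), p) for p in pkts]
    counts = dict(Counter(label for label, _ in labelled))
    replies = [p for label, p in labelled if label == "irc-reply"]
    probes = [p for label, p in labelled if label == "inbound-connect"]

    # One remote source hitting many local addresses from 6667 would fit a
    # scan; several distinct servers answering one local host fits an IRC
    # client (or a bot that registers over IRC) running on that host.
    servers_per_host = defaultdict(set)
    for p in replies:
        servers_per_host[p["dst"]].add(p["src"])

    return {
        "parsed": len(pkts),
        "counts": counts,
        "irc_servers": sorted({p["src"] for p in replies}),
        "hosts_to_inspect": sorted(
            h for h, s in servers_per_host.items() if len(s) >= 2),
        "syn_probe_sources": sorted({p["src"] for p in probes}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Feed it the kernel log (for example `summarize(open("/var/log/messages").read().splitlines())`) and `hosts_to_inspect` lists the local addresses that received non-SYN replies from two or more IRC servers; those are the machines to check for client software, while `syn_probe_sources` isolates the genuine inbound connection attempts.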