[Dshield] RE: Log ID and Template question...
Johannes B. Ullrich
jullrich at euclidian.com
Mon Jul 23 23:15:15 GMT 2001
Actually, these look like replies from an IRC server. The IPs resolve to
DALNet IRC servers. There are two likely explanations for this:
- A user of your network trying to connect to DALNet (assuming that this
log comes from a firewall/gateway).
- Someone DOS'ing DALNet and using your IP to do it...
(very common these days. Usually EfNet is the target of choice. But maybe
this got boring by now).
On Mon, 23 Jul 2001, Ryan J Betz wrote:
> It looks like people are trying to connect to your machine thinking it's an
> IRC server. I suppose if you have a dynamic IP address, and the previous
> owner was running an IRC server on his machine at the time, you could be
> getting leftovers. Another possibility is someone has compromised your
> machine and installed an IRC daemon and told all their friends, but I think
> this is less likely, and hope for your sake this isn't the case. Best bet
> to make sure that didn't happen is to use nmap and scan yourself to see if
> anything is open that's not supposed to be. Hope this helps!
> Does anyone recognize what these ip's are trying to do w/ my server?
> Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 126.96.36.199:6667 188.8.131.52:62539 L=40 S=0x00 I=19378 F=0x4000 T=54
> Jul 22 09:27:35 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 184.108.40.206:6667 220.127.116.11:62711 L=40 S=0x00 I=19059 F=0x4000 T=37
> Jul 22 09:12:33 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 18.104.22.168:6667 22.214.171.124:62623 L=40 S=0x00 I=22974 F=0x4000 T=43
> Jul 22 09:21:51 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 126.96.36.199:6667 188.8.131.52:62640 L=44 S=0x00 I=65459 F=0x4000 T=43
> Jul 22 09:03:13 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 184.108.40.206:6667 220.127.116.11:62537 L=40 S=0x00 I=20764 F=0x4000 T=48
> Jul 22 09:37:25 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
> 18.104.22.168:6667 22.214.171.124:62726 L=48 S=0x00 I=0 F=0x4000 T=45
> I'm not involved w/IRC clients or servers so don't know what's causing this.
> I'm getting fed up w/ the dozen or so IP's that continue this barrage....
> Does anyone know of any abuse templates I could tweak to forward
> to the RP's involved?
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
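Added example, not part of the original messages: a small parser for the ipchains "Packet log:" lines quoted in this thread that applies the port-direction reasoning from the reply above (TCP source port 6667 to a high destination port is a reply from an IRC server; destination port 6667 is a connection attempt to the local host). The verdict labels, the 1024 threshold and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Fields as they appear in the quoted ipchains lines; \s+ lets a record
# match even when the mailer wrapped it onto two lines.
LOG_RE = re.compile(
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)"
)
IRC_PORT = 6667
EPHEMERAL_MIN = 1024  # assumption: ports at or above this are client-side

def verdict(proto, sport, dport):
    """Classify one packet by protocol number and port direction."""
    if proto != 6:  # only TCP (PROTO=6) is considered here
        return "other"
    if sport == IRC_PORT and dport >= EPHEMERAL_MIN:
        return "reply-from-irc-server"
    if dport == IRC_PORT:
        return "connect-to-local-irc"
    return "other"

def summarize(text):
    """Return a Counter keyed by (source address, verdict)."""
    # Drop e-mail quote markers so pasted list traffic parses too.
    text = re.sub(r"^[ \t]*(?:>[ \t]?)+", "", text, flags=re.M)
    counts = Counter()
    for m in LOG_RE.finditer(text):
        v = verdict(int(m["proto"]), int(m["sport"]), int(m["dport"]))
        counts[(m["src"], v)] += 1
    return counts

# Constructed sample lines (not the poster's log), wrapped as in the mail.
SAMPLE = """\
> Jul 22 09:04:44 gw kernel: Packet log: input REJECT eth0 PROTO=6
> 192.0.2.10:6667 198.51.100.5:62539 L=40 S=0x00 I=19378 F=0x4000 T=54
> Jul 22 09:12:33 gw kernel: Packet log: input REJECT eth0 PROTO=6
> 192.0.2.10:6667 198.51.100.5:62623 L=40 S=0x00 I=22974 F=0x4000 T=43
> Jul 22 09:30:02 gw kernel: Packet log: input REJECT eth0 PROTO=6
> 203.0.113.7:40112 198.51.100.5:6667 L=60 S=0x00 I=4411 F=0x4000 T=50
> Jul 22 09:31:10 gw kernel: Packet log: input REJECT eth0 PROTO=17
> 203.0.113.9:53 198.51.100.5:1030 L=90 S=0x00 I=77 F=0x0000 T=60
"""

if __name__ == "__main__":
    for (src, v), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {v:24} {n}")
```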