Re: UPDATE: more SSH hacking

On Tue, 2004-08-10 at 04:54, Brian Fahrlander wrote:
>     I was just noticing, while trying to reload a machine with FC1 (long
> story- don't ask) I was watching the log and noticed something I noticed
> earlier:
> 
> Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> 
> <slight delay here and then:>
> Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
> 
> 
>     I'm no firewall-guru, but this having happened more than once, I get
> the feeling our new SSH-hacking friend might be trying to get around the
> firewall.
> 
>     Does anyone else concur?

Double check your system and make sure port 1025 is closed or disabled.
That appears to be the port they are trying to hit. What I find
interesting is the MAC address info. It appears to be an IPV6 MAC
address, not an IPV4 (too many octets). If you don't need IPV6 you may
want to disable that as well.

A quick google on port 1025 had it listed in one place as network
blackjack. Not sure how accurate that is. But most likely this is just
someone scanning various ports for something open or for a specific
exploit on a service that uses port 1025.

-- 
Scot L. Harris <webid@xxxxxxxxxx>
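The lines quoted in the thread are in the iptables LOG target format, which is easier to reason about once it is parsed than when read by eye. The Python below is an added example, not code from either poster: it splits such lines into their KEY=value fields, decodes the MAC= field (the LOG target writes the raw 14-byte Ethernet header there: destination MAC, source MAC, then the two-byte EtherType, with 08:00 meaning IPv4), counts bare SYNs per source and destination port so repeated probes like the two to port 1025 stand out, and recognises the kernel's "martian" routing messages. The sample input is a constructed copy of the thread's lines; the `firewall:` log prefix and the reporting threshold are assumptions to adjust for your own rules.

```python
import re
from collections import Counter

# Constructed sample input, copied from the lines quoted in the thread above.
SAMPLE_LOG = """\
Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
"""

# "firewall: " is the --log-prefix the poster's rules appear to use (assumption).
LOG_PREFIX = "kernel: firewall: "
KV_RE = re.compile(r"(\w+)=(\S*)")
# Bare tokens the LOG target emits for IP and TCP flags.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
MARTIAN_RE = re.compile(r"martian (source|destination) (\S+) from (\S+), (?:on )?dev (\S+)")


def parse_iptables_log(line):
    """Split one LOG-target line into a dict of KEY=value fields plus a 'flags' set.
    Returns None for lines that do not carry the firewall prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(KV_RE.findall(body))
    fields["flags"] = set(body.split()) & FLAG_TOKENS
    fields["timestamp"] = line[:15]  # syslog "Mon DD HH:MM:SS"
    return fields


def decode_mac(mac_field):
    """Decode the MAC= field: the LOG target prints the raw 14-byte Ethernet header,
    i.e. destination MAC (6), source MAC (6) and EtherType (2), colon separated."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    dst_mac = ":".join(octets[0:6])
    src_mac = ":".join(octets[6:12])
    ethertype = int(octets[12] + octets[13], 16)
    return dst_mac, src_mac, ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")


def parse_martian(line):
    """Recognise the kernel's 'martian source/destination' routing message."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    kind, addr, src, dev = m.groups()
    return {"kind": kind, "address": addr, "from": src, "dev": dev}


def count_syn_probes(log_text):
    """Count bare SYNs (SYN without ACK) per (source IP, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_iptables_log(line)
        if f is None or f.get("PROTO") != "TCP":
            continue
        if "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue
        counts[(f["SRC"], int(f["DPT"]))] += 1
    return counts


def repeated_probes(log_text, threshold=2):
    """Return (src, dport, count) for pairs seen at least `threshold` times.
    The default threshold is an assumption; tune it to your traffic."""
    return sorted((src, dport, n)
                  for (src, dport), n in count_syn_probes(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for src, dport, n in repeated_probes(SAMPLE_LOG):
        print(f"{src} sent {n} SYNs to port {dport}")
    first = parse_iptables_log(SAMPLE_LOG.splitlines()[0])
    print("MAC field decodes to dst/src/type:", decode_mac(first["MAC"]))
    for line in SAMPLE_LOG.splitlines():
        m = parse_martian(line)
        if m:
            print("martian:", m)
```

Run against a real `/var/log/messages` by reading the file into `repeated_probes`; the SYN-only filter keeps replies to your own outbound connections out of the count, and the martian parser keeps the routing messages, which carry no port information, separate from the firewall hits.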


