Re: UPDATE: more SSH hacking


 



Brian Fahrlander wrote:

    I was just noticing, while trying to reload a machine with FC1 (long
story- don't ask) I was watching the log and noticed something I noticed
earlier:

Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0

<slight delay here and then:>
Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1


I'm no firewall-guru, but this having happened more than once, I get the feeling our new SSH-hacking friend might be trying to get around the firewall.

Does anyone else concur?

No, I think this is a separate event. The IP addresses don't match.


--

-John (john@xxxxxxxxxxx)
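
The source-address comparison used in the reply above, as an added example that is not part of the original thread: a Python script that parses the three quoted kernel log lines, groups them by source address, and flags packets repeated on the same source/destination port pair (the two SYNs share SPT=4262, which is consistent with one connection attempt being retransmitted). The function and variable names are illustrative assumptions.

```python
import re
from collections import defaultdict

# The three log lines quoted in the message above, copied verbatim.
SAMPLE_LOG = """\
Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
"""

KV = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs written by the netfilter LOG target
MARTIAN = re.compile(r"martian (source|destination) (\S+) from (\S+), dev (\S+)")

def parse_line(line):
    """Return a dict describing one kernel log line, or None if unrecognised."""
    m = MARTIAN.search(line)
    if m:
        return {"kind": "martian", "src": m.group(3), "dst": m.group(2), "dev": m.group(4)}
    if " SRC=" in line and " DST=" in line:
        f = dict(KV.findall(line))
        return {"kind": "netfilter", "src": f["SRC"], "dst": f["DST"],
                "flow": (f["SRC"], f.get("SPT"), f["DST"], f.get("DPT")),
                "ip_id": f.get("ID")}
    return None

def correlate(text):
    """Group events by source address and flag repeated packets on one flow."""
    by_src, flows = defaultdict(set), defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        by_src[ev["src"]].add(ev["kind"])
        if ev["kind"] == "netfilter":
            flows[ev["flow"]].append(ev["ip_id"])
    # A source seen in both event kinds would link the firewall hits to the martian.
    shared = sorted(s for s, kinds in by_src.items() if len(kinds) > 1)
    # Same 4-tuple with different IP IDs: the same connection attempt sent again.
    retries = {flow: ids for flow, ids in flows.items() if len(ids) > 1}
    return {"sources": sorted(by_src), "shared_sources": shared, "retries": retries}

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```
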


