Unsure of log report entry

Brian Densmore DensmoreB at ctbsonline.com
Tue Oct 12 11:02:12 CDT 2004


Like I was saying, it's hard to say if he's been hacked
from this one message. Obviously he has been hit with a
scan, either automated or manual, to determine whether
there is a weakness in his system or not. I suspect a deeper
look in the log files might dig up more information. It
could just have been a harmless scan that someone did to see
what happens when you scan someone. Or it could be more sinister.


> -----Original Message-----
> From: Dustin Decker
> 
> 
> > -----Original Message-----
> > From: kclug-bounces at kclug.org 
> > 
> > I've got a box running RH9.0 and in the Logwatch report last night, I
> > got the following entry;
> > 
> > --------------------- Kernel Begin ------------------------
> > 
> > 
> > 8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
> > 
> > ---------------------- Kernel End -------------------------
> > 
> > Unfortunately, this is NOT my IP address!!! Is this telling me what I
> > think it is, the box has been compromised????
> 
> What it indicates is that 65.70.45.21 tried eight times to make use of
> source routing.  The short answer on source routing is that it's a feature
> of TCP/IP whereby you can direct the path a packet will follow.  This could
> allow an attacker to cause traffic to pass through a host they have control
> of, to view its contents, etc.  You can read up on this more in TCP/IP
> Illustrated, Volume I by the late W. Richard Stevens - aka The TCP/IP Bible.
> 
> Here's an interesting bit - do a whois on the host in question:
> 65.70.45.21
> 
> This turns out to be an SBC customer, most likely DSL.  This is registered
> to a client named Gould Family Practice.  I see from your signature below
> you're in medicine - is this where you work, or a competitor?
> 
> The good news is, the source routing attempt failed.  This doesn't indicate
> you have been hacked, but this type of traffic certainly isn't normal.
> Someone is rattling the fence.
> Dustin
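
For anyone who wants to see what the source-routing option Dustin describes actually looks like on the wire, here is an added example (not code from the thread or from any of its participants). It builds a constructed IPv4 header carrying a Loose Source and Record Route (LSRR) option, decodes the hop list back out of it, models the effect of the Linux sysctl net.ipv4.conf.*.accept_source_route = 0 in a deliberately simplified should_accept() (an assumption, not kernel code), and parses the Logwatch "Kernel" line quoted above. All addresses are constructed from the RFC 5737 documentation ranges except the one from the log line, and the header checksum is left zero because nothing here transmits the packet.

```python
"""Decode and police IPv4 source-route options (LSRR, type 131; SSRR, type 137).

Added example for the thread above, not code from any of its participants.
Addresses are constructed (RFC 5737 documentation ranges); the header
checksum is left zero because nothing here sends the packet.
"""
import ipaddress
import re
import struct

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no-op padding
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def parse_ipv4_options(header: bytes):
    """Return [(type, data)] for every option in the IPv4 header's options area."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts = header[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def source_route(header: bytes):
    """Return ("LSRR"|"SSRR", pointer, [hop, ...]) if the header is source routed, else None."""
    for kind, data in parse_ipv4_options(header):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            pointer = data[0]          # offset of the next hop, counted from the option type byte
            route = data[1:]
            if len(route) % 4:
                raise ValueError("route data is not a whole number of IPv4 addresses")
            hops = [str(ipaddress.IPv4Address(route[j:j + 4])) for j in range(0, len(route), 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", pointer, hops)
    return None


def should_accept(header: bytes, accept_source_route: bool = False) -> bool:
    """Simplified model (an assumption, not kernel code) of Linux's
    net.ipv4.conf.*.accept_source_route: with it at 0, source-routed packets are dropped."""
    return source_route(header) is None or accept_source_route


def build_lsrr_header(src: str, dst: str, hops) -> bytes:
    """Construct a minimal IPv4 header carrying an LSRR option through `hops`."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    option = bytes([IPOPT_LSRR, 3 + len(route), 4]) + route   # pointer starts at 4
    option += b"\x00" * ((-len(option)) % 4)                   # pad to a 32-bit boundary
    ihl = 5 + len(option) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + option


LOGWATCH_RE = re.compile(
    r"^\s*(\d+) Time\(s\):\s+ICMP:\s+(\d{1,3}(?:\.\d{1,3}){3}):\s+Source Route Failed\.")


def parse_logwatch_line(line: str):
    """Pull (count, address) out of a Logwatch 'Kernel' line shaped like the one in the thread."""
    m = LOGWATCH_RE.match(line)
    return (int(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    pkt = build_lsrr_header("192.0.2.10", "198.51.100.20", ["192.0.2.1", "198.51.100.7"])
    print(source_route(pkt))       # ('LSRR', 4, ['192.0.2.1', '198.51.100.7'])
    print(should_accept(pkt))      # False: accept_source_route=0 drops it
    print(parse_logwatch_line("8 Time(s): ICMP: 65.70.45.21: Source Route Failed."))
```

On a Linux host, `sysctl net.ipv4.conf.all.accept_source_route` shows whether the kernel honours these options at all; 0 (the host default) is the setting you want, since the kernel then drops source-routed packets no matter who sends them, which is the check worth making after seeing a report like the one above.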


