Unsure of log report entry
Brian Densmore
DensmoreB at ctbsonline.com
Tue Oct 12 11:02:12 CDT 2004
Like I was saying, it's hard to say if he's been hacked
from this one message. Obviously he has been hit with a
scan, either automated or manual, to determine if
there is a weakness in his system or not. I suspect a deeper
look in the log files might dig up more information. It
could just have been a harmless scan that someone did to see
what happens when you scan someone. Or it could be more sinister.
> -----Original Message-----
> From: Dustin Decker
>
>
> > -----Original Message-----
> > From: kclug-bounces at kclug.org
> >
> > I've got a box running RH9.0 and in the Logwatch report last night, I
> > got the following entry;
> >
> > --------------------- Kernel Begin ------------------------
> >
> >
> > 8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
> >
> > ---------------------- Kernel End -------------------------
> >
> > Unfortunately, this is NOT my IP address!!! Is this telling me what I
> > think it is, the box has been compromised????
>
> What it indicates is that 65.70.45.21 tried eight times to make use of
> source routing. The short answer on source routing is that it's a feature
> of TCP/IP whereby you can direct the path a packet will follow. This could
> allow an attacker to cause traffic to pass through a host they have control
> of, to view its contents, etc. You can read up on this more in TCP/IP
> Illustrated, Volume I by the late W. Richard Stevens - aka The TCP/IP Bible.
>
> Here's an interesting bit - do a whois on the host in question:
> 65.70.45.21
>
> This turns out to be an SBC customer, most likely DSL. This is registered
> to a client named Gould Family Practice. I see from your signature below
> you're in medicine - is this where you work, or a competitor?
>
> The good news is, the source routing attempt failed. This doesn't indicate
> you have been hacked, but this type of traffic certainly isn't normal.
> Someone is rattling the fence.
>
> Dustin
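An added defender-side example, not part of the original thread: a small Python script that tallies the kernel's "Source Route Failed" entries per remote address from Logwatch or raw syslog lines (the "deeper look in the log files" suggested above), and checks a sysctl snapshot for the Linux settings that reject source-routed packets. The first sample line is the entry from the report; the other sample lines and the sysctl snapshot are constructed.

```python
import re
from collections import Counter

# The kernel's "ICMP: <addr>: Source Route Failed" message appears either
# tallied in Logwatch's Kernel section ("8 Time(s): ...") or as a raw syslog
# line ("... kernel: ICMP: ..."). One pattern accepts both forms.
SRF_RE = re.compile(
    r"^(?:\s*(?P<count>\d+) Time\(s\):\s*)?"          # optional Logwatch tally
    r"(?:.*kernel:\s*)?"                              # optional syslog prefix
    r"ICMP:\s*(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):\s*Source Route Failed\.?\s*$"
)

# Constructed sample: the first line is the entry from the report above; the
# raw syslog lines use a documentation address (192.0.2.7) and are made up.
SAMPLE_LINES = [
    "8 Time(s): ICMP: 65.70.45.21: Source Route Failed.",
    "Oct 11 23:14:02 box kernel: ICMP: 192.0.2.7: Source Route Failed.",
    "Oct 11 23:14:09 box kernel: ICMP: 192.0.2.7: Source Route Failed.",
    "Oct 11 23:15:00 box sshd[412]: Accepted publickey for alice from 192.0.2.9",
]

def count_source_route_failures(lines):
    """Map each remote address to its number of 'Source Route Failed' events."""
    totals = Counter()
    for line in lines:
        m = SRF_RE.match(line)
        if m:
            totals[m.group("addr")] += int(m.group("count") or 1)
    return totals

def noisy_sources(totals, threshold=5):
    """Addresses at or above the threshold: the ones worth a deeper look in the logs."""
    return sorted(addr for addr, n in totals.items() if n >= threshold)

# Linux sysctls governing acceptance of source-routed IPv4 packets (0 = reject).
SR_KEYS = (
    "net.ipv4.conf.all.accept_source_route",
    "net.ipv4.conf.default.accept_source_route",
)

def source_route_accepted(sysctl):
    """From a {key: value} snapshot of `sysctl -a` output, list keys not set to 0.
    A missing key is reported too, since the host has not been confirmed hardened."""
    return [k for k in SR_KEYS if sysctl.get(k, "").strip() != "0"]

if __name__ == "__main__":
    totals = count_source_route_failures(SAMPLE_LINES)
    for addr, n in totals.most_common():
        print(f"{addr:>15}  {n} source-route failure(s)")
    print("follow up on:", noisy_sources(totals))
    print("still accepting source routes:",
          source_route_accepted({"net.ipv4.conf.all.accept_source_route": "1"}))
```

On a live host, the snapshot can be built by splitting each line of `sysctl -a` output on " = ".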