RE: Snuffing out hackers

Hi there...

Just a thought:
If you are getting many of those packets, then it should be possible to
catch one of them with tcpdump to find out the sender's MAC address. This will
perhaps allow you to find the source, if it's really located on your
internal network.

Greets
Sebastian.


-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Daniel Chemko
Sent: Wednesday, July 16, 2003 10:22 PM
To: Aldo S. Lagana; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Snuffing out hackers


I am on Shaw, but none of these addresses are used for anything to do
with my network.

I am doing some pretty anal filtering, but then again, I may be missing
something pretty obvious. I have rp_filter at 2 and source routing
disabled.

PS: I am getting MANY of these packets. These packets are not getting
through to their targets, but if someone is persistent enough to keep
trying, I assume they must be able to do something malicious.

-----Original Message-----
From: Aldo S. Lagana [mailto:alagana@xxxxxxxxxxxx] 
Sent: Wednesday, July 16, 2003 12:32 PM
To: Daniel Chemko; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Snuffing out hackers

Both IP addresses are assigned to cable ISPs.

Name:    h24-87-243-251.vc.shawcable.net
Address:  24.87.243.251

Name:    d57-108-11.home.cgocable.net
Address:  24.57.108.11

Not sure if either of them is your ISP?  But I would contact both ISPs
with your log data if you really cared.  Are you running squid?  A
webserver?




From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Daniel Chemko
Sent: Wednesday, July 16, 2003 2:58 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx

I am getting some disturbing packet traffic hitting my firewall. Here
goes:

IN=eth4 OUT=eth5 SRC=24.87.243.251 DST=24.57.108.11 LEN=76 TOS=0x00 PREC=0xC0 TTL=254 ID=17431 PROTO=ICMP TYPE=3 CODE=3 [SRC=24.57.108.11 DST=24.87.243.251 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=15860 DF PROTO=TCP SPT=3161 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 ]

None of the addresses listed in the packets are from my networks, but
what is more disturbing is that eth4 is my internal network interface.
Can anyone see (barring an internal intrusion has occurred) how this can
happen?

It definitely appears to be an exploit on my configuration or something.
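The log line Daniel quotes is a netfilter LOG entry for a forwarded ICMP type 3 code 3 (port unreachable) packet: the outer fields describe the ICMP packet that arrived on eth4, and the bracketed part is the header of the original TCP SYN that the ICMP message quotes back. The added example below (not code from the thread or from the netfilter project) parses such a line, checks whether the outer source address belongs to an internal prefix (the prefixes behind eth4 are not given in the thread, so the two RFC 1918 ranges used here are an assumption), sanity-checks that the quoted packet is the mirror image of the outer addresses as a genuine port-unreachable would be, and builds the capture filter Sebastian suggests, with `-e` so tcpdump prints the Ethernet source MAC of whichever internal host is emitting the packets.

```python
import ipaddress
import re

# Constructed sample: the LOG line quoted in the thread, joined back onto
# one line (TTL=254, SPT=3161 were split by the mail wrap).
SAMPLE_LOG = (
    "IN=eth4 OUT=eth5 SRC=24.87.243.251 DST=24.57.108.11 LEN=76 TOS=0x00 "
    "PREC=0xC0 TTL=254 ID=17431 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=24.57.108.11 DST=24.87.243.251 LEN=48 TOS=0x00 PREC=0x00 TTL=117 "
    "ID=15860 DF PROTO=TCP SPT=3161 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 ]"
)

# Assumption: the prefixes that legitimately live behind eth4. The thread
# never states them, so these are placeholders to be replaced with your own.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

KV_RE = re.compile(r"([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Split a netfilter LOG line into the outer packet fields and, for ICMP
    error messages, the quoted inner packet that netfilter prints in [...]."""
    outer_text, inner_text = line, ""
    m = re.search(r"\[(.*)\]", line)
    if m:
        inner_text = m.group(1)
        outer_text = line[: m.start()]

    def fields(text):
        d = dict(KV_RE.findall(text))
        # Bare tokens such as DF and SYN carry no '='; keep them as flags.
        d["FLAGS"] = [tok for tok in text.split() if "=" not in tok]
        return d

    return {
        "outer": fields(outer_text),
        "inner": fields(inner_text) if inner_text else None,
    }


def is_internal(addr):
    """True if addr falls inside one of the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def assess(line):
    """Return a list of human-readable findings about one LOG line."""
    rec = parse_log_line(line)
    o, i = rec["outer"], rec["inner"]
    findings = []
    # A packet entering on an internal interface with a non-internal source
    # is either spoofed or came from an unexpected host on that segment.
    if o.get("IN") and not is_internal(o["SRC"]):
        findings.append(
            f"source {o['SRC']} entered via {o['IN']} but is not an internal prefix"
        )
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and i:
        findings.append(
            f"ICMP unreachable (code {o.get('CODE')}) quoting {i.get('PROTO')} "
            f"{i['SRC']}:{i.get('SPT')} -> {i['DST']}:{i.get('DPT')}"
        )
        # A real port-unreachable quotes the packet it answers, so the
        # quoted src/dst must be the outer dst/src swapped.
        if i["SRC"] != o["DST"] or i["DST"] != o["SRC"]:
            findings.append("quoted packet does not mirror the outer addresses")
    return findings


def tcpdump_filter(line):
    """Build the capture command Sebastian suggests: catch the next packet of
    this kind on the ingress interface, with -e so the source MAC is shown."""
    o = parse_log_line(line)["outer"]
    parts = [f"src host {o['SRC']}", f"dst host {o['DST']}"]
    if o.get("PROTO") == "ICMP":
        parts.append("icmp")
        if "TYPE" in o:
            parts.append(f"icmp[0] == {o['TYPE']}")  # icmp[0] is the type byte
        if "CODE" in o:
            parts.append(f"icmp[1] == {o['CODE']}")  # icmp[1] is the code byte
    return f"tcpdump -e -n -i {o['IN']} '{' and '.join(parts)}'"


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print("-", finding)
    print(tcpdump_filter(SAMPLE_LOG))
```

Run against the sample, `assess` reports that 24.87.243.251 arrived on eth4 without being an internal address and that the ICMP message quotes a TCP SYN from 24.57.108.11:3161 to 24.87.243.251:80; the quoted addresses do mirror the outer ones, so the packet is shaped like a legitimate port-unreachable that simply should not have appeared on the inside interface. The MAC address that `tcpdump -e` prints for the next such packet identifies the internal host (or the router port) that actually put it on the wire.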


