Date: Fri, 29 Jun 2001 11:16:52 -0500 From: George.Giles@mcmail.vanderbilt.edu To: Peter Pentchev <roam@orbitel.bg> Cc: freebsd-security@freebsd.org Subject: Re: What is ipfw telling me ? Message-ID: <OF643DAAFD.B532A7E3-ON86256A7A.00591863@MC.VANDERBILT.EDU>
next in thread | raw e-mail | index | archive | help
I do not agree. Here's why:
the ipfw is on 10.0.0.2 and does not have a web server.
10.0.0.1 does.
I see a lot of these style attacks, various ports, various services used on
10.0.0.1, always proxying to another machine. That is ipfw is on 10.0.0.2
and the signature of the log is:
attacker:port 10.0.0.1:port
It makes me think that somehow a proxy attack is going on.
The 10.x.x.x are not the actual addresses obviously.
George
Peter
Pentchev To: George.Giles@mcmail.vanderbilt.edu
<roam@orbitel cc: freebsd-security@freebsd.org
.bg> Subject: Re: What is ipfw telling me ?
06/29/2001
10:04 AM
On Fri, Jun 29, 2001 at 09:49:54AM -0500,
George.Giles@mcmail.vanderbilt.edu wrote:
> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on
the
> other machine ?
>
> ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection
attempt is from port 21602 (ephemeral, unique to this connection in
a certain timeframe) to port 80 on 10.0.0.1. That is, someone from
216.239.46.20 is trying to browse the web on 10.0.0.1.
G'luck,
Peter
--
This sentence claims to be an Epimenides paradox, but it is lying.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OF643DAAFD.B532A7E3-ON86256A7A.00591863>