Feb 15 09:16:39 localhost kernel: IN=eth0 OUT= MAC=00:03:47:f1:52:0d:00:18:01:b6:c1:4d:08:00 SRC=121.242.15.135 DST=192.168.x.x LEN=72 TOS=0x00 PREC=0x00 TTL=45 ID=32394 DF PROTO=TCP SPT=52764 DPT=22 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
What kind of fun is that!
 
 
 
20 comments:
Ok...it's been a while, but it looks like a Linux box in India is trying to hit your box using SSH...am I close?
Correct, that's part of it. But not the most interesting part.
Lol. I like the flag combo. ack psh fin urg. It's got a nice rhythm to it. Could almost be a Salt n Peppa song.
No urg flag. But otherwise correct.
Ok...it's been a while, but it looks like a Linux box in India is trying to hit your box using SSH...am I close?
Correct, that's part of it. But not the most interesting part.
Lol. I like the flag combo. ack psh fin urg. It's got a nice rhythm to it. Could almost be a Salt n Peppa song.
No urg flag. But otherwise correct.
Your SSH service (running in a box with an Intel card) received a TCP session-close packet (FIN) from the client, through your Actiontec DSL modem that, I guess, can serve as a gateway for certain services.
I'm right? ;-)
Close. You were right on the actiontec part.
Your SSH service (running in a box with an Intel card) received a TCP session-close packet (FIN) from the client, through your Actiontec DSL modem that, I guess, can serve as a gateway for certain services.
I'm right? ;-)
Close. You were right on the actiontec part.
Close. You were right on the actiontec part.
Why is the dst a private IP and how did that packet get routed to you?
Because the DST is a private IP behind my firewall.
Why is the dst a private IP and how did that packet get routed to you?
Because the DST is a private IP behind my firewall.
Because the DST is a private IP behind my firewall.
I would think a couple of things could be happening here.
1) State table confusion in relation to actual connections
2) Port scan in progress using an uncommon flag config.
Oh thank the world for *STATEFUL* firewalls. :-)
Without supporting information I'm left with assumption and guesswork, take a look at snort.org :)
I would think a couple of things could be happening here.
1) State table confusion in relation to actual connections
2) Port scan in progress using an uncommon flag config.
Oh thank the world for *STATEFUL* firewalls. :-)
Without supporting information I'm left with assumption and guesswork, take a look at snort.org :)
Post a Comment