UPDATE: more SSH hacking

Scot L. Harris webid at cfl.rr.com
Tue Aug 10 13:00:51 UTC 2004


On Tue, 2004-08-10 at 04:54, Brian Fahrlander wrote:
>     I was just noticing, while trying to reload a machine with FC1 (long
> story- don't ask) I was watching the log and noticed something I noticed
> earlier:
> 
> Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
> 
> <slight delay here and then:>
> Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
> 
> 
>     I'm no firewall-guru, but this having happened more than once, I get
> the feeling our new SSH-hacking friend might be trying to get around the
> firewall.
> 
>     Does anyone else concur?

Double check your system and make sure port 1025 is closed or disabled.
That appears to be the port they are trying to hit.  What I find
interesting is the MAC address info.  It appears to be an IPV6 MAC
address, not an IPV4 (too many octets).  If you don't need IPV6 you may
want to disable that as well.

A quick google on port 1025 had it listed in one place as network
blackjack.  Not sure how accurate that is.  But most likely this is just
someone scanning various ports for something open or for a specific
exploit on a service that uses port 1025.

-- 
Scot L. Harris <webid at cfl.rr.com>
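As an added example (not from the thread), a small parser for netfilter LOG lines like the ones quoted above: it splits the 14-octet MAC= field into destination MAC, source MAC and EtherType (08:00 marks an IPv4 frame; an IPv6 frame would carry 86:dd), and tallies repeated SYNs per source address and destination port, the pattern that points at a port scan. The sample log is the three lines quoted in the post, embedded inline; the "martian destination" line is a routing message rather than firewall output and is skipped.

```python
import re
from collections import Counter

# Sample input: the three kernel log lines quoted in the thread, embedded here
# so the example runs offline.
SAMPLE_LOG = """\
Aug 10 03:45:24 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=18935 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:30 evv kernel: firewall: IN=eth1 OUT= MAC=00:00:c0:d9:5b:98:00:01:30:08:dc:00:08:00 SRC=221.15.178.84 DST=63.69.210.36 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=20211 DF PROTO=TCP SPT=4262 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 10 03:45:45 evv kernel: martian destination 0.0.0.0 from 65.218.63.155, dev eth1
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens (OUT= has an empty value)
TCP_FLAGS = ("DF", "SYN", "ACK", "RST", "FIN")  # bare tokens without '='
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line, or None for other kernel messages."""
    if "IN=" not in line:
        return None                              # e.g. the "martian destination" routing message
    fields = dict(FIELD_RE.findall(line))
    padded = f" {line} "
    for flag in TCP_FLAGS:                       # record bare flags as booleans
        fields[flag] = f" {flag} " in padded
    return fields


def decode_mac_field(mac):
    """Split the 14-octet MAC= field into (dst_mac, src_mac, ethertype_int)."""
    octets = mac.split(":")
    if len(octets) != 14:                        # not a plain Ethernet header; leave undecoded
        return None
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = int("".join(octets[12:14]), 16)
    return dst, src, ethertype


def syn_summary(log_text, threshold=2):
    """Count initial SYNs (SYN set, ACK clear) per (SRC, DPT); return pairs at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP" and f["SYN"] and not f["ACK"]:
            counts[(f["SRC"], f["DPT"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    dst, src, etype = decode_mac_field(first["MAC"])
    print(f"dst={dst} src={src} ethertype={etype:#06x} ({ETHERTYPES.get(etype, 'unknown')})")
    print("repeated SYNs:", syn_summary(SAMPLE_LOG))
```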
