Firewall-Question: How is this working?

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Tue Aug 10 14:00:00 UTC 2004


On Tue, 10 Aug 2004, at 15:34, Thomas Bitschnau wrote:

> I use "firestarter" to configure my firewall. I am not an expert in
> Linux networking, so my question might be a bit "low-level".
> If I take a look at my hit list, there are some port scans and stuff, but
> I don't understand this entry:
> 
> Time: Aug 10 15:14:00 Source: 192.168.0.2 Destination: 200.55.90.253 In
> IF:  Out IF: eth0 Port: 1234 Length: 44 ToS: 0x00 Protocol: tcp Service:
> subseven

http://logi.cc/linux/netfilter-log-format.php3

explains the entries of unmodified netfilter log entries. It seems
firestarter changes the logging a bit.

> Isn't SubSeven a trojan tool?

Yes, it is. The above line tells you: the host with IP 192.168.0.2
connected to the host with IP 200.55.90.253 on port 1234, going through
interface eth0. I guess you did not copy & paste but mistyped the log line
a bit. The port should be 1243, which is a well-known port for the
SubSeven trojan. I guess Firestarter has a list of these ports (it is
not stored in /etc/services). See

http://www.glocksoft.com/trojan_list/SubSeven.htm

> And the most disturbing thing is, that the source (i.e. "192.168.0.2")
> is my local ip-address in our home-network.

I hope you have an anti-virus scanner on the host with IP 192.168.0.2
(guessing it is a Windows[tm] machine).

> How is this possible and is my machine really sending portscans or what
> else does this hit tell me?

Connecting to a port on a foreign host does not necessarily mean port
scanning. Check the host under your control. If you don't have
permission, then block those connections you don't want to allow.

By the way, the named port on the foreign host is open and shows:

1234/tcp open  hotline?

You may have software on host 192.168.0.2 which is "telephoning home".

> Thomas B.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.7-1.494.2.2smp 
Serendipity 15:46:44 up 6 days, 9:14, load average: 0.11, 0.09, 0.05 
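The reading of the log line above (which end originated the connection, and what the logged port means) as an added worked example; this is not code from the thread or from Firestarter. The script parses hit-list lines in the format Thomas quoted, decides from the interface fields and addresses which side sent the packet, looks the destination port up in a small constructed table of trojan ports (1243 for SubSeven, as Alexander says), and prints the iptables rule that would drop the flow. The sample lines, the trojan table and the 192.168.0.0/24 LAN range are assumptions made for the example. One caveat a netfilter reader would add: in raw netfilter LOG output an empty IN= together with a set OUT= marks a packet generated on the firewall host itself (OUTPUT chain), while a packet forwarded for another LAN host has both set; if Firestarter copies those fields straight into In IF / Out IF, the quoted line points at the Firestarter machine rather than at a separate box, and the script reports that distinction.

```python
import ipaddress
import re

# Constructed sample hit-list entries in the Firestarter format quoted in the
# thread.  The first is Thomas's line with the port corrected to 1243 as the
# reply suggests; the other two are made up for contrast: an inbound probe for
# the same port, and an ordinary outbound web connection.
SAMPLE_HITS = [
    "Time: Aug 10 15:14:00 Source: 192.168.0.2 Destination: 200.55.90.253 "
    "In IF:  Out IF: eth0 Port: 1243 Length: 44 ToS: 0x00 Protocol: tcp Service: subseven",
    "Time: Aug 10 15:20:11 Source: 61.8.9.10 Destination: 192.168.0.1 "
    "In IF: eth0 Out IF:  Port: 1243 Length: 48 ToS: 0x00 Protocol: tcp Service: subseven",
    "Time: Aug 10 15:21:30 Source: 192.168.0.2 Destination: 200.55.90.253 "
    "In IF:  Out IF: eth0 Port: 80 Length: 44 ToS: 0x00 Protocol: tcp Service: http",
]

# Our own small table of well-known trojan listener ports (assumption: this is
# not Firestarter's list, which is also not /etc/services).
TROJAN_PORTS = {1243: "SubSeven", 27374: "SubSeven 2.x",
                12345: "NetBus", 31337: "Back Orifice"}

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed home-network range

FIELDS = ["Time", "Source", "Destination", "In IF", "Out IF",
          "Port", "Length", "ToS", "Protocol", "Service"]
_SPLIT = re.compile(r"\s*(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")


def parse_hit(line):
    """Turn one hit-list line into a dict keyed by the field names in FIELDS.

    Splitting at 'Key:' boundaries keeps multi-word values (the timestamp)
    and empty values (an unset 'In IF:') intact.
    """
    parts = _SPLIT.split(line.strip())          # ['', key, value, key, value, ...]
    hit = dict(zip(parts[1::2], parts[2::2]))
    hit["Port"] = int(hit["Port"])              # the logged port is the destination port
    hit["Length"] = int(hit["Length"])
    return hit


def assess(hit):
    """Say which side originated the packet and whether the port is suspicious.

    Returns (direction, explanation).  In netfilter terms an empty input
    interface with an output interface set is the OUTPUT chain, i.e. the
    firewall host's own traffic; both set means a packet forwarded for
    another host on the LAN.
    """
    src = ipaddress.ip_address(hit["Source"])
    dst = hit["Destination"]
    port = hit["Port"]
    trojan = TROJAN_PORTS.get(port)
    if src in LAN and hit["Out IF"]:
        origin = "the firewall host itself" if not hit["In IF"] else "a LAN host behind the firewall"
        if trojan:
            return ("outbound",
                    f"{src} ({origin}) connected out to {dst}:{port}, the {trojan} port: "
                    f"inspect {src}; this is not someone scanning you")
        return ("outbound", f"ordinary outbound {hit['Service']} from {src}")
    if trojan:
        return ("inbound",
                f"{src} probed {dst}:{port} for {trojan}: background noise, already logged")
    return ("inbound", f"inbound {hit['Service']} attempt from {src}")


def block_rule(hit):
    """The iptables rule that would drop this flow, chain chosen from the
    interface fields (OUTPUT for the firewall's own traffic, FORWARD for a LAN
    host's).  Caveat: Firestarter regenerates its rule set from its own policy,
    so a rule typed in by hand may not survive a restart; add it through
    Firestarter's policy instead."""
    chain = "FORWARD" if hit["In IF"] else "OUTPUT"
    return (f"iptables -I {chain} -s {hit['Source']} -d {hit['Destination']} "
            f"-p {hit['Protocol']} --dport {hit['Port']} -j DROP")


if __name__ == "__main__":
    for line in SAMPLE_HITS:
        hit = parse_hit(line)
        direction, why = assess(hit)
        print(f"[{direction}] {why}")
        if direction == "outbound" and hit["Port"] in TROJAN_PORTS:
            print("   to block:", block_rule(hit))
```

Run as-is it reports the first sample as an outbound connection from the firewall host to the SubSeven port (so the machine to inspect is the one running Firestarter), the second as an inbound probe for the same port, and the third as ordinary web traffic.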

