Unsure of log report entry

Dave Hull dphull at insipid.com
Tue Oct 12 08:39:20 CDT 2004


Quoting docv <consulting at vaitl.net>:

> I've got a box running RH9.0 and in the Logwatch report last night, I
> got the following entry;
>
> --------------------- Kernel Begin ------------------------
>
>
> 8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
>
>   ---------------------- Kernel End -------------------------
>
> Unfortunately, this is NOT my IP address!!! Is this telling me what I
> think it is, The box has been compromised????

I strongly doubt this means you've been compromised. ICMP packets can be source
routed, that is, the sender can specify the return route that should be taken
by the recipient. If I remember correctly, source routing is generally not
honored by Linux for reasons relating to security.

Looks like someone pinged you or sent you an ICMP message that specified a
source routing option. Your box did not honor that option and thus you have
this message in your logs.

Of course, I could be wrong. It's happened before.

All that said, you might think about upgrading from RH9 to something that's
currently supported by RH (i.e. Enterprise Linux or Fedora) so you are able to
keep it patched.

--
Dave Hull
http://insipid.com
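
Added example, not part of the original post: a shell script for following up on a log entry like the one quoted above. It tallies "Source Route Failed" kernel messages per reporting address and lists interfaces whose `accept_source_route` sysctl is not 0. The function names and the sample syslog lines are constructed for illustration; `/proc/sys/net/ipv4/conf/*/accept_source_route` is the standard Linux location of that setting.

```shell
#!/bin/sh
# Constructed sample input: syslog-style kernel lines. The first address is the
# one from the post; 192.0.2.10 is a documentation address.
sample_log() {
cat <<'EOF'
Oct 11 02:14:07 host kernel: ICMP: 65.70.45.21: Source Route Failed.
Oct 11 02:14:09 host kernel: ICMP: 65.70.45.21: Source Route Failed.
Oct 11 03:01:55 host kernel: eth0: link up
Oct 11 04:30:12 host kernel: ICMP: 192.0.2.10: Source Route Failed.
Oct 11 05:47:40 host kernel: ICMP: 65.70.45.21: Source Route Failed.
EOF
}

# Read log lines on stdin and print "count address", highest count first.
count_sr_failed() {
    sed -n 's/.*ICMP: \([0-9.]*\): Source Route Failed.*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr
}

# Print the name of every interface whose accept_source_route is not 0.
# $1 is the sysctl directory; it defaults to the live /proc tree so the
# function can also be pointed at a copy or a test fixture.
ifaces_accepting_source_route() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/accept_source_route; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

echo "Source Route Failed messages per address (sample data):"
sample_log | count_sr_failed
echo "Interfaces accepting source-routed packets on this host:"
ifaces_accepting_source_route
```

On a real system, feed the first function from the kernel log instead of the sample, for example `count_sr_failed < /var/log/messages`.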


