Unsure of log report entry

Dustin Decker dustin.decker at 1on1security.com
Tue Oct 12 10:27:59 CDT 2004


> -----Original Message-----
> From: kclug-bounces at kclug.org [mailto:kclug-bounces at kclug.org] On Behalf
> Of docv
> Sent: Tuesday, October 12, 2004 7:38 AM
> To: kclug at kclug.org
> Subject: Unsure of log report entry
> 
> I've got a box running RH9.0 and in the Logwatch report last night, I
> got the following entry;
> 
> --------------------- Kernel Begin ------------------------
> 
> 
> 8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
> 
>   ---------------------- Kernel End -------------------------
> 
> Unfortunately, this is NOT my IP address!!! Is this telling me what I
> think it is, that the box has been compromised????

What it indicates is that 65.70.45.21 tried eight times to make use of
source routing.  The short answer on source routing is that it's a feature
of TCP/IP whereby you can direct the path a packet will follow.  This could
allow an attacker to cause traffic to pass through a host they have control
of, to view its contents, etc.  You can read up on this more in TCP/IP
Illustrated, Volume I by the late W. Richard Stevens - aka The TCP/IP Bible.

Here's an interesting bit - do a whois on the host in question:
65.70.45.21

This turns out to be an SBC customer, most likely DSL.  This is registered
to a client named Gould Family Practice.  I see from your signature below
you're in medicine - is this where you work, or a competitor?

The good news is, the source routing attempt failed.  This doesn't indicate
you have been hacked, but this type of traffic certainly isn't normal.
Someone is rattling the fence.
Dustin
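As an added example (not part of the original thread), here is a small Python script that pulls these Logwatch entries out of a report, totals them per source address, and checks that the kernel's accept_source_route sysctls are 0 so source-routed packets are dropped. The report text and sysctl output in it are constructed; only the quoted log line comes from the thread.

```python
import re
from typing import Dict, List

# Matches the Logwatch "Kernel" summary line quoted in the thread, e.g.
#   8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
LOGWATCH_SR_RE = re.compile(
    r"^\s*(?P<count>\d+) Time\(s\): ICMP: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Source Route Failed\.?\s*$"
)


def parse_source_route_failures(report: str) -> Dict[str, int]:
    """Return {ip: total count} for every 'Source Route Failed' line in a report."""
    totals: Dict[str, int] = {}
    for line in report.splitlines():
        m = LOGWATCH_SR_RE.match(line)
        if m:
            totals[m.group("ip")] = totals.get(m.group("ip"), 0) + int(m.group("count"))
    return totals


def source_route_sysctl_issues(sysctl_output: str) -> List[str]:
    """Return the accept_source_route keys whose value is not 0 in 'sysctl -a' style
    output. 0 means the kernel refuses source-routed packets on that interface."""
    issues: List[str] = []
    for line in sysctl_output.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key.endswith(".accept_source_route") and value != "0":
            issues.append(key)
    return issues


# Constructed sample data for a stand-alone run.
SAMPLE_REPORT = """\
--------------------- Kernel Begin ------------------------

8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
3 Time(s): ICMP: 65.70.45.21: Source Route Failed.

 ---------------------- Kernel End -------------------------
"""
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    for ip, n in parse_source_route_failures(SAMPLE_REPORT).items():
        print(f"{ip}: {n} 'Source Route Failed' entries")
    for key in source_route_sysctl_issues(SAMPLE_SYSCTL):
        print(f"hardening gap: {key} is not 0")
```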