
Re: [suse-security] martian source messages



On Thursday 18 September 2003 at 10:23, Pep Serrano wrote:
> But is this the real cause of our martian logs?
>
> > On Sep 18, Roland Freeman <rolandfreeman@xxxxxxxxx> wrote:
> > > Pep, we have the same problem. My P-t-P router has a private ip address
> > > too. Everything works properly, except the martians log.
> >
> > A private IP address as gateway is not necessarily a problem. ISPs use
> > this to save IP addresses and it is in no way bad for anyone. As long as
> > they are not used in the route back to you, which isn't the case as you
> > stated.
>
> Last night I spent some time with ethereal tracking my traffic between the
> loopback and my ppp0. I could see there are some packets from localhost on
> port 80 to random ports of ppp0. This packet repeats about every minute. I
> closed almost all services, disabled routing, no applications... lsof
> didn't show any process using localhost:80, and yet the weird traffic was
> still there.
>
>
> Cheers
> Pep Serrano.

I did the same, and found the same results. All the packets are from port 80
to a high port on ppp0. Logs report "ll header: 45:00:00:28"
While receiving these packets (from localhost:80) I am not even surfing the
web, but they still arrive.
All tcp packets I have seen have the RST ACK flags set.

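A way to triage the log lines discussed in this thread, as an added example that is not part of the original messages: it pairs each "martian source" line with its "ll header" dump and decodes the dump. The sample log lines, host name and addresses are constructed, and reading the four bytes logged on a ppp device as the start of the IPv4 header is an assumption based on the value 45:00:00:28 quoted above.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in the kernel's martian-source log format;
# host name and addresses are made up for illustration.
SAMPLE_LOG = """\
Sep 18 10:01:12 gw kernel: martian source 192.0.2.10 from 127.0.0.1, on dev ppp0
Sep 18 10:01:12 gw kernel: ll header: 45:00:00:28
Sep 18 10:02:14 gw kernel: martian source 192.0.2.10 from 127.0.0.1, on dev ppp0
Sep 18 10:02:14 gw kernel: ll header: 45:00:00:28
Sep 18 10:05:40 gw kernel: martian source 192.0.2.10 from 10.1.2.3, on dev eth0
Sep 18 10:05:40 gw kernel: ll header: 00:11:22:33:44:55:66:77:88:99:aa:bb:08:00
"""

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ([0-9a-fA-F:]+)")

def decode_ll(hex_dump, dev):
    """Decode the dump as the first IPv4 header bytes (assumption: ppp devices only)."""
    raw = bytes.fromhex(hex_dump.replace(":", ""))
    if dev.startswith("ppp") and len(raw) >= 4 and raw[0] >> 4 == 4:
        ihl = (raw[0] & 0x0F) * 4                # IP header length in bytes
        total = int.from_bytes(raw[2:4], "big")  # IP total length field
        return {"ip_header_len": ihl, "total_len": total, "l4_len": total - ihl}
    return None  # e.g. Ethernet: the dump is a real link-layer header

def parse(log):
    """Return one record per martian event; the kernel logs destination first, then source."""
    events, pending = [], None
    for line in log.splitlines():
        m = MARTIAN.search(line)
        if m:
            dst, src, dev = m.groups()
            pending = {"dst": dst, "src": src, "dev": dev,
                       "src_loopback": ip_address(src).is_loopback, "ip": None}
            events.append(pending)
        elif pending and (m := LL_HEADER.search(line)):
            pending["ip"] = decode_ll(m.group(1), pending["dev"])
            pending = None
    return events

def loopback_bare_segments(events):
    """Loopback-sourced martians whose IP payload is 20 bytes (a TCP header with no data)."""
    return [e for e in events
            if e["src_loopback"] and e["ip"] and e["ip"]["l4_len"] == 20]

if __name__ == "__main__":
    for event in parse(SAMPLE_LOG):
        print(event)
```

Under that assumption, 45:00:00:28 decodes to a 20-byte IP header and a 40-byte packet, which leaves room for a TCP header and no payload, consistent with the data-less RST ACK segments reported above.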