[plug] attack from mars

Sol sol at autonomon.net
Fri Sep 12 11:49:30 WST 2003


Hi all,

I'm no networking guru, but checking through /var/log/messages this morning, it looks like I've just had an (attempted?) attack on my gateway. I partially understand what this means. I take it that a host called "martian" from 169.254.176.35 has had a shot at getting in via my ADSL modem (on eth1). Is this correct? Would like to know more about this for my own good. :-) 

<snip>
Sep 12 10:24:47 tesla kernel: martian source 169.254.255.255 from 169.254.176.35, on dev eth1
Sep 12 10:24:47 tesla kernel: ll header: ff:ff:ff:ff:ff:ff:00:c0:26:80:25:b5:08:00
Sep 12 10:24:47 tesla kernel: martian source 169.254.255.255 from 169.254.176.35, on dev eth1
Sep 12 10:24:47 tesla kernel: ll header: ff:ff:ff:ff:ff:ff:00:c0:26:80:25:b5:08:00
Sep 12 10:24:47 tesla kernel: martian source 169.254.255.255 from 169.254.176.35, on dev eth1
Sep 12 10:24:47 tesla kernel: ll header: ff:ff:ff:ff:ff:ff:00:c0:26:80:25:b5:08:00
</snip>

There is no message from the packet filter in the above. That kicked in a little later, but with requests from a different IP.

<snip>
Sep 12 10:40:29 tesla kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=66.98.78.13 DST=202.72.180.183 LEN=48 TOS=0x00 PREC=0xE0 TTL=109 ID=2284 DF PROTO=TCP SPT=4738 DPT=79 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (0204058C01010402)
</snip>

I don't really understand what is going on in the "martian" messages. Explanation appreciated...

ta; sol

-- 
==============================
Sol Hanna
solATautonomonDOTnet
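
The "martian" lines quoted in the message above can be decoded mechanically; the following is an added example, not part of the original post. It relies on two facts about the Linux kernel's output: the line format is "martian source <packet destination> from <packet source>", and the "ll header" bytes are the 14-byte Ethernet header (destination MAC, source MAC, EtherType). The function names and the SAMPLE text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: one martian/ll-header pair as quoted in the post.
SAMPLE = """\
Sep 12 10:24:47 tesla kernel: martian source 169.254.255.255 from 169.254.176.35, on dev eth1
Sep 12 10:24:47 tesla kernel: ll header: ff:ff:ff:ff:ff:ff:00:c0:26:80:25:b5:08:00
"""

MARTIAN = re.compile(r"martian source ([\d.]+) from ([\d.]+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$", re.I)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def classify(addr):
    """Name the special-purpose range an address falls in, if any."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:  # checked first: is_private is also true here
        return "link-local (169.254.0.0/16, self-assigned)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "globally routable"


def decode_ll_header(hexstr):
    """Split a 14-byte Ethernet header into its three fields."""
    raw = bytes.fromhex(hexstr.replace(":", ""))
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    etype = int.from_bytes(raw[12:14], "big")
    return {"dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]),
            "ethertype": ETHERTYPES.get(etype, hex(etype))}


def parse_martians(text):
    """Pair each martian line with the ll header line that follows it."""
    events = []
    for line in text.splitlines():
        m = MARTIAN.search(line)
        if m:
            events.append({"dst_ip": m.group(1), "src_ip": m.group(2),
                           "dev": m.group(3), "src_class": classify(m.group(2))})
            continue
        h = LL_HEADER.search(line)
        if h and events and "dst_mac" not in events[-1]:
            events[-1].update(decode_ll_header(h.group(1)))
    return events


if __name__ == "__main__":
    for event in parse_martians(SAMPLE):
        print(event)
```
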






