[pptp-server] Strange Logging
Justin Kreger
lists at earthling.2y.net
Mon Jul 9 16:37:11 CDT 2001
Its not a misconfigured windows machine..... 98% of such scans are vbs
worms on windows boxes looking for other boxen to infect. I have seen
such worms use both SMB and IRC to spread.
Justin Kreger, MCP MCSE CCNA
jkreger at earthling.2y.net jwkreger at uncg.edu justin at wss.net
On Mon, 9 Jul 2001, robert wrote:
> Aside: I'm working on updates to the rules. See
> http://home.swbell.net/berzerke for the latest version. It's up to 0.7 now.
>
> It's nothing to be concerned about. Looking at the IP's, I'm guessing eth1
> is an internet interface. Windows insists on doing broadcasts (to port 137
> from port 137) for SMB name lookups. What you're seeing is likely a
> misconfigured windows machine(s).
>
> You can stop this by try the updated rules, or simply go near the end of the
> script you are using now and comment out the prenat logging rule and re-run
> the script.
>
> On Monday 09 July 2001 09:20, Lech, Dan wrote:
> > > I keep getting a mysterious message logged to the console after I start
> > > my firewall. I know this is a pptpd list but I didn't start getting this
> > > until I setup my firewall as per the recommended howto at
> > > http://home.swbell.net/berzerke.
> > >
> > > PreNat logging.IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:c0:05:04:16:dd:08:00
> > > SRC=21
> > > 6.93.46.39 DST=216.93.46.255 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=21544
> > > PROTO=UD
> > > P SPT=137 DPT=137 LEN=58
> > >
> > >
> > > Now, these ip's aren't even close to anything that I have. Also the SRC
> > > ip changes just a little over time. Is this serious? if not, how do I
> > > stop logging it?
> > >
> > > Thanks,
> > > Dan
> >
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > --- To unsubscribe, go to the url just above this line. --
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> --- To unsubscribe, go to the url just above this line. --
>
More information about the pptp-server
mailing list