Just some information

I wonder how to interpret the messages below correctly. The complete list is much longer, but I guess this part will do.

Can someone explain in simple words what is happening and, most importantly: can I or should I do something about this? Are they getting something, or is it just a message I get about the attempt?

The MAC=xxxxx is always the same. Is this the MAC of my server or of the guy that wants to get in?

Thanks
Filips

Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.61 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34076 DF PROTO=TCP SPT=2130 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.62 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34077 DF PROTO=TCP SPT=2131 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.63 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34078 DF PROTO=TCP SPT=2132 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.64 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34079 DF PROTO=TCP SPT=2133 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34080 DF PROTO=TCP SPT=2134 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57186 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57188 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57191 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57498 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57501 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57502 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:07 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=58119 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:07 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=58122 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:07 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=58123 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.61 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60425 DF PROTO=TCP SPT=2127 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.62 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60426 DF PROTO=TCP SPT=2128 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.63 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60427 DF PROTO=TCP SPT=2129 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
1 Solution
 
jlevie commented:
Since you don't say I'm going to assume that eth0 is your outside interface and that you have more than one outside IP in the range 182.104.226.61-65.

The data presented look to be probes from various outside IPs for a vulnerable Radmin (Windows) service. The Radmin service listens on 4899/TCP and all of the destination ports are that port (DPT=4899).

Since this is a Linux IPtables firewall there's no risk as long as you don't forward 4899/TCP to an internal windows box. I don't know what your iptables rules are and consequently don't know what is being logged, but I'd presume those log messages are as the result of the connection being denied & logged.
 
Filips (Author) commented:
That was exactly what I wanted to hear. You made my day.

By the way, you are right. This server is on the internet and only has eth0 with 81-85 as IPs.

Thanks jlevie