Just some information

Posted on 2004-09-02
I wonder how to interpret the messages below correctly. The complete list is much longer, but I guess this part will do.

Can someone explain in simple words what is happening and, most importantly, whether I can or have to do something about this? Are they getting something, or is it just a message I get about the attempt?

The MAC=xxxxx is always the same. Is this the MAC of my server or of the guy who wants to get in?

Thanks
Filips

Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.61 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34076 DF PROTO=TCP SPT=2130 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.62 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34077 DF PROTO=TCP SPT=2131 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.63 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34078 DF PROTO=TCP SPT=2132 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.64 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34079 DF PROTO=TCP SPT=2133 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34080 DF PROTO=TCP SPT=2134 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57186 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57188 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57191 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57498 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57501 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57502 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:07 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=58119 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:07 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=58122 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:07 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=58123 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.61 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60425 DF PROTO=TCP SPT=2127 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.62 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60426 DF PROTO=TCP SPT=2128 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.63 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60427 DF PROTO=TCP SPT=2129 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Question by: Filips

Accepted Solution by: jlevie
Since you don't say I'm going to assume that eth0 is your outside interface and that you have more than one outside IP in the range 182.104.226.61-65.

The data presented look to be probes from various outside IPs for a vulnerable Radmin (Windows) service. The Radmin service listens on 4899/TCP and all of the destination ports are that port (DPT=4899).

Since this is a Linux iptables firewall there's no risk as long as you don't forward 4899/TCP to an internal Windows box. I don't know what your iptables rules are and consequently don't know what is being logged, but I'd presume those log messages are the result of the connection being denied & logged.
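As an added worked example (not part of the original thread), the script below parses netfilter LOG lines like the ones posted above and groups the SYNs by source. Two points the answer does not spell out: the `MAC=` field is the raw 14-byte Ethernet header of the incoming frame, in the order destination MAC (the server's own eth0), source MAC (the last hop that delivered the frame, normally the upstream router) and the two-byte ethertype, which is why it is identical on every line and says nothing about who is probing; and the second source in the excerpt, 212.204.185.189, is not probing 4899 at all but 2745, 1025 and 6129 on a single host (6129/TCP is DameWare Mini Remote Control, 2745/TCP the backdoor port of the Bagle worm, 1025/TCP a common Windows RPC endpoint), with each SYN repeated three times a few seconds apart, which is what an unanswered, i.e. dropped, SYN looks like from the sending side. Addresses, hostnames and timestamps in the sample are copied from the posted log; the final `link up` line is made up here to show a non-matching record.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: eleven records copied from the log excerpt in the question,
# plus one ordinary kernel message (made up) that is not a netfilter LOG record.
SAMPLE_LOG = """\
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.61 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34076 DF PROTO=TCP SPT=2130 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.62 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34077 DF PROTO=TCP SPT=2131 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:18:30 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=220.79.245.153 DST=182.104.226.63 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=34078 DF PROTO=TCP SPT=2132 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57186 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57188 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:23:57 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57191 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57498 DF PROTO=TCP SPT=2416 DPT=2745 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57501 DF PROTO=TCP SPT=2418 DPT=1025 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:24:00 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=212.204.185.189 DST=182.104.226.65 LEN=48 TOS=0x00 PREC=0x20 TTL=121 ID=57502 DF PROTO=TCP SPT=2421 DPT=6129 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.61 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60425 DF PROTO=TCP SPT=2127 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:42:32 bac-75 kernel: IN=eth0 OUT= MAC=00:11:3a:2e:9e:2a:00:81:70:80:b0:3f:18:00 SRC=210.116.107.30 DST=182.104.226.62 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=60426 DF PROTO=TCP SPT=2128 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 04:50:01 bac-75 kernel: eth0: link up
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens, VALUE may be empty (OUT=)
FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens, no '='


def parse_line(line):
    """Parse one netfilter LOG line into a dict of its fields.

    Returns None for kernel messages that are not LOG records. The 14-byte
    MAC= blob is split into destination MAC (our interface), source MAC
    (previous hop) and ethertype (0800 for IPv4 on an untouched capture).
    """
    idx = line.find("kernel: ")
    if idx < 0 or " IN=" not in line:
        return None
    body = line[idx + len("kernel: "):].strip()
    rec = dict(FIELD_RE.findall(body))
    rec["FLAGS"] = {tok for tok in body.split() if tok in FLAGS}
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["DST_MAC"] = ":".join(octets[:6])      # the logging host's NIC
        rec["SRC_MAC"] = ":".join(octets[6:12])    # last hop, usually the router
        rec["ETHERTYPE"] = "".join(octets[12:])
    return rec


def summarize(lines):
    """Group unsolicited TCP SYNs by source: which hosts and ports each source hit."""
    by_src = defaultdict(lambda: {"dsts": set(), "dpts": set(), "packets": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["FLAGS"] or "ACK" in rec["FLAGS"]:
            continue  # only new connection attempts, not replies
        s = by_src[rec["SRC"]]
        s["dsts"].add(rec["DST"])
        s["dpts"].add(int(rec["DPT"]))
        s["packets"] += 1
    return by_src


def classify(summary):
    """Label each source as a horizontal sweep (one port, many hosts),
    a vertical scan (several ports on the same host) or a single probe."""
    kinds = {}
    for src, s in summary.items():
        if len(s["dpts"]) > 1:
            kinds[src] = "vertical scan"
        elif len(s["dsts"]) > 1:
            kinds[src] = "horizontal sweep"
        else:
            kinds[src] = "single probe"
    return kinds


def retransmitted_syns(lines):
    """Count SYNs per (src, sport, dst, dport). A repeat of the same 4-tuple means
    the sender got no answer and retried, which is what a silent DROP produces."""
    seen = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["FLAGS"]:
            seen[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])] += 1
    return {key: n for key, n in seen.items() if n > 1}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    kinds = classify(summary)
    for src, s in summary.items():
        print(f"{src:16} {kinds[src]:17} hosts={sorted(s['dsts'])} "
              f"ports={sorted(s['dpts'])} syns={s['packets']}")
    for (src, spt, dst, dpt), n in retransmitted_syns(lines).items():
        print(f"retransmitted SYN x{n}: {src}:{spt} -> {dst}:{dpt}")
```

To confirm the packets really are being dropped rather than only logged, check that the rule which logs them is followed by a DROP in the same chain (`iptables -L INPUT -v -n --line-numbers`) and that no DNAT rule (`iptables -t nat -L -v -n`) forwards 4899/TCP, 6129/TCP, 2745/TCP or 1025/TCP to an internal host; the retransmitted SYNs reported by the script are consistent with a drop, since a host that receives a RST does not retry.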
Author Comment by: Filips
That was exactly what I wanted to hear. You made my day.

By the way, you are right. This server is on the internet and only has eth0, with 81-85 as IPs.

Thanks jlevie