Help against Martian please
Brad Chapman
kakadu_croc@yahoo.com
Sun, 28 Oct 2001 05:27:25 -0800 (PST)
Mr. Frank,
I'm CC'ing this to netfilter, so that others can benefit from our
discussion.
--- Frank <duranicub@gmx.net> wrote:
>
>
> From: "Brad Chapman" <kakadu_croc@yahoo.com>
>
> > Mr. Frank,
> >
> > --- Frank <duranicub@gmx.net> wrote:
> > > Hello Mr. Brad
> > >
> > > I have a strange and serious problem, constant since 3 days. I asked the
> > > list but no efficient help came from it, and I martyred Google too. I read
> > > all sites and all manpages but no solution was found.
> > > I hope you can help if you want.
> > >
> > > There are 2 switches, 2 persons and 5 boxes.
> > >
> > > Network: 192.168.0./255.255.2550
> > > 0.10 = box of my friend with iptables and Red Hat 7.1, ISDN dial-up
> > > 0.12 = box of mine with iptables and Red Hat 7.2, ADSL dial-up but always
> > > connected
> > > The rest are Windows clients, and before the last 3 days everything with
> > > us 5 went well
> > >
> > > Switch1 -----Uplink-----Switch2
> > > | | |
> > > 0.10 0.12 adsl
> > > | |
> > > | | |
> > > 0.2 0.11 0.1
> >
> > Ummmm.... was it this?
> >
> > Switch1 <---> Uplink <---> Switch2
> >    |                          |
> >    |                          |
> > 192.168.0.10            192.168.0.12
> >    |                          |
> >    |                          |
> > Frank's network       Friend's network
> >
> > >
> > > The only change was me, I think: installed RH7, kernel 2.4.13 and iptables
> > > 2.4.4. Everything works like ever, but new are the martians in my syslog
> > >
> > > netstat -nr
> > > Ziel          Router        Genmask          Flags  MSS  Fenster  irtt  Iface
> > > 217.5.98.17   0.0.0.0       255.255.255.255  UH      40  0           0  ppp0
> > > 192.168.0.0   0.0.0.0       255.255.255.0    U       40  0           0  eth0
> > > 127.0.0.0     0.0.0.0       255.0.0.0        U       40  0           0  lo
> > > 0.0.0.0       217.5.98.17   0.0.0.0          UG      40  0           0  ppp0
> > >
> > > netstat -i
> > > Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
> > > eth0   1500   0  508901      0      0      0  482306      0      0      0 BMRU
> > > lo    16436   0    4123      0      0      0    4123      0      0      0 LRU
> > > ppp0   1492   0    3616      0      0      0    2642      0      0      0 MOPRU
> > >
> > > 217.x.x.x is my ADSL range from my ISP
> > >
> > > Syslog:
> > > Oct 28 13:14:04 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:14:04 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:14:05 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:14:05 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:14:06 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:14:06 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:26:10 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:26:10 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:26:11 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:26:11 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:26:12 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:26:12 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:38:17 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:38:17 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:38:18 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:38:18 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > > Oct 28 13:38:19 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
> > > Oct 28 13:38:19 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
> > >
> > > 00:e0:7d:01:d5:c9:08:06 = THE MAC OF 192.168.0.10
> >
> > OK. Who is 145.254.202.177? It seems to me that either your friend's
> > system is misconfigured, a M$ Win32 zombie is spewing packets somewhere, or
> > else somebody is trying to spoof their way into your network (and failing
> > miserably :))))))
>
>
> 145.254.202.177 is the range from HIS ISP
> Yeah, that's the question: is it an attack or a misconfigured system from us?
Well, if it's coming from HIS ADSL address range, then it's probably a
spoof attack from a zombie on his network. Or, one of his systems has
been compromised.
>
>
> > > cat /proc/net/ip_conntrack
> > >
> > > tcp 6 426289 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=40493 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=40493 dport=46228 use=1
> > > tcp 6 426283 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=36172 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=36172 dport=46228 use=1
> > > tcp 6 426278 ESTABLISHED src=217.82.41.184 dst=145.254.202.177 sport=46228 dport=42050 [UNREPLIED] src=145.254.202.177 dst=217.82.41.184 sport=42050 dport=46228 use=1
> >
> > Yup. This confirms it. Looks like a M$ Win32 zombie to me, although
> > why your friend's firewall isn't at least NATting it....... Hmmm......
>
> Yes. He uses masquerading, like me
>
> > Not your friend. Probably one of his systems. LISB, there may be a
> > zombie somewhere behind his ADSL link. ITM, just do this:
> >
> > iptables -t mangle -A PREROUTING -s 145.254.202.177 -j DROP
>
> Yes, but he has dynamic IPs
Yuck. Well, then, I suggest you make the matter even clearer to him ;)
>
> > Then rag on your friend until he either smashes his systems or scans
> > them for zombies ;)
>
> OK, but how can he or I do this? Especially with Windowzes ;-)
IIRC, Norton AntiVirus will find Trojans. A free firewall like ZoneAlarm
for Win32 systems, AFAIK, could also block Trojan attacks.
>
>
> Greetz and Thanks
>
> Frank
>
Brad
=====
Brad Chapman
Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net
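The thread turns on reading the kernel's "martian source" lines correctly: in that message the first address is the packet's destination and the second is its claimed source, and the "ll header" line that follows is the raw link-layer header, whose source MAC identifies the LAN station that actually put the frame on the wire (which is how Frank tied the packets to the 0.10 box). The script below is an added example, not code from this thread or from the netfilter project: it parses such log pairs, decodes the 14-byte Ethernet header into destination MAC, source MAC and ethertype, and counts events per emitting MAC so an admin can see which local host to look at first. The sample input is three of the syslog lines quoted above plus one constructed unrelated line; the message formats are assumed to match the 2.4-era kernel text shown in the thread.

```python
"""Parse Linux "martian source" kernel log lines and attribute them to the
LAN station (by source MAC in the ll header) that put them on the wire."""
import re
from collections import Counter

# Constructed sample input: three of the syslog line pairs quoted in the thread,
# plus one unrelated (constructed) line to show that non-kernel noise is skipped.
SAMPLE_SYSLOG = """\
Oct 28 13:14:04 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
Oct 28 13:14:04 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
Oct 28 13:14:05 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
Oct 28 13:14:05 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
Oct 28 13:20:00 Frankux sshd[1234]: constructed unrelated log line
Oct 28 13:26:10 Frankux kernel: martian source 192.168.0.12 from 145.254.202.177, on dev eth0
Oct 28 13:26:10 Frankux kernel: ll header: ff:ff:ff:ff:ff:ff:00:e0:7d:01:d5:c9:08:06
"""

# Kernel format: "martian source <daddr> from <saddr>, on dev <dev>".
# Note the order: the first address is the packet's DESTINATION, the second its SOURCE.
MARTIAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)$"
)
# The "ll header:" line that follows dumps the link-layer header as colon-separated hex.
LLHDR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ll header: "
    r"(?P<hdr>[0-9a-f]{2}(?::[0-9a-f]{2})+)$"
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def decode_ll_header(hexdump: str):
    """Split a 14-byte Ethernet header dump into dst MAC, src MAC and ethertype.

    Returns None for anything that is not 14 bytes (e.g. a non-Ethernet device)."""
    octets = hexdump.split(":")
    if len(octets) != 14:
        return None
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def parse_martians(text: str):
    """Pair each 'martian source' line with the 'll header' line that follows it.

    Each event carries the IP-level facts (src/dst/dev) plus, when the kernel
    logged one, the decoded link-layer header."""
    events = []
    pending = None
    for line in text.splitlines():
        m = MARTIAN_RE.match(line)
        if m:
            if pending is not None:      # previous event had no ll header line
                events.append(pending)
            pending = {
                "ts": m["ts"], "host": m["host"], "dev": m["dev"],
                "src_ip": m["src"], "dst_ip": m["dst"],
                "src_mac": None, "dst_mac": None, "ethertype": None,
            }
            continue
        h = LLHDR_RE.match(line)
        if h and pending is not None:
            decoded = decode_ll_header(h["hdr"])
            if decoded:
                pending.update(src_mac=decoded["src_mac"], dst_mac=decoded["dst_mac"],
                               ethertype=decoded["ethertype"])
            events.append(pending)
            pending = None
    if pending is not None:
        events.append(pending)
    return events


def summarize(events):
    """Count martians per (src MAC, claimed src IP, dst IP, dev). The src MAC is the
    LAN station that actually emitted the frame, which is what you need to find it."""
    return Counter((e["src_mac"], e["src_ip"], e["dst_ip"], e["dev"]) for e in events)


if __name__ == "__main__":
    for key, n in summarize(parse_martians(SAMPLE_SYSLOG)).most_common():
        src_mac, src_ip, dst_ip, dev = key
        print(f"{n:4d}  {dev:5s}  emitter {src_mac}  claimed src {src_ip} -> {dst_ip}")
```

Run it against a real syslog with `python3 martians.py < /var/log/messages` after swapping the sample for `sys.stdin.read()`; the source MAC in each summary row is what to look up in the switch's MAC table or the neighbour cache to locate the emitting host, which is more reliable than the IP the packet claims.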