[Shorewall-users] Three way ICMP ?

Bill.Light at kp.org Bill.Light at kp.org
Mon Dec 1 18:04:55 PST 2003


I'm getting 2 or three of these a day... Any ideas?

The 192.168.250.zz is an eth0:3 on a box that currently only has eth0:1
active.

Dec  1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 
SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 
ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz 
LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]

This is the same type of activity as when Tom had guessed that I had been
compromised before. Tripwire says NO, I have NOT been compromised, and
anything else I can check says everything is still safe. This box is
a SuSE 7.3 Professional (2.4.16 kernel) running Shorewall 1.4.8. The box
has been up 185 days straight (replaced UPS batteries) without a hiccup.
The 192.168.250.zz is in my DMZ on eth0. That DMZ box is a SuSE 9.0
Professional (2.4.21 kernel) running Apache and Shorewall 1.4.8 without
any log entries except for me to get NTP working (and I don't have it
yet...)

The 66.228.216.22 is the "SexTraffic.com" site that apparently tries to
enlist webmasters to "sign up" for pay site portals...

What in the dickens are they doing?
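
Added example, not part of the original post and not Shorewall code: a small Python parser for the log entry quoted above. It separates the outer packet from the bracketed header that netfilter's LOG target prints for the packet embedded in an ICMP error, and reports what the entry records: a locally generated (IN= empty) ICMP host-unreachable addressed to the sender of the embedded TCP packet. The function names are illustrative.

```python
import re

# Log entry from the post above, re-joined onto one line (addresses redacted by the poster).
LOG = ("Dec  1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
       "SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 "
       "ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz "
       "LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]")

# ICMP type 3 (destination unreachable) codes from RFC 792.
UNREACH = {0: "network unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable"}

KV = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (IN=)


def parse(line):
    """Split a Shorewall log line into chain, action, outer and embedded packet."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        return None
    chain, action, rest = m.groups()
    # For ICMP errors the LOG target appends the offending packet's header in [ ].
    outer_txt, sep, inner_txt = rest.partition(" [SRC=")
    inner = dict(KV.findall("SRC=" + inner_txt)) if sep else None
    return {"chain": chain, "action": action,
            "outer": dict(KV.findall(outer_txt)), "inner": inner}


def describe(line):
    """Summarise an ICMP-error log entry for triage."""
    p = parse(line)
    o, i = p["outer"], p["inner"]
    icmp = None
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3":
        icmp = UNREACH.get(int(o["CODE"]), "unreachable, code " + o["CODE"])
    return {
        "chain": p["chain"],
        "action": p["action"],
        # Empty IN= with OUT= set: the packet originated on the firewall itself.
        "locally_generated": o.get("IN") == "" and o.get("OUT", "") != "",
        "icmp": icmp,
        # Packet that triggered the ICMP error: (source, destination, protocol).
        "trigger": (i["SRC"], i["DST"], i["PROTO"]) if i else None,
        # True when the ICMP error is addressed to the sender of that packet.
        "answers_trigger_source": bool(i) and o.get("DST") == i["SRC"],
    }


if __name__ == "__main__":
    for key, value in describe(LOG).items():
        print(f"{key}: {value}")
```
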

