[Shorewall-users] Three way ICMP ?

Tom Eastep teastep at shorewall.net
Tue Dec 2 11:24:13 PST 2003


On Mon, 2003-12-01 at 18:04, Bill.Light at kp.org wrote:
> I'm getting 2 or three of these a day... Any ideas?
> 
> The 192.168.250.zz is an eth0:3 on a box that currently only has eth0:1
> active
> 
> Dec  1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 
> SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 
> ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz 
> LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]
> 
> This is the same type of activity when Tom had guessed that I had been
> compromised before - Tripwire says NO I have NOT been compromised as well
> as anything else I can check says everything is still safe. This box is
> a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8. The box
> has been up 185 days straight (replaced UPS batteries) without a hiccup.
> The 192.168.250.zz is in my DMZ on eth0. That DMZ box is a SuSE 9.0
> Professional (2.4.21 Kernel) running apache and shorewall 1.4.8 without
> any log entries except for me to get NTP working (and I don't have it
> yet...)
> 
> The 66.228.216.22 is the "SexTraffic.com" site that apparently tries to
> enlist webmasters to "sign up" for pay site portals...
> 
> What in the dickens are they doing?

Do you have any DNAT rules with 192.168.250.zz as the target?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net



