[CS-FSLUG] Networking details #3 -- partly working

Ed Hurst ehurst at asisaid.com
Wed Dec 8 21:28:58 CST 2004


Frank Bax wrote:
> At 03:07 PM 12/8/04, Ed Hurst wrote:
> 
>>The curious thing is something I've never seen: logging of connections
>>denied using what looks like my dynamically assigned IP from the ISP.
>>That is, something between these two machines is attempting to connect
>>to port 80 on other machines, but looks to be using my temporary IP via
>>the ethernet interface. That's a whole 'nother mess to look at.
> 
> There are some virii that attempt to spread this way.  They are trying to 
> exploit vulnerabilities in IIS using random ip addresses.

Here's a sample to clarify. The first two lines are what I expected,
having not found a way to give the XP box permit through my firewall:

Dec  8 14:54:55 thud kernel: ipfw: 1000 Deny UDP 192.168.1.2:1027 65.90.176.11:53 out via tun0
Dec  8 14:54:55 thud kernel: ipfw: 1000 Deny UDP 192.168.1.2:1027 208.23.212.253:53 out via tun0

You'll note the source IP (192.168.1.2) is what I assigned the XP box.
The destinations are the two DNS servers. They were trying to use the
'tun0' interface, which is the standard ppp for FreeBSD. These next
entries puzzled me:

Dec  8 14:55:48 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:55781 216.154.201.125:80 out via tun0
Dec  8 14:55:56 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:57640 216.154.201.125:80 out via tun0
Dec  8 14:55:58 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:58297 216.154.201.125:80 out via tun0

At that moment, IP 208.31.95.146 was the dynamically assigned addy from
my ISP. The ports used were way up there. The destination is unknown to
me. Doing a 'whois' didn't give me much to go on, nor anything I
recognized offhand. Something on her machine grabbed the IP I was given,
and tried to use it.

Any ideas?

-- 
Ed Hurst
-----------
A Bible Site -- http://webs.tconline.net/softedges/
Linux & Unix Help -- http://ed.asisaid.com/
Blog -- http://ed.asisaid.com/blog/
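Added example, not part of the original post: a small parser for ipfw deny lines in the format quoted above, which groups the denied outbound traffic by whether the source was a private LAN address or the ISP-assigned external address. The sample log is constructed from the lines in the post (mail wrapping joined), and the external IP passed in is the one the post names as its dynamic address at the time.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, taken from the ipfw lines quoted in the post above.
SAMPLE_LOG = """\
Dec  8 14:54:55 thud kernel: ipfw: 1000 Deny UDP 192.168.1.2:1027 65.90.176.11:53 out via tun0
Dec  8 14:54:55 thud kernel: ipfw: 1000 Deny UDP 192.168.1.2:1027 208.23.212.253:53 out via tun0
Dec  8 14:55:48 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:55781 216.154.201.125:80 out via tun0
Dec  8 14:55:56 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:57640 216.154.201.125:80 out via tun0
Dec  8 14:55:58 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:58297 216.154.201.125:80 out via tun0
"""

# Matches "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>".
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)


def parse_ipfw(line):
    """Return a dict of the ipfw fields in one syslog line, or None if it is not an ipfw line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify_source(src, external_ip):
    """Label the source: RFC1918 LAN host, our own external address, or something else."""
    addr = ipaddress.ip_address(src)
    if addr.is_private:
        return "lan-source"
    if str(addr) == external_ip:
        return "external-source"
    return "other-source"


def summarize_denies(log_text, external_ip):
    """Count Deny entries keyed by (source class, proto, interface, dst, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw(line)
        if rec is None or rec["action"] != "Deny":
            continue
        key = (classify_source(rec["src"], external_ip), rec["proto"],
               rec["iface"], rec["dst"], rec["dport"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denies(SAMPLE_LOG, "208.31.95.146").most_common():
        print(n, key)
```

Run against a real /var/log/security, the "external-source" bucket isolates exactly the puzzling entries the post describes, so they can be watched separately from the expected LAN-sourced denies.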