[CS-FSLUG] Networking details #4 - switch

Tim Young Tim.Young at LightSys.org
Fri Dec 10 12:32:20 CST 2004


Hmmm....  That is very curious.  It tries to go out via tun0.  Do you have a tunnel
set up on your Unix box?  Basically something is trying to download *something*
from a particular web-site.  I glanced at 216.91.137.16 to see what it was, and it
returned that I was unable to view the web page.  But it says that it is a virtual
server.  These are often virtual based on IP or URL that you reached it by.

What does all this mean?  Well, I would agree with Josiah that it looks like
something might be hacked.  If you have a tun0 but did not set it up, it could be
the firewall computer.  :(  But it could also be from the switch, though I doubt
that a little.  Actually, I looked up the AOW-605U in securityfocus.net, and it
does not show up as having any particular vulnerabilities.  That is not conclusive,
of course, but it leads me to believe it is something else.

I would do two things.
1) plug it back in and see if you can get a tcpdump of the traffic that is getting
blocked.
2) see if you have a tun0 running and know why.  It could be something that FreeBSD
does for PPP or something.  On Linux boxes it is a tunnel, and is really only set
up by people who know what they are doing to bypass security or set up fairly
complex security configurations.  If this were a Linux box I would assume the box
itself had been hacked and was trying to download a payload from an external site.
:)

Of course, there are a number of unanswered questions.  First, who is:
208.31.27.28?  That may be the same network that you dial up to to send out your
emails (you sent your previous email from: 208.31.95.126).  It could have been from
your box itself, with the IP that you had from your ISP.

When you dial-up to the Internet, PPP (on Linux, of course) usually makes an entry
in the syslog with the IP that you are given.  So you should be able to look back
to the time when these logs were made and see what IP address you had at the time.

I am very curious right about now...  But it sounds like you have enough other
problems at this time with your wife's computer and all...

    - Tim

Ed Hurst wrote:

> Tim Young wrote:
> > Could you send us the firewall log of a few of the packets that may have been
> > coming from the switch?
> >
> >     - Tim Young
>
> Sure, but only to satisfy my curiosity. Parse:
>
> date/time, machine name, kernel, firewall program, rule#, offending IP,
> target IP, incoming/outgoing, etc.
>
> Dec  9 18:34:20 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64219
> 216.91.137.16:80 out via tun0
> Dec  9 18:34:28 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:65365
> 216.91.137.16:80 out via tun0
> Dec  9 18:35:09 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:53001
> 216.91.137.16:80 out via tun0
> Dec  9 18:35:16 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64108
> 216.239.63.104:80 out via tun0
> Dec  9 18:35:16 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:49274
> 216.91.137.16:80 out via tun0
> Dec  9 18:35:24 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64219
> 216.91.137.16:80 out via tun0
> Dec  9 18:35:32 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:65365
> 216.91.137.16:80 out via tun0
> Dec  9 18:36:13 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:53001
> 216.91.137.16:80 out via tun0
> Dec  9 18:36:20 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64108
> 216.239.63.104:80 out via tun0
> Dec  9 18:36:20 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:49274
> 216.91.137.16:80 out via tun0
> Dec  9 18:36:28 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64219
> 216.91.137.16:80 out via tun0
> Dec  9 18:36:36 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:65365
> 216.91.137.16:80 out via tun0
>
> My IP at the time was 208.31.95.128
>
> --
> Ed Hurst
> -----------
> A Bible Site -- http://webs.tconline.net/softedges/
> Linux & Unix Help -- http://ed.asisaid.com/
> Blog -- http://ed.asisaid.com/blog/
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
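The two questions Tim raises, who 208.31.27.28 is relative to the dial-up address Ed reports, and what the denied traffic actually looks like, can both be read straight out of the quoted ipfw lines. The script below is an added example, not code from either poster or from FreeBSD; it parses the exact log lines from Ed's message (re-joined where the mail client wrapped them), groups the denials by destination, flags any source address that is not the address the host reports holding, and measures the gap between repeated denials of the same flow. The function names and report layout are this example's own.

```python
"""Summarize ipfw 'Deny' syslog lines such as the ones quoted in the thread.

SAMPLE_LOG is copied from Ed Hurst's message (wrapped lines re-joined);
OWN_IP is the dial-up address he reports having at the time.  Everything
else here is an illustrative helper, not part of ipfw or FreeBSD.
"""
import re
from collections import defaultdict
from datetime import datetime

# Shape of a syslog line written by ipfw's log action:
#   <Mon> <day> <hh:mm:ss> <host> kernel: ipfw: <rule> <action> <proto>
#   <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

OWN_IP = "208.31.95.128"  # address the poster says the host had at the time

SAMPLE_LOG = """\
Dec  9 18:34:20 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64219 216.91.137.16:80 out via tun0
Dec  9 18:34:28 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:65365 216.91.137.16:80 out via tun0
Dec  9 18:35:09 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:53001 216.91.137.16:80 out via tun0
Dec  9 18:35:16 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64108 216.239.63.104:80 out via tun0
Dec  9 18:35:16 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:49274 216.91.137.16:80 out via tun0
Dec  9 18:35:24 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64219 216.91.137.16:80 out via tun0
Dec  9 18:35:32 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:65365 216.91.137.16:80 out via tun0
Dec  9 18:36:13 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:53001 216.91.137.16:80 out via tun0
Dec  9 18:36:20 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64108 216.239.63.104:80 out via tun0
Dec  9 18:36:20 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:49274 216.91.137.16:80 out via tun0
Dec  9 18:36:28 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:64219 216.91.137.16:80 out via tun0
Dec  9 18:36:36 thud kernel: ipfw: 1000 Deny TCP 208.31.27.28:65365 216.91.137.16:80 out via tun0
"""


def parse_ipfw(text):
    """Return one dict per well-formed ipfw log line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = IPFW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # syslog omits the year; the 1900 default is fine for same-day deltas
        rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records, own_ip):
    """Group denials by (dst, dport); collect source addresses that differ
    from the address this host is known to have held."""
    by_dst = defaultdict(lambda: {"count": 0, "sports": set(), "ifaces": set()})
    foreign_sources = set()
    for r in records:
        entry = by_dst[(r["dst"], r["dport"])]
        entry["count"] += 1
        entry["sports"].add(r["sport"])
        entry["ifaces"].add(r["iface"])
        if r["src"] != own_ip:
            foreign_sources.add(r["src"])
    return dict(by_dst), foreign_sources


def repeat_intervals(records):
    """Seconds between successive denials of the same (src, sport, dst, dport).

    A TCP client retrying one connection keeps its source port, whereas a
    fresh connect() picks a new ephemeral port, so a steady cadence per
    flow indicates retries of the same blocked attempts."""
    times_by_flow = defaultdict(list)
    for r in records:
        times_by_flow[(r["src"], r["sport"], r["dst"], r["dport"])].append(r["time"])
    intervals = {}
    for flow, times in times_by_flow.items():
        times.sort()
        intervals[flow] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return intervals


if __name__ == "__main__":
    recs = parse_ipfw(SAMPLE_LOG)
    by_dst, foreign = summarize(recs, OWN_IP)
    print(f"{len(recs)} denied connections parsed")
    for (dst, dport), info in sorted(by_dst.items()):
        print(f"  {dst}:{dport}  {info['count']} denials, "
              f"{len(info['sports'])} source ports, via {','.join(sorted(info['ifaces']))}")
    print("source addresses other than", OWN_IP, "->", sorted(foreign) or "none")
    for flow, gaps in sorted(repeat_intervals(recs).items()):
        print(f"  flow {flow}: repeat gaps {gaps}s")
```

Run against the quoted lines, the report shows ten denials to 216.91.137.16:80 and two to 216.239.63.104:80, all out via tun0, every one from 208.31.27.28 rather than the reported 208.31.95.128, and each source port recurring at a fixed 64-second gap. That last point is worth noting when reading the log: five distinct connection attempts being retried on a timer is a different picture from a flood of new connections, and it is the kind of detail a raw tcpdump (Tim's step 1) would confirm along with the payload of the HTTP requests themselves.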