how should i interpret this??



  1. #1
    Join Date
    Nov 2003
    Posts
    16

    how should i interpret this??

    i got these lines on my /var/log/messages

    Jun 10 14:41:53 zoo kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:10:12:98:08:00 SRC=192.168.2.34 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=28132 PROTO=UDP SPT=137 DPT=137 LEN=58

    Jun 10 14:13:49 zoo kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=00:04:5a:4d:ff:0f:00:30:bd:09:b1:ac:08:00 SRC=24.81.240.124 DST=192.168.2.14 LEN=48 TOS=0x10 PREC=0x00 TTL=110 ID=62013 DF PROTO=TCP SPT=2028 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
    Jun 10 14:13:52 zoo kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=00:04:5a:4d:ff:0f:00:30:bd:09:b1:ac:08:00 SRC=24.81.240.124 DST=192.168.2.14 LEN=48 TOS=0x10 PREC=0x00 TTL=110 ID=62521 DF PROTO=TCP SPT=2028 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0

    well the 196.168.2.34 is my sister's computer's internal ip within the router, does this mean my sister's computer is pinging mine??

    and the other ip.. was that just an attempt.. or did he/she successfully get into my computer

    im using arno iptables script...

    monk

  2. #2
    Join Date
    Jul 2002
    Location
    Vladivostok, Russia
    Posts
    9,053
    IP 24.81.240.124 is "shawcable.net"....sound familiar?
    "I was pulled over for speeding today. The officer said, "Don't you know
    the speed limit is 55 miles an hour?" And I said, "Yes, but I wasn't going
    to be out that long."

    How To Ask Questions The Smart Way
    COME VISIT ME IN RUSSIA NOW!!

  3. #3
    Join Date
    Nov 2003
    Posts
    16
    i dont get it... im using comcast

    as another person pointed out to me.. it was trying to connect through ftp... i dont have any ftp services running.

    monk

  4. #4
    Join Date
    May 2004
    Posts
    128
    baldmonk,

    The first line means that your sister's computer (192.168.2.34) sent a broadcast message to your internal subnet on UDP port 137 (windows file sharing). That's no big deal.

    The next lines mean that a computer with the IP address of 24.81.240.124 attempted to connect to your computer on TCP port 21 (ftp). This most likely is someone scanning your computer. I get this stuff all the time on my computer also. I don't use the same script as you use, but from what I gather, those messages mean that your firewall is functioning properly. If you'd care to post the script you're using in this forum, I can get you more detailed info of exactly what "Connection attempt (PRIV)" actually means (it is kind of vague).

    Anyways, just know that people scanning you is normal. Sometimes I'll scan them back, and if they're running an SMTP server I'll kindly email them telling them to knock it off.

    Hope that helps.
    "Never ask the barber if you need a haircut."

    Things could be worse...

    YnJldHRfYnVydG9uXzgyQHlhaG9vLmNvbQ== (hidemyemail.net)

    Use the MUTT Mailreader!
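
An added example, not part of any post in this thread: a small Python parser for the netfilter LOG lines quoted in the first post. It labels each packet the way post #4 reads them and counts SYNs repeated from the same source port, which are TCP retransmissions and are consistent with the first SYN getting no reply. The function names are made up for this illustration.

```python
import ipaddress
import re
from collections import Counter

# The three log lines from the first post, unchanged.
SAMPLE_LINES = [
    "Jun 10 14:41:53 zoo kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:b5:10:12:98:08:00 SRC=192.168.2.34 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=28132 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Jun 10 14:13:49 zoo kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=00:04:5a:4d:ff:0f:00:30:bd:09:b1:ac:08:00 SRC=24.81.240.124 DST=192.168.2.14 LEN=48 TOS=0x10 PREC=0x00 TTL=110 ID=62013 DF PROTO=TCP SPT=2028 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Jun 10 14:13:52 zoo kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=00:04:5a:4d:ff:0f:00:30:bd:09:b1:ac:08:00 SRC=24.81.240.124 DST=192.168.2.14 LEN=48 TOS=0x10 PREC=0x00 TTL=110 ID=62521 DF PROTO=TCP SPT=2028 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0",
]
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one netfilter LOG line into KEY=value fields plus bare TCP flags."""
    payload = line.split("kernel:", 1)[1]
    fields = {}
    for key, value in FIELD_RE.findall(payload):
        fields.setdefault(key, value)  # keep the first LEN= (IP length), not the UDP one
    fields["FLAGS"] = sorted(TCP_FLAGS & set(payload.split()))
    return fields

def describe(fields):
    """One-line reading of a parsed packet: who sent it, to what, and what kind."""
    src = ipaddress.ip_address(fields["SRC"])
    origin = "LAN host" if src.is_private else "Internet host"
    if fields["MAC"].startswith("ff:ff:ff:ff:ff:ff"):  # destination MAC comes first
        kind = "broadcast"
    elif fields["PROTO"] == "TCP" and fields["FLAGS"] == ["SYN"]:
        kind = "new TCP connection attempt"
    else:
        kind = "other"
    return f'{origin} {fields["SRC"]} -> {fields["DST"]} {fields["PROTO"]}/{fields["DPT"]}: {kind}'

def repeated_syns(lines):
    """Count SYNs per (SRC, SPT, DST, DPT); more than one means the SYN was retransmitted."""
    counts = Counter()
    for f in map(parse_line, lines):
        if f["PROTO"] == "TCP" and f["FLAGS"] == ["SYN"]:
            counts[(f["SRC"], f["SPT"], f["DST"], f["DPT"])] += 1
    return {flow: n for flow, n in counts.items() if n > 1}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_line(line)))
    print("retransmitted SYNs:", repeated_syns(SAMPLE_LINES))
```

The log entries only record that the packets arrived and matched a logging rule; whether they were dropped depends on the rule that follows in the firewall script.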

  5. #5
    Join Date
    Nov 2003
    Posts
    16
    well i decided to stop using that script and installed shorewall.. now when i check my log, it's actually telling me what it is dropping.

    and to my surprise, i had port forwarding for port 21 on my router the whole time.

  6. #6
    Join Date
    Jan 2001
    Location
    Worcester, MA
    Posts
    722
    You could install LogWatch http://www2.logwatch.org:81/
    and it will send you emails after it analyzes your logs. I find it pretty helpful.

    -goon12

  7. #7
    Join Date
    Nov 2003
    Posts
    16
    cool.. i'll take a look into that

    thanks,

    monk
