diff for duplicates of <loom.20060818T212303-706@post.gmane.org>
diff --git a/a/1.txt b/N1/1.txt
index a3faba5..3288105 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -3,8 +3,42 @@ Hello,
 My iptables based firewall seem to be working, However, I keep getting
 triplets of this activity:
 
-source dest. proto info
-rouge.ip www.me.com tcp
+Problem (2286 > netbios-ssn)
+source dest. proto info
+curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460
+www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1
+Win=0 Len=0
+
+Any ideas on a rule to drop these requests to my web server?
+
+similarly I see the same thing except the info section is slightly
+different:
+similar problem (2469 > microsoft-ds)
+rouge.ip www.me.com tcp 2469 > microsoft-ds Seq=0 Len=0 MSS=1460
+
+and the response from my firewall is simialr
+www.me.com rouge.ip tcp microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1
+Win=0 Len=0
+
+Other problems are (info section is only difference) epmap > 3081
+ 3081 > epmap
+
+Each of these appear in tripplets... and seem useless. Are they
+part of something stupidly done by microsoft? I think not
+because they occur quite frequently, almost systematcially,
+leading me to suspect they are part of nefarious activities?
+
+The only change is the port numbers (2286; 2469; 3081) and the
+source IP address change after each triplet of queries.
+
+Any ideas, information and iptables rules to silently drop these
+queries are most welcome. I see them all day long.
+
+
+James
+
+
+
 
 -- 
 gentoo-user@gentoo.org mailing list
diff --git a/a/content_digest b/N1/content_digest
index db672f4..f5486fe 100644
--- a/a/content_digest
+++ b/N1/content_digest
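Review bot: The added capture lines show the host answering every probe with a reset (`netbios-ssn > 2286 [RST, ACK]` and `microsoft-ds > 2469 [RST, ACK]`), which means those SYNs are reaching the TCP stack and being refused rather than being dropped by the firewall as the author assumes. A silent drop for the three services named (epmap, netbios-ssn, microsoft-ds are TCP 135, 139 and 445 in /etc/services) would be `iptables -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP`, placed ahead of any REJECT rule, and is better expressed as a default-DROP INPUT policy that only opens the web server's ports. The `Seq=0 Len=0 MSS=1460` pattern is a bare SYN and the repeating triplets with a changing source address are consistent with SYN retransmits from automated scanning of Windows file-sharing ports, though that is inferred from the summary rather than shown here. Dropping instead of rejecting only removes the RST and the log noise; it does not stop the scanning itself.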
@@ -2,10 +2,10 @@ "From\0James <wireless\@tampabay.rr.com>\0" ] [ - "Subject\0[gentoo-user] blocking netbios-ssn rule?\0" + "Subject\0[gentoo-user] OT: A netbios-ssn blocking rule?\0" ] [ - "Date\0Fri, 18 Aug 2006 19:24:54 +0000 (UTC)\0" + "Date\0Fri, 18 Aug 2006 19:59:59 +0000 (UTC)\0" ] [ "To\0gentoo-user\@lists.gentoo.org\0" 
@@ -22,11 +22,45 @@ "My iptables based firewall seem to be working, However, I keep getting\n", "triplets of this activity:\n", "\n", - "source dest. proto info\n", - "rouge.ip www.me.com tcp\n", + "Problem (2286 > netbios-ssn)\n", + "source dest. proto info\n", + "curious.ip www.me.com tcp 2286 > netbios-ssn Seq=0 Len=0 MSS=1460\n", + "www.me.com curious.ip tcp netbios-ssn > 2286 [RST, ACK] Seq=0 Ack=1 \n", + "Win=0 Len=0\n", + "\n", + "Any ideas on a rule to drop these requests to my web server?\n", + "\n", + "similarly I see the same thing except the info section is slightly \n", + "different:\n", + "similar problem (2469 > microsoft-ds)\n", + "rouge.ip www.me.com tcp 2469 > microsoft-ds Seq=0 Len=0 MSS=1460\n", + "\n", + "and the response from my firewall is simialr\n", + "www.me.com rouge.ip tcp microsoft-ds > 2469 [RST, ACK] Seq=0 Ack=1 \n", + "Win=0 Len=0\n", + "\n", + "Other problems are (info section is only difference) epmap > 3081\n", + " 3081 > epmap\n", + "\n", + "Each of these appear in tripplets... and seem useless. Are they\n", + "part of something stupidly done by microsoft? I think not\n", + "because they occur quite frequently, almost systematcially,\n", + "leading me to suspect they are part of nefarious activities?\n", + "\n", + "The only change is the port numbers (2286; 2469; 3081) and the \n", + "source IP address change after each triplet of queries.\n", + "\n", + "Any ideas, information and iptables rules to silently drop these \n", + "queries are most welcome. I see them all day long.\n", + "\n", + "\n", + "James\n", + "\n", + "\n", + "\n", "\n", "-- \n", "gentoo-user\@gentoo.org mailing list" ] -ec49a4f10cbf3358b489e3bdf9d71c608b7db081e1b54cc215207dd827c321c9 +8d420b34dde2fac18fc4a4f30297d418ee049454a4b3dc4cf7a319655d9d0e80