Firewall acting strange, got cracked?

Viewing 1 reply thread
  • Author
    • #1247


      I have a suse linux 10.2 as firewall, recently I thought it is acting strange.

      1. some of routing got changed, output of “netstat -rn” doesn’t match “yast2 lan” routing setup. “yast2 lan” setup is correct.

      2. from “dmesg”, it seems some correct package has been dropped,


      Did I get cracked? I thought it is SuSE Linux 10.2 issue, maybe I am wrong.
      How do I verify it?
      How can I fix?

      Thanks for the help

    • #12331

      The first record looks like traffic on udp/1026 which is used for windows messaging service. Win-rpc is used for windows messenger popup spam.  My firewalls sees thousands of these records too.

      As this is UDP it is HIGHLY likely that the source address is forged.

      Interestingly a whois on reveals:

      OrgName:    DoD Network Information Center
      OrgID:      DNIC
      Address:    3990 E. Broad Street
      City:      Columbus
      StateProv:  OH
      PostalCode: 43218
      Country:    US

      NetRange: –
      NetName:    DISNET
      NetHandle:  NET-22-0-0-0-1
      NetType:    Direct Allocation
      Comment:    Defense Information Systems Agency
      Comment:    7990 Science Applications Court
      Comment:    Vienna, VA 22183-7000 US
      RegDate:    1989-06-26
      Updated:    2001-10-11

      RTechHandle: MIL-HSTMST-ARIN
      RTechName:  Network DoD
      RTechPhone:  +1-800-365-3642
      RTechEmail:  **********

      OrgTechHandle: MIL-HSTMST-ARIN
      OrgTechName:  Network DoD
      OrgTechPhone:  +1-800-365-3642
      OrgTechEmail:  **********

      All destination addresses are based in China, as well as the originating addresses, excluding the DoD address.

      The remaining records have a destination of tcp/80.  They are all ACK or FIN/ACKs and are invalid packets.

      One reason for a bad/invalid packet is that it is malformed in some way. this could be due to the packet being corrupted in transit. It could also be that the traffic is from out of sequence packets being dropped.

      This traffic could be the result of a scan/attack that is attempting to inject a packet by attempting to guess the ISN. This will allow the attacker to take control of the packet stream by completing the 3-way handshake. This could result in compromise. This scenario seems somewhat unlikely though.

      This type of attack is common from the location of these IPs BTW.

      What services are you running that are open on the firewall?

      What exactly has changed in your routing table?

      If you think that you have been compromised you might want to look for signs of a rootkit or backdoor.


Viewing 1 reply thread
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?