Date:      Sun, 09 May 1999 04:21:48 GMT
From:      mike@sentex.net (Mike Tancsa)
To:        robert@cyrus.watson.org (Robert Watson)
Cc:        security@freebsd.org
Subject:   Re: Unusual syslog packets, crashing named...
Message-ID:  <37350c62.678976@mail.sentex.net>
In-Reply-To: <MAILPine.BSF.3.96.990507194356.10056B-100000@fledge.watson.org>
References:  <MAILPine.BSF.3.96.990507194356.10056B-100000@fledge.watson.org>

On 7 May 1999 20:00:34 -0400, in sentex.lists.freebsd.misc you wrote:

>This afternoon I logged some unusual packets from cp-pm4.glas.apc.org
>coming into the syslog port on two of hosts (one BSD/OS, the other
>FreeBSD).  Since I am not in the habit of accepting [syslog] packets from
>strangers, I tcpdump'd them.  I've attached syslogd getting upset, a copy
>of two packets in hex form, and the useful text from the packet below
>that.  I don't know if this is a port scan, or what it is, but sending
>ports to other people's hosts using syslog is not very polite.  Any takers
>on what this is exactly?
>
>May  7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure mode
>May  7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure mode
>May  7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure mode
>May  7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure mode
>
>
>17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp
>17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp
>Useful text extracted:
>(some headers) followed by
><14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78 00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05 b4

The text and the host name seem to indicate a Livingston/Lucent Portmaster
4 terminal server.  ChoiceNet is their 'filtering' software.  On the PMs
you can configure the box to send out via syslog any filter violations.
e.g. if the dialup user is set so that they are only allowed outgoing
access to port 110 (POP3), but try to browse, the filter will block them,
and send the message to syslog. My guess is that the person made a typo in
setting his/her loghost.

Are you sure it's crashing named though? Or is it just a coincidence...

	---Mike
Mike Tancsa  (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
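Added here as an example, not part of the thread or of any Livingston/Lucent software: a Python parser for the packet text quoted above. It splits the syslog <PRI> into facility and severity, pulls the blocked address out of the ChoiceNet Block line, and, on the assumption that the hex bytes are the start of the blocked packet's TCP header (the thread does not say what they are), decodes that header.

```python
import re
import struct

# Constructed sample: the line quoted in the thread, address re-joined where the mail wrapped it.
SAMPLE = ("<14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78 "
          "00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05 b4")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def parse_pri(payload):
    """Split the BSD syslog '<PRI>' prefix from the message text."""
    m = re.match(r"<(\d{1,3})>(.*)", payload)
    if not m:
        raise ValueError("payload has no <PRI> prefix")
    pri, msg = int(m.group(1)), m.group(2)
    fac, sev = pri >> 3, pri & 7      # PRI = facility * 8 + severity
    fac_name = FACILITIES[fac] if fac < len(FACILITIES) else "facility%d" % fac
    return pri, fac_name, SEVERITIES[sev], msg

def decode_tcp(raw):
    """Decode a TCP header (assumed layout of the hex bytes) including the MSS option."""
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    hlen = (off >> 4) * 4             # data offset is in 32-bit words
    mss, i, opts = None, 0, raw[20:hlen]
    while i < len(opts):              # walk the options: kind, length, value
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP is a single byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                # malformed option, stop rather than loop forever
            break
        if kind == 2 and length == 4:  # maximum segment size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": hlen,
            "flags": [name for bit, name in TCP_FLAGS if flags & bit],
            "window": win, "checksum": csum, "mss": mss}

def parse_choicenet(payload):
    """Return facility, severity, blocked address and decoded header, or None if not a Block line."""
    _, fac, sev, msg = parse_pri(payload)
    m = re.match(r"ChoiceNet Block (\S+) - ((?:[0-9a-f]{2} ?)+)$", msg)
    if not m:
        return None
    raw = bytes.fromhex(m.group(2).replace(" ", ""))
    return {"facility": fac, "severity": sev, "blocked_ip": m.group(1), "header": decode_tcp(raw)}
```

Under that assumption the sample decodes to a SYN+ACK from port 80 to port 1147 with MSS 1460, i.e. a web server answering the dialup user, which fits the browsing explanation above.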


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message