Re: [SLUG] Output from tcpdump

From: Smitty (a.smitty@verizon.net)
Date: Sun Aug 04 2002 - 17:03:14 EDT


On Sunday 04 August 2002 16:36, you wrote:
> While using tcpdump to learn about arp, I found some unexpected activity on
> my network, which consists only of:
>
> Linksys Cable/DSL router at 192.168.1.215
> RH 7.3 mail server at 192.168.1.201
> Win2K Pro at 192.168.1.1
>
> I ran tcpdump while there were no users running any programs...
> Here are the tcpdump output lines, with my questions included:
>
> 16:07:23.381067 133.65.185.24.2957 > 192.168.1.201.ssh: S
> 2350411248:2350411248(0) win 32120 <mss 1460,sackOK,timestamp 411665006
> 0,nop,wscale
> 0> (DF)
> 16:07:23.381336 192.168.1.201.ssh > 133.65.185.24.2957: S
> 816541276:816541276(0) ack 2350411249 win 5792 <mss 1460,sackOK,timestamp
> 10387441 4
> 11665006,nop,wscale 0> (DF) [tos 0x10]
> 16:07:23.599026 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 1 win 32120
> <nop,nop,timestamp 411665028 10387441> (DF)
> 16:07:23.601198 192.168.1.201.ssh > 133.65.185.24.2957: P 1:24(23) ack 1
> win 5792 <nop,nop,timestamp 10387463 411665028> (DF) [tos 0x10]
> 16:07:23.810986 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 24 win 32120
> <nop,nop,timestamp 411665049 10387463> (DF)
> 16:07:53.466782 133.65.185.24.2957 > 192.168.1.201.ssh: F 1:1(0) ack 24 win
> 32120 <nop,nop,timestamp 411668015 10387463> (DF)
> 16:07:53.467540 192.168.1.201.ssh > 133.65.185.24.2957: . ack 2 win 5792
> <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
> 16:07:53.467705 192.168.1.201.ssh > 133.65.185.24.2957: F 24:24(0) ack 2
> win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
> 16:07:53.689100 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 25 win 32120
> <nop,nop,timestamp 411668037 10390450> (DF)
>
> Is someone at 133.65.185.24 trying to ssh into my Linux box? If so, what
> log would I look at to see if they were successful?
The IP address belongs to Japan Network Information Center, and yes, it looks
that way.
Examine: less /var/log/xinetd.log
>
> 16:07:23.382952 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2718+
> PTR? 201.1.168.192.in-addr.arpa. (44) (DF)
> 16:07:23.418843 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2718
> NXDomain 0/1/0 (121) (DF)
> 16:07:23.419640 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2719+
> PTR? 215.1.168.192.in-addr.arpa. (44) (DF)
> 16:07:23.434479 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2719
> NXDomain 0/1/0 (121) (DF)
> 16:07:23.435482 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2720+
> PTR? 24.185.65.133.in-addr.arpa. (44) (DF)
> 16:07:23.452173 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2720
> NXDomain 0/1/0 (106) (DF)
> 16:07:23.453083 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2721+
> PTR? 80.1.32.65.in-addr.arpa. (41) (DF)
> 16:07:23.466381 ns2.tampabay.rr.com.domain > 192.168.1.201.32769: 2721*
> 1/3/3 PTR[|domain] (DF)
>
> I'm assuming that this is some DNS resolution activity. Is this normal?
> Maybe the SMTP server is resolving an MX record or something?
> Also, the gateway often sends arp requests for 192.168.1.254, which does
> not exist... Why would it be looking for it?

That IP belongs to the Internet Assigned Numbers Authority and is reserved for
special purposes. Possibly looking to exploit the address for a hack attack.
Smitty
>
> Thanks,
>
> Doug
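As an added illustration (not part of the thread above, and not Smitty's or Doug's code), the script below parses the quoted tcpdump lines and summarizes the SSH flow the way a defender would read it: did the three-way handshake complete, how many payload bytes went each way, how long the connection lasted, and whether both sides closed it. It also extracts the reverse (PTR) lookups. It assumes the 2002-era tcpdump text format shown in the post, with each packet re-joined onto a single line where the mail client wrapped it, and a local network of 192.168.1.0/24; the sample lines are copied from the post, and `SAMPLE`, `local_net` and the function names are this example's own.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample: the tcpdump lines quoted in the thread, re-joined where the
# mail client wrapped them (the SSH flow plus two of the PTR queries).
SAMPLE = """\
16:07:23.381067 133.65.185.24.2957 > 192.168.1.201.ssh: S 2350411248:2350411248(0) win 32120 <mss 1460,sackOK,timestamp 411665006 0,nop,wscale 0> (DF)
16:07:23.381336 192.168.1.201.ssh > 133.65.185.24.2957: S 816541276:816541276(0) ack 2350411249 win 5792 <mss 1460,sackOK,timestamp 10387441 411665006,nop,wscale 0> (DF) [tos 0x10]
16:07:23.599026 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 1 win 32120 <nop,nop,timestamp 411665028 10387441> (DF)
16:07:23.601198 192.168.1.201.ssh > 133.65.185.24.2957: P 1:24(23) ack 1 win 5792 <nop,nop,timestamp 10387463 411665028> (DF) [tos 0x10]
16:07:23.810986 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 24 win 32120 <nop,nop,timestamp 411665049 10387463> (DF)
16:07:53.466782 133.65.185.24.2957 > 192.168.1.201.ssh: F 1:1(0) ack 24 win 32120 <nop,nop,timestamp 411668015 10387463> (DF)
16:07:53.467540 192.168.1.201.ssh > 133.65.185.24.2957: . ack 2 win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
16:07:53.467705 192.168.1.201.ssh > 133.65.185.24.2957: F 24:24(0) ack 2 win 5792 <nop,nop,timestamp 10390450 411668015> (DF) [tos 0x10]
16:07:53.689100 133.65.185.24.2957 > 192.168.1.201.ssh: . ack 25 win 32120 <nop,nop,timestamp 411668037 10390450> (DF)
16:07:23.382952 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2718+ PTR? 201.1.168.192.in-addr.arpa. (44) (DF)
16:07:23.435482 192.168.1.201.32769 > ns2.tampabay.rr.com.domain: 2720+ PTR? 24.185.65.133.in-addr.arpa. (44) (DF)
"""

# Old-style tcpdump TCP line: "ts src.port > dst.port: FLAGS [seq:end(len)] [ack N] win W ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win \d+"
)
# DNS PTR query line: "ts src.port > dst.port: ID+ PTR? d.c.b.a.in-addr.arpa. ..."
PTR_RE = re.compile(r"^\S+ \S+ > \S+: \d+\+ PTR\? (?P<name>[\d.]+)\.in-addr\.arpa\.")


def _endpoint(token):
    """Split tcpdump's 'host.port' token on its last dot."""
    host, port = token.rsplit(".", 1)
    return host, port


def _is_external(host, net):
    try:
        return ipaddress.ip_address(host) not in net
    except ValueError:  # tcpdump printed a resolved name, so we cannot judge
        return None


def summarize_tcp_flows(text, local_net="192.168.1.0/24"):
    """Group packets into client->server flows keyed by the first bare SYN."""
    net = ipaddress.ip_network(local_net)
    flows = {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        src, sport = _endpoint(m["src"])
        dst, dport = _endpoint(m["dst"])
        flags, has_ack, length = m["flags"], m["ack"] is not None, int(m["len"] or 0)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags and not has_ack:  # bare SYN: client opens a new flow
            flows[fwd] = {"client": src, "server": dst, "service": dport,
                          "external_client": _is_external(src, net),
                          "first": ts, "last": ts, "synack": False, "handshake": False,
                          "bytes_c2s": 0, "bytes_s2c": 0, "fin_c": False, "fin_s": False}
            continue
        if fwd in flows:
            f, from_client = flows[fwd], True
        elif rev in flows:
            f, from_client = flows[rev], False
        else:
            continue  # mid-stream packet whose SYN was not captured
        f["last"] = ts
        if "S" in flags and not from_client:
            f["synack"] = True  # server answered SYN+ACK
        elif from_client and f["synack"] and has_ack and "S" not in flags:
            f["handshake"] = True  # client's final ACK: connection established
        side = "c2s" if from_client else "s2c"
        f["bytes_" + side] += length
        f["fin_c" if from_client else "fin_s"] |= "F" in flags
    return list(flows.values())


def duration(f):
    return (f["last"] - f["first"]).total_seconds()


def classify(f):
    """Defender's reading of a single flow from packet evidence alone."""
    if not f["handshake"]:
        return "half-open: no completed handshake (scan or blocked)"
    if f["bytes_c2s"] == 0 and f["bytes_s2c"] > 0:
        return "connected, read the server banner, sent nothing: probe/banner grab"
    if f["bytes_c2s"] == 0 and f["bytes_s2c"] == 0:
        return "connected, no data exchanged"
    return "data exchanged both ways: the service's own log decides the outcome"


def ptr_targets(text):
    """Addresses the capturing host asked its resolver to reverse-map."""
    return [".".join(reversed(m["name"].split(".")))
            for m in map(PTR_RE.match, text.splitlines()) if m]


def report(text, local_net="192.168.1.0/24"):
    lines = []
    for f in summarize_tcp_flows(text, local_net):
        if f["external_client"]:
            closed = "both" if f["fin_c"] and f["fin_s"] else "partial"
            lines.append(f"{f['client']} -> {f['server']}:{f['service']} {duration(f):.1f}s "
                         f"c2s={f['bytes_c2s']}B s2c={f['bytes_s2c']}B fin={closed}: {classify(f)}")
    if ptr_targets(text):
        lines.append("PTR lookups issued by 192.168.1.201 for: " + ", ".join(ptr_targets(text)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run on the quoted capture, the report shows one external flow: the handshake from 133.65.185.24 completed, the server sent 23 bytes (the length of an SSH version string), the client sent no payload at all, and both sides closed about 30 seconds later. That pattern is a connection probe or banner grab; a packet trace cannot show whether any login was attempted or succeeded, so the SSH daemon's own authentication log is the place to settle that question. The PTR queries are the capturing host reverse-mapping every address it printed: tcpdump resolves names unless run with `-n`, so the lookups for 192.168.1.201, 192.168.1.215, 133.65.185.24 and the name server itself are a side effect of the capture, not of the mail server. Capturing with `tcpdump -n` makes them disappear.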



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:49:30 EDT