Like I was saying it's hard to say if he's been hacked, from this one message. Obviously he has been hit with scan, either automated or manually, to determine if there is a weakness in his system or not. I suspect a deeper look in the log files might dig up more information. It could just have been a harmless scan that someone dig to see what happens when you scan someone. Or it could be more sinister.
-----Original Message----- From: Dustin Decker
-----Original Message----- From: [email protected]
I've got a box running RH9.0 and in the Logwatch report
last night, I
got the following entry;
--------------------- Kernel Begin ------------------------
8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
---------------------- Kernel End -------------------------
Unfortunately, the is NOT my IP address!!! Is this telling me what I think it is, The box has been compromised????
What it indicates is that 65.70.45.21 tried eight times to make use of source routing. The short answer on source routing is that it's a feature of TCP/IP whereby you can direct the path a packet will follow. This could allow an attacker to cause traffic to pass through a host they have control of, to view its contents, etc. You can read up on this more in TCP/IP Illustrated, Volume I by the late W. Richard Stevens - aka The TCP/IP Bible.
Here's an interesting bit - do a whois on the host in question: 65.70.45.21
This turns out to be an SBC customer, most likely DSL. This is registered to a client named Gould Family Practice. I see from your signature below you're in medicine - is this where you work, or a competitor?
The good news is, the source routing attempt failed. This doesn't indicate you have been hacked, but this type of traffic certainly isn't normal. Someone is rattling the fence. Dustin