-----Original Message----- From: Dustin Decker
-----Original Message----- From: [email protected]
I've got a box running RH9.0 and in the Logwatch report last night, I got the following entry;
--------------------- Kernel Begin ------------------------
8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
---------------------- Kernel End -------------------------
Unfortunately, that is NOT my IP address!!! Is this telling me what I think it is? The box has been compromised????
What it indicates is that 65.70.45.21 tried eight times to make use of source routing. The short answer on source routing is that it's a feature of TCP/IP whereby you can direct the path a packet will follow. This could allow an attacker to cause traffic to pass through a host they have control of, to view its contents, etc. You can read up on this more in TCP/IP Illustrated, Volume I by the late W. Richard Stevens - aka The TCP/IP Bible.
Here's an interesting bit - do a whois on the host in question: 65.70.45.21
This turns out to be an SBC customer, most likely DSL. This is registered to a client named Gould Family Practice. I see from your signature below you're in medicine - is this where you work, or a competitor?
The good news is, the source routing attempt failed. This doesn't indicate you have been hacked, but this type of traffic certainly isn't normal. Someone is rattling the fence. Dustin
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Brian Densmore Sent: Tuesday, October 12, 2004 11:02 AM To: [email protected] Subject: RE: Unsure of log report entry
Like I was saying, it's hard to say if he's been hacked from this one message. Obviously he has been hit with a scan, either automated or manual, to determine if there is a weakness in his system or not. I suspect a deeper look in the log files might dig up more information. It could just have been a harmless scan that someone did to see what happens when you scan someone. Or it could be more sinister.
Which is why I asked the question that I did. This is the fun part of administration, where we get to play strategist. (Not entirely unlike what lots of three-letter agencies do, and the results are similar if you ask me.)
What's the most important thing you can do with the limited information at hand? Place it into context. Obviously, I can speculate all I like, but in the absence of more information cannot provide any more information than I have. Alas, this is what was asked for.
D.
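An added example, not part of the thread or anyone's posted code: a small Python helper that parses both the Logwatch "Kernel" summary line quoted above and the raw syslog kernel lines it is rolled up from, and tallies source-route attempts per originating host so the entry can be put into context the way Dustin suggests. The hostname, timestamps and the 192.0.2.7 address in the sample are constructed; the sysctl named in the comment is the standard Linux accept_source_route knob.

```python
import re
from collections import Counter

# Two shapes of the same event: the raw kernel/syslog line, and the Logwatch
# "Kernel" section line that rolls identical messages up with a count.
RAW_RE = re.compile(
    r"kernel: ICMP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Source Route Failed\.")
LOGWATCH_RE = re.compile(
    r"^\s*(?P<n>\d+) Time\(s\): ICMP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"Source Route Failed\.")

# Constructed sample: the Logwatch line from the thread plus raw syslog lines.
SAMPLE_LOG = """\
--------------------- Kernel Begin ------------------------
 8 Time(s): ICMP: 65.70.45.21: Source Route Failed.
---------------------- Kernel End -------------------------
Oct 12 03:14:07 rh9box kernel: ICMP: 192.0.2.7: Source Route Failed.
Oct 12 03:14:09 rh9box kernel: ICMP: 192.0.2.7: Source Route Failed.
Oct 12 03:15:00 rh9box kernel: eth0: link up
"""


def count_source_route_attempts(lines):
    """Return a Counter of failed source-route attempts per originating IP.

    "Failed" is the kernel refusing the source-routed packet; with
    net.ipv4.conf.all.accept_source_route = 0 (the default) that is the
    expected, safe outcome, so a count here is reconnaissance, not a breach.
    """
    counts = Counter()
    for line in lines:
        m = LOGWATCH_RE.search(line)
        if m:
            counts[m.group("ip")] += int(m.group("n"))
            continue
        m = RAW_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_investigate(counts, threshold=1):
    """Hosts at or above the threshold, highest count first (any attempt is
    abnormal traffic, so the default threshold is 1)."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    tally = count_source_route_attempts(SAMPLE_LOG.splitlines())
    for ip in hosts_to_investigate(tally):
        print(f"{ip}: {tally[ip]} source-route attempt(s) rejected")
```

Feed it the full syslog rather than the Logwatch digest to see timing and whether the same host also shows up in other kernel or daemon messages.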