
| Subject: | Re: kernel: martian source |
|---|---|
| Date: | Tue, 24 May 2005 11:26:06 +0200 |
Ben (newreaders@gmail.com) wrote:
Hi I have messages like the following line in my log file, what can I do about it? kernel: martian source [server IP] from 68.50.206.106, on dev eth0 This happens after the IP 68.50.206.106 has been dropped by PortSentry. I have Swatch, PortSentry, Snort and GIPTables running on my CentOS 4.0 server. I contacted my ISP and they told me that I should be worried. I googled these keywords but did not find any information that I could use to fix this. Should I be worried?
Hi,
I will answer you quickly, with what I know about this.
Martian packets are due to two things:
- Some machines infected by a virus
- DNS answering 127.0.0.1 as the target IP of SYN attacks
It was decided by ISPs, when too many attacks[1] are aimed at one
machine, to answer with "127.0.0.1" as the target IP.
And machines infected by the virus spoof nearby network IPs. So in your
network or IP block, one or a few machines are infected.
So: one infected machine spoofs your IP address. And to attack its target,
it asks the DNS for the IP address of this target. The DNS server has seen
this joke and, to protect the target, answers: "127.0.0.1".
This virus is dumb, and creates a packet with your address as the From IP and
127.0.0.1 as the To IP address. The packet is sent and the machine takes
the packet in its own head. And here, if a connection is strange, an RST
packet must be sent to the sender: "you".
You receive one RST packet from 127.0.0.1.
Hope this can help you,
~Christophe
[1] : TCP handshake not terminated.
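
As an added example (not part of the original post or either poster's code), the following Python sketch triages `martian source` lines of the form quoted in the question: it counts them per source address and interface and labels each source as loopback, private/reserved or routable. The syslog prefix, the sample lines, the stand-in server address 192.0.2.10 and the label names are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Message format as quoted in the post:
#   martian source <dst> from <src>, on dev <interface>
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)"
)

# Constructed sample lines; 192.0.2.10 stands in for "[server IP]".
SAMPLE_LOG = """\
May 24 11:20:01 host kernel: martian source 192.0.2.10 from 68.50.206.106, on dev eth0
May 24 11:20:03 host kernel: martian source 192.0.2.10 from 68.50.206.106, on dev eth0
May 24 11:21:10 host kernel: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
May 24 11:22:45 host kernel: martian source 192.0.2.10 from 10.0.0.5, on dev eth0
May 24 11:23:00 host sshd[123]: unrelated line
May 24 11:23:02 host kernel: martian source 192.0.2.10 from not-an-ip, on dev eth0
"""


def classify_source(src):
    """Label a source address; the label names are this example's own."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_global:
        return "routable"
    return "private/reserved"


def summarize(log_text):
    """Return {(src, dev): (count, label)} for every martian-source line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            counts[(m.group("src"), m.group("dev"))] += 1
    return {key: (n, classify_source(key[0])) for key, n in counts.items()}


if __name__ == "__main__":
    for (src, dev), (n, label) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:>16} on {dev}: {n} line(s), {label}")
```

Grouping by source and interface shows at a glance whether the log entries come from one repeated address, as in the question, or from many.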