
Am I being attacked

Status
Not open for further replies.

Abernut

IS-IT--Management
Jul 18, 2007
14
US
I've recently noticed a HUGE increase in the number of Denies in my log. I am also not sure what the RE-TO are.

05/07/10 08:42 iked[153]: RE-TO 99.21.27.62 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:42 iked[153]: RE-TO 99.21.27.62 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:43 iked[153]: Deleting SA: peer 99.21.27.62
05/07/10 08:43 iked[153]: my_cookie BBE0B70D3DE0E55B
05/07/10 08:43 iked[153]: peer_cookie 0000000000000000
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:47 firewalld[133]: deny in eth0 58 udp 20 108 74.75.133.225 xxx.xxx.xxx.34 22944 47965 (default)
05/07/10 08:47 firewalld[133]: deny in eth0 58 udp 20 108 74.75.133.225 xxx.xxx.xxx.34 22944 47965 (default)
05/07/10 08:47 firewalld[133]: deny in eth0 48 tcp 20 106 74.197.221.203 xxx.xxx.xxx.34 50815 47965 syn (default)
05/07/10 08:47 firewalld[133]: deny in eth0 61 udp 20 107 68.44.26.115 xxx.xxx.xxx.34 26520 47965 (default)
05/07/10 08:49 kernel: ipsec: Acquiring keys for channel 18
05/07/10 08:49 iked[153]: Acquiring key for channel/policy 18/0
05/07/10 08:49 iked[153]: TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:50 iked[153]: Deleting SA: peer 208.125.116.114
05/07/10 08:50 iked[153]: my_cookie C6ECC523997519B7
05/07/10 08:50 iked[153]: peer_cookie 0000000000000000
 
looks like these IPs are trying to set up VPN connections - would suggest doing a WHOIS to find the sources and deciding then - if they're legit companies they may have been given a wrong address. If not possibly probes for IPSEC vulnerabilities.
 
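Before running WHOIS on each address, it helps to see the shape of the log as a whole: whether the denies are many sources converging on one local port or one source sweeping many ports, and which IKE peers the router kept retransmitting to. The script below is an added example, not code from the thread or from the router vendor; it parses constructed lines in the posted format. The field order in the firewalld lines is inferred from the samples (assumption), and RE-TO is read here as a retransmission of the router's own IKE main-mode message (the zeroed peer_cookie is consistent with the peer never replying).

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format (public addresses as posted, local address masked).
SAMPLE_LOG = """\
05/07/10 08:42 iked[153]: RE-TO 99.21.27.62 MM-HDR ISA_SA ISA_VENDORID
05/07/10 08:43 iked[153]: Deleting SA: peer 99.21.27.62
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:47 firewalld[133]: deny in eth0 58 udp 20 108 74.75.133.225 xxx.xxx.xxx.34 22944 47965 (default)
05/07/10 08:47 firewalld[133]: deny in eth0 48 tcp 20 106 74.197.221.203 xxx.xxx.xxx.34 50815 47965 syn (default)
05/07/10 08:47 firewalld[133]: deny in eth0 61 udp 20 107 68.44.26.115 xxx.xxx.xxx.34 26520 47965 (default)
05/07/10 08:49 iked[153]: TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID
05/07/10 08:50 iked[153]: Deleting SA: peer 208.125.116.114
"""

# Field positions are inferred from the posted lines (assumption): after "deny in <iface>" come
# packet length, protocol, two numeric fields (skipped here), src, dst, sport, dport, then
# optional TCP flags and the rule name in parentheses.
DENY_RE = re.compile(
    r"firewalld\[\d+\]: deny (?P<dir>\w+) (?P<iface>\S+) \d+ (?P<proto>\w+) \d+ \d+ "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)")
IKE_RE = re.compile(r"iked\[\d+\]: (?P<kind>RE-TO|TO) (?P<peer>\d+\.\d+\.\d+\.\d+)")

def summarise(log_text):
    """Return (distinct sources per local port, RE-TO count per IKE peer)."""
    by_dport, ike_retries = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            by_dport[int(m["dport"])].add(m["src"])
            continue
        m = IKE_RE.search(line)
        if m and m["kind"] == "RE-TO":
            ike_retries[m["peer"]] += 1
    return by_dport, ike_retries

def triage(log_text, min_sources=3):
    """Flag local ports hit by many distinct sources, and IKE peers the router re-sent to.
    Many sources on one port is a different pattern from one source sweeping many ports,
    and every deny line already shows the firewall dropped the packet without answering."""
    by_dport, ike_retries = summarise(log_text)
    findings = []
    for dport, srcs in sorted(by_dport.items()):
        if len(srcs) >= min_sources:
            findings.append(f"local port {dport}: {len(srcs)} distinct sources, all denied")
    for peer, n in sorted(ike_retries.items()):
        findings.append(f"IKE peer {peer}: {n} retransmit(s), no reply")
    return findings
```

Feed the router's real export to `triage()` and the WHOIS step in the reply above can then be done per flagged port or peer instead of per line.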