Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Am I being attacked

Status
Not open for further replies.
Abernut

Abernut

IS-IT--Management
Jul 18, 2007
14
US
I've recently noticed a HUGE increase in the number of Denies in my log. I am also not sure what the RE-TO are.

05/07/10 08:42 iked[153]: RE-TO 99.21.27.62 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:42 iked[153]: RE-TO 99.21.27.62 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:43 iked[153]: Deleting SA: peer 99.21.27.62
05/07/10 08:43 iked[153]: my_cookie BBE0B70D3DE0E55B
05/07/10 08:43 iked[153]: peer_cookie 0000000000000000
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)
05/07/10 08:46 firewalld[133]: deny in eth0 48 tcp 20 109 24.241.126.85 xxx.xxx.xxx.34 63199 47965 syn (default)05/07/10

08:47 firewalld[133]: deny in eth0 58 udp 20 108 74.75.133.225 xxx.xxx.xxx.34 22944 47965 (default)
05/07/10 08:47 firewalld[133]: deny in eth0 58 udp 20 108 74.75.133.225 xxx.xxx.xxx.34 22944 47965 (default)
05/07/10 08:47 firewalld[133]: deny in eth0 48 tcp 20 106 74.197.221.203 xxx.xxx.xxx.34 50815 47965 syn (default)
05/07/10 08:47 firewalld[133]: deny in eth0 61 udp 20 107 68.44.26.115 xxx.xxx.xxx.34 26520 47965 (default)
05/07/10 08:49 kernel: ipsec: Acquiring keys for channel 18
05/07/10 08:49 iked[153]: Acquiring key for channel/policy 18/0
05/07/10 08:49 iked[153]: TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:49 iked[153]: RE-TO 208.125.116.114 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
05/07/10 08:50 iked[153]: Deleting SA: peer 208.125.116.114
05/07/10 08:50 iked[153]: my_cookie C6ECC523997519B7
05/07/10 08:50 iked[153]: peer_cookie 0000000000000000
 
Sort by date Sort by votes
looks like these IP's are trying to set up VPN connections - would suggest doing a WHOIS to find the sources and decifing then - if they're legit companies they may have been given a wrong address. If not possibly probes for IPSEC vulnerabilities.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
322
Sameer258
Sameer258
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
283
XLNTech1
XLNTech1
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
335
Johnkite
Johnkite
MrPB
  • Locked
  • Question
Am I being hacked/spied on?
Replies
7
Views
149
kjv1611
kjv1611
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
282
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top