Security Basics mailing list archives
Re: Defualt ip address out
From: "John R. Morris" <bishop () lycurgus nerdality com>
Date: Thu, 14 Aug 2003 15:15:52 -0700
Ummmm...
From what I can figure out from your post, your default gateway did not change, but you have an eth0 with an IP of 213.151.136.2 and a virtual interface, eth0:1, with an IP of 213.151.136.3. So, is it this virtual interface and/or its IP address that changed, or your default route? mikke-gw.kvalit
From what I see in your routing table, you are not doing any NAT or routing, and what purpose the virtual interface eth0:1 is serving I cannot guess. However, let's break this down into a few questions:

1. What is the OS on your machine (I don't need versions, just Red Hat, Debian, etc.), cat /etc/issue.net or something.
2. What does ifconfig -a say?
3. Also, the output from route -n
4. How many physical interfaces (ethernet cards, etc.) are hooked up, etc.
5. Does this or is this box supposed to route, or do NAT, or anything like that? Any reason to have a virtual interface?
6. What error messages does ssh, etc. give you, exactly?

This is not an error, that is a perfectly legitimate HTTP GET request from a lynx client.
213.151.136.3 - - [14/Aug/2003:11:58:14 +0200] "GET / HTTP/1.0" 200 4110"- " "Lynx/2.8.4rel.1 libwww-FM/2.14"
What does the rest of the log say? What does ssh -vvv user@host say? Can you ping (for example) google.com? traceroute to it?

If the virtual interface is unwanted, you can turn it off via ifconfig eth0:1 down, and finding whatever script or config file is creating it on your distro at boot. Unless you think your machine has been hacked. But I cannot see the purpose in creating a second interface, it would be useless unless there were other hosts on that same subnet on your physical segment.

In any case, if you would like to provide more details, I'd be happy to try and help, regardless of whether it is a security issue or not.

- John

On 14 Aug 2003, Kenneth Hauklien wrote:
Hi.

On my machine lately the outgoing default IP has changed from 2 to 3.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
default         mikke-gw.kvalit 0.0.0.0         UG    0      0        0 eth0

root@login:~/hpbnc# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:04:20:E7:57
          inet addr:213.151.136.2  Bcast:213.151.136.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144735586 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156653019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1134180310 (1.0 GiB)  TX bytes:1890855543 (1.7 GiB)
          Interrupt:16 Base address:0xbc00

root@login:~/hpbnc# ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 00:50:04:20:E7:57
          inet addr:213.151.136.3  Bcast:213.151.136.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16 Base address:0xbc00

root@login:~/hpbnc# lynx http://echo.boomdrak.no

(access.log from the server)
213.151.136.3 - - [14/Aug/2003:11:58:14 +0200] "GET / HTTP/1.0" 200 4110 "- " "Lynx/2.8.4rel.1 libwww-FM/2.14"

And I get the same errors when I, for example, ssh out to another machine, same with irc and the rest.

Does anyone know why this is? And how to change it?

Best regards
Kenneth Hauklien
Current thread:
- Defualt ip address out Kenneth Hauklien (Aug 14)
- RE: Defualt ip address out David Gillett (Aug 14)
- Re: Defualt ip address out John R. Morris (Aug 14)