Monday 29 July 2013

Compromised SG580 - Confirmation? Suggestions? Any Ideas welcome!

Best I can figure, our SG580 has been compromised, but I'd really appreciate a second opinion. It looks like it's being used as a proxy, but I can't tell exactly what's going on.

Apologies in advance about the formatting; I've made it as clear as I could. A little help, mods?

Here are the logs from bootup.

Jan 25 12:04:38 syslogd started: BusyBox v1.00 (2007.08.13-12:04+0000)

syslogd: cannot write to remote file handle on xx.xx.xx.xx:514 - Network is unreachable

Jan 25 12:04:38 kernel: klogd started: BusyBox v1.00 (2007.08.13-12:04+0000)

Jan 25 12:04:38 kernel: Linux version 2.4.31-uc0 (build@sgbuild) (gcc version 3.3.2) #1 Mon Aug 13 21:55:19 EST 2007

Jan 25 12:04:38 kernel: CPU: XScale-IXP4xx/IXC11xx revision 2

Jan 25 12:04:38 kernel: Machine: CyberGuard/SG580

Jan 25 12:04:38 kernel: alloc_bootmem_low

Jan 25 12:04:38 kernel: memtable_init

Jan 25 12:04:38 kernel: On node 0 totalpages: 16384

Jan 25 12:04:38 kernel: zone(0): 16384 pages.

Jan 25 12:04:38 kernel: zone(1): 0 pages.

Jan 25 12:04:38 kernel: zone(2): 0 pages.

Jan 25 12:04:38 kernel: Kernel command line: console=null serialnum=0601451109290786

Jan 25 12:04:38 kernel: Relocating machine vectors to 0xffff0000

Jan 25 12:04:38 kernel: Calibrating delay loop... 527.56 BogoMIPS

Jan 25 12:04:38 kernel: Memory: 64MB = 64MB total

Jan 25 12:04:38 kernel: Memory: 62472KB available (1731K code, 347K data, 244K init)

Jan 25 12:04:38 kernel: Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)

Jan 25 12:04:38 kernel: Inode cache hash table entries: 4096 (order: 3, 32768 bytes)

Jan 25 12:04:38 kernel: Mount cache hash table entries: 512 (order: 0, 4096 bytes)

Jan 25 12:04:38 kernel: Buffer cache hash table entries: 4096 (order: 2, 16384 bytes)

Jan 25 12:04:38 kernel: Page-cache hash table entries: 16384 (order: 4, 65536 bytes)

Jan 25 12:04:38 kernel: POSIX conformance testing by UNIFIX

Jan 25 12:04:38 kernel: Linux NET4.0 for Linux 2.4

Jan 25 12:04:38 kernel: Based upon Swansea University Computer Society NET3.039

Jan 25 12:04:38 kernel: Initializing RT netlink socket

Jan 25 12:04:38 kernel: Starting kswapd

Jan 25 12:04:38 kernel: Squashfs 2.2-r2 (released 2005/09/08) (C) 2002-2005 Phillip Lougher

Jan 25 12:04:38 kernel: Squashfs includes LZMA decompression support

Jan 25 12:04:38 kernel: pty: 2048 Unix98 ptys configured

Jan 25 12:04:38 kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled

Jan 25 12:04:38 kernel: ttyS00 at 0xff000003 (irq = 15) is a XScale UART

Jan 25 12:04:38 kernel: ttyS01 at 0xff001003 (irq = 13) is a XScale UART

Jan 25 12:04:38 kernel: ledman: Copyright (C) SnapGear, 2000-2003.

Jan 25 12:04:38 kernel: LED: registered ERASE switch on IRQ26

Jan 25 12:04:38 kernel: M41T11M6: Real Time Clock driver

Jan 25 12:04:38 kernel: snapdog: HW/SW watchdog timer for SnapGear/Others

Jan 25 12:04:38 kernel: SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).

Jan 25 12:04:38 kernel: CSLIP: code copyright 1989 Regents of the University of California.

Jan 25 12:04:38 kernel: RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize

Jan 25 12:04:38 kernel: PPP generic driver version 2.4.2

Jan 25 12:04:38 kernel: PPP MPPE compression module registered

Jan 25 12:04:38 kernel: PPP Deflate Compression module registered

Jan 25 12:04:38 kernel: PPP BSD Compression module registered

Jan 25 12:04:38 kernel: Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky

Jan 25 12:04:38 kernel: SnapGear: MTD flash setup

Jan 25 12:04:38 kernel: cfi_cmdset_0001: Erase suspend on write enabled

Jan 25 12:04:38 kernel: 0: offset=0x0,size=0x20000,blocks=128

Jan 25 12:04:38 kernel: Using buffer write method

Jan 25 12:04:38 kernel: SnapGear: SnapGear Intel/StrataFlash device size = 16384K

Jan 25 12:04:38 kernel: Creating 4 MTD partitions on "SnapGear Intel/StrataFlash":

Jan 25 12:04:38 kernel: 0x00000000-0x00020000 : "SnapGear Boot Loader"

Jan 25 12:04:38 kernel: 0x00020000-0x00120000 : "SnapGear non-volatile configuration"

Jan 25 12:04:38 kernel: 0x00120000-0x01000000 : "SnapGear image"

Jan 25 12:04:38 kernel: 0x00000000-0x01000000 : "SnapGear Intel/StrataFlash"

Jan 25 12:04:38 kernel: IPv6 v0.8 (usagi-cvs) for NET4.0

Jan 25 12:04:38 kernel: IPv6 over IPv4 tunneling driver

Jan 25 12:04:38 kernel: NET4: Linux TCP/IP 1.0 for NET4.0

Jan 25 12:04:38 kernel: IP Protocols: ICMP, UDP, TCP, IGMP

Jan 25 12:04:38 kernel: IP: routing cache hash table of 4096 buckets, 32Kbytes

Jan 25 12:04:38 kernel: TCP: Hash tables configured (established 4096 bind 8192)

Jan 25 12:04:38 kernel: IPv4 over IPv4 tunneling driver

Jan 25 12:04:38 kernel: GRE over IPv4 tunneling driver

Jan 25 12:04:38 kernel: ip_conntrack version 2.1 (19239 buckets, 153912 max) - 436 bytes per conntrack

Jan 25 12:04:38 kernel: ip_tables: (C) 2000-2002 Netfilter core team

Jan 25 12:04:38 kernel: ipt_time loading

Jan 25 12:04:38 kernel: ipt_recent v0.3.1: Stephen Frost .  http://snowman.net/projects/ipt_recent/

Jan 25 12:04:38 kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

Jan 25 12:04:38 kernel: ip6_tables: (C) 2000-2002 Netfilter core team

Jan 25 12:04:38 kernel: registering ipv6 mark target

Jan 25 12:04:38 kernel: Ebtables v2.0 registered

Jan 25 12:04:38 kernel: NET4: Ethernet Bridge 008 for NET4.0

Jan 25 12:04:38 kernel: Bridge firewalling registered

Jan 25 12:04:38 kernel: 802.1Q VLAN Support v1.8 Ben Greear

Jan 25 12:04:38 kernel: Other stuff added by David S. Miller

Jan 25 12:04:38 kernel: NetWinder Floating Point Emulator V0.97 (double precision)

Jan 25 12:04:38 kernel: VFS: Mounted root (squashfs filesystem) readonly.

Jan 25 12:04:38 kernel: Freeing init memory: 244K

Jan 25 12:04:38 kernel: Warning: unable to open an initial console.

Jan 25 12:04:38 kernel: snapdog: user servicing enabled (short=60,long=300).

Jan 25 12:04:38 kernel: Clock: old time 1970/01/01 - 00:00:02 GMT

Jan 25 12:04:38 kernel: Clock: new time 2001/01/25 - 01:04:28 GMT

Jan 25 12:04:38 kernel: Module init.

Jan 25 12:04:38 kernel: ixp425_eth: 

Jan 25 12:04:38 kernel: Initializing IXP425 NPE Ethernet driver software v. 1.1+ 

Jan 25 12:04:38 kernel: ixp425_eth: CPU clock speed (approx) = 0 MHz

Jan 25 12:04:38 kernel: ixp425_eth: eth0 is using the PHY at address 5

Jan 25 12:04:38 kernel: ixp425_eth: eth1 is using the PHY at address 4

Jan 25 12:04:38 kernel: .97

Jan 25 12:04:38 kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.7.3-1 (EALG_MAX=255, AALG_MAX=15)

Jan 25 12:04:38 kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()

Jan 25 12:04:38 kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0

Jan 25 12:04:38 kernel: klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)

Jan 25 12:04:38 kernel: ip_conntrack_pptp version $Revision: 1.8 $ loaded

Jan 25 12:04:38 kernel: ip_nat_pptp version $Revision: 1.4 $ loaded

Jan 25 12:04:38 ifmond[108]: firewall was down and is now starting

Jan 25 12:04:39 proxy80[113]: web proxy started.

Jan 25 12:04:40 authd[111]: no Webwasher categories defined

Jan 25 12:04:40 ifmond[108]: netif-eth0 was down and is now starting

Jan 25 12:04:40 pptpd[114]: MGR: Manager process started

Jan 25 12:04:40 idb[115]: IDB starting

Jan 25 12:04:40 ifmond[108]: conn-eth0 was down and is now waiting-to-start

Jan 25 12:04:40 ifmond[108]: netif-eth1 was down and is now starting

Jan 25 12:04:40 ifmond[108]: conn-eth1 was down and is now waiting-to-start

Jan 25 12:04:40 ifmond[108]: netif-br0 was down and is now starting

Jan 25 12:04:41 snort-starter[109]: running snort on eth0.2

Jan 25 12:04:41 ifmond[108]: conn-br0 was down and is now waiting-to-start

Jan 25 12:04:41 ifmond[108]: conn-br0_0 was down and is now waiting-to-start

Jan 25 12:04:41 ifmond[108]: netif-br0 was starting and is now up

Jan 25 12:04:41 ifmond[108]: netif-eth1 was starting and is now up

Jan 25 12:04:41 ifmond[108]: firewall was starting and is now up

Jan 25 12:04:41 ifmond[108]: conn-eth1 was waiting-to-start and is now starting

Jan 25 12:04:42 kernel: ixp425_eth: eth1: Entering promiscuous mode

Jan 25 12:04:42 kernel: device eth1 entered promiscuous mode

Jan 25 12:04:42 kernel: br0: port 1(eth1) entering learning state

Jan 25 12:04:42 kernel: br0: port 1(eth1) entering forwarding state

Jan 25 12:04:42 kernel: br0: topology change detected, propagating

Jan 25 12:04:42 idb[115]: listening on tcp port 1

Jan 25 12:04:42 ifmond[108]: conn-eth1 was starting and is now up

Jan 25 12:04:42 idb[115]: listening on tcp port 11

Jan 25 12:04:42 idb[115]: listening on tcp port 15

Jan 25 12:04:42 idb[115]: listening on tcp port 79

Jan 25 12:04:42 idb[115]: listening on tcp port 111

Jan 25 12:04:42 idb[115]: listening on tcp port 119

Jan 25 12:04:42 idb[115]: listening on tcp port 143

Jan 25 12:04:42 idb[115]: listening on tcp port 540

Jan 25 12:04:42 idb[115]: listening on tcp port 635

Jan 25 12:04:42 idb[115]: listening on tcp port 1080

Jan 25 12:04:42 idb[115]: listening on tcp port 1524

Jan 25 12:04:42 idb[115]: listening on tcp port 2000

Jan 25 12:04:42 idb[115]: listening on tcp port 5742

Jan 25 12:04:42 idb[115]: listening on tcp port 6667

Jan 25 12:04:42 idb[115]: listening on tcp port 12345

Jan 25 12:04:42 idb[115]: listening on tcp port 12346

Jan 25 12:04:42 idb[115]: listening on tcp port 20034

Jan 25 12:04:42 idb[115]: listening on tcp port 31337

Jan 25 12:04:42 idb[115]: listening on tcp port 32771

Jan 25 12:04:42 idb[115]: listening on tcp port 32772

Jan 25 12:04:42 idb[115]: listening on tcp port 32773

Jan 25 12:04:42 idb[115]: listening on tcp port 32774

Jan 25 12:04:42 idb[115]: listening on tcp port 40421

Jan 25 12:04:42 idb[115]: listening on tcp port 49724

Jan 25 12:04:42 idb[115]: listening on tcp port 54320

Jan 25 12:04:42 idb[115]: listening on udp port 1

Jan 25 12:04:42 idb[115]: listening on udp port 7

Jan 25 12:04:42 idb[115]: listening on udp port 9

Jan 25 12:04:42 idb[115]: listening on udp port 69

Jan 25 12:04:42 idb[115]: listening on udp port 513

Jan 25 12:04:42 idb[115]: listening on udp port 635

Jan 25 12:04:42 idb[115]: listening on udp port 640

Jan 25 12:04:42 idb[115]: listening on udp port 641

Jan 25 12:04:42 idb[115]: listening on udp port 700

Jan 25 12:04:42 idb[115]: listening on udp port 31337

Jan 25 12:04:42 idb[115]: listening on udp port 32770

Jan 25 12:04:42 idb[115]: listening on udp port 32771

Jan 25 12:04:42 idb[115]: listening on udp port 32772

Jan 25 12:04:42 idb[115]: listening on udp port 32773

Jan 25 12:04:42 idb[115]: listening on udp port 32774

Jan 25 12:04:42 idb[115]: listening on udp port 54321

Jan 25 12:04:42 snort-starter[110]: running snort-inline

Jan 25 12:04:45 proxy80[113]: Failed to lock pid file '/var/run/config.lock' after 5 seconds (locked by 136 ): Resource temporarily unavailable

Jan 25 12:04:45 proxy80[113]: Pid 136 is /bin/firewall

Jan 25 12:04:45 proxy80[113]: Failed to acquire lock on /var/run/config.lock in 5 seconds 

Jan 25 12:04:45 kernel: proxy80[113] killed because of sig - 11

Jan 25 12:04:45 kernel: STACK DUMP:


Jan 25 12:04:45 kernel: pc : [<00000000>]    lr : [<400316f8>]    Not tainted

Jan 25 12:04:45 kernel: sp : bffffd20  ip : 00000000  fp : 00000000

Jan 25 12:04:45 kernel: r10: 400858d4  r9 : 00000001  r8 : bfffff14

Jan 25 12:04:45 kernel: r7 : 00000000  r6 : 00000000  r5 : bffffd28  r4 : 400940f0

Jan 25 12:04:45 kernel: r3 : 400940e4  r2 : 0000e810  r1 : bffffd28  r0 : 400940f0

Jan 25 12:04:45 kernel: Flags: nzCv  IRQs on  FIQs on  Mode USER_32  Segment user

Jan 25 12:04:45 kernel: Control: 39FF  Table: 035DC000  DAC: 00000015

Jan 25 12:04:45 kernel: 00008000-00010000 r-xp 00000000 1f:02 743 /bin/proxy80

Jan 25 12:04:45 kernel: 00017000-00018000 rw-p 00007000 1f:02 743 /bin/proxy80

Jan 25 12:04:45 kernel: 00018000-00019000 rwxp 00000000 1f:02 743 

Jan 25 12:04:45 kernel: 40000000-40005000 r-xp 00000000 1f:02 1241509 /lib/ld-uClibc-0.9.27.so

Jan 25 12:04:45 kernel: 40005000-40006000 rw-p 00000000 1f:02 1241509 

Jan 25 12:04:45 kernel: 4000c000-4000d000 rw-p 00004000 1f:02 1241509 /lib/ld-uClibc-0.9.27.so

Jan 25 12:04:45 kernel: 4000d000-4006d000 r-xp 00000000 1f:02 1241572 /lib/libconfig.so

Jan 25 12:04:45 kernel: 4006d000-40074000 ---p 00060000 1f:02 1241572 

Jan 25 12:04:45 kernel: 40074000-40095000 rw-p 0005f000 1f:02 1241572 /lib/libconfig.so

Jan 25 12:04:45 kernel: 40095000-400b4000 r-xp 00000000 1f:02 1241889 /lib/libtcl.so

Jan 25 12:04:45 kernel: 400b4000-400bc000 ---p 0001f000 1f:02 1241889 

Jan 25 12:04:45 kernel: 400bc000-400be000 rw-p 0001f000 1f:02 1241889 /lib/libtcl.so

Jan 25 12:04:45 kernel: 400be000-400bf000 rw-p 00000000 1f:02 1241889 

Jan 25 12:04:45 kernel: 400bf000-400d2000 r-xp 00000000 1f:02 1241872 /lib/libsnapgear.so

Jan 25 12:04:45 kernel: 400d2000-400da000 ---p 00013000 1f:02 1241872 

Jan 25 12:04:45 kernel: 400da000-400db000 rw-p 00013000 1f:02 1241872 /lib/libsnapgear.so

Jan 25 12:04:45 kernel: 400db000-400de000 r-xp 00000000 1f:02 1241586 /lib/libcrypt-0.9.27.so

Jan 25 12:04:45 kernel: 400de000-400e5000 ---p 00003000 1f:02 1241586 

Jan 25 12:04:45 kernel: 400e5000-400e6000 rw-p 00002000 1f:02 1241586 /lib/libcrypt-0.9.27.so

Jan 25 12:04:45 kernel: 400e6000-400f7000 rw-p 00000000 1f:02 1241586 

Jan 25 12:04:45 kernel: 400f7000-400f9000 r-xp 00000000 1f:02 1241620 /lib/libdl-0.9.27.so

Jan 25 12:04:45 kernel: 400f9000-40100000 ---p 00002000 1f:02 1241620 

Jan 25 12:04:45 kernel: 40100000-40101000 rw-p 00001000 1f:02 1241620 /lib/libdl-0.9.27.so

Jan 25 12:04:45 kernel: 40101000-40147000 r-xp 00000000 1f:02 1241904 /lib/libuClibc-0.9.27.so

Jan 25 12:04:45 kernel: 40147000-4014e000 ---p 00046000 1f:02 1241904 

Jan 25 12:04:45 kernel: 4014e000-40151000 rw-p 00045000 1f:02 1241904 /lib/libuClibc-0.9.27.so

Jan 25 12:04:45 kernel: 40151000-40153000 rw-p 00000000 1f:02 1241904 

Jan 25 12:04:45 kernel: bfffe000-c0000000 rwxp fffff000 1f:02 1241904 

Jan 25 12:04:45 proxy80[154]: web proxy started.

Jan 25 12:04:45 kernel: eth0.2: add 33:33:00:00:00:01 mcast address to master interface

Jan 25 12:04:45 kernel: eth0.2: add 33:33:ff:0a:a0:3b mcast address to master interface

Jan 25 12:04:45 ifmond[108]: netif-eth0 was starting and is now up

Jan 25 12:04:46 ifmond[108]: conn-eth0 was waiting-to-start and is now starting

Jan 25 12:04:46 kernel: eth0.2: dev_set_promiscuity(master, 1)

Jan 25 12:04:46 kernel: ixp425_eth: eth0: Entering promiscuous mode

Jan 25 12:04:46 kernel: device eth0 entered promiscuous mode

Jan 25 12:04:46 kernel: device eth0.2 entered promiscuous mode

Jan 25 12:04:46 kernel: br0: port 2(eth0.2) entering learning state

Jan 25 12:04:46 kernel: br0: port 2(eth0.2) entering forwarding state

Jan 25 12:04:46 kernel: br0: topology change detected, propagating

Jan 25 12:04:46 kernel: eth0.2: add 01:00:5e:00:00:01 mcast address to master interface

Jan 25 12:04:46 ifmond[108]: conn-eth0 was starting and is now up

Jan 25 12:04:46 ifmond[108]: conn-br0 was waiting-to-start and is now starting

Jan 25 12:04:47 firewall[136]: executing firewall rules

Jan 25 12:04:47 ifmond[108]: conn-br0 was starting and is now up

Jan 25 12:04:47 ifmond[108]: conn-br0_0 was waiting-to-start and is now starting

Jan 25 12:04:47 ifmond[108]: conn-br0_0 was starting and is now up

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip_ptr==NULL) failed at dev.c(2596)

Jan 25 12:04:48 kernel: KERNEL: assertion (dev->ip6_ptr==NULL) failed at dev.c(2597)

Jan 25 12:04:48 kernel: Freeing alive device c3bf8000, eth1

Jan 25 12:04:49 authd[111]: blocked web request for http://www.vastdata.net/

Jan 25 12:04:49 authd[111]: src=178.162.148.27 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://www.vastdata.net/

Jan 25 12:04:50 ipsecctl[206]: restarting ipsec

Jan 25 12:04:50 kernel: eth1: no IPv6 routers present

Jan 25 12:04:52 kernel: br0: no IPv6 routers present

Jan 25 12:04:53 ipsec: [setup] Stopping FreeS/WAN IPSEC...

Jan 25 12:04:53 ipsec: [setup] ...FreeS/WAN IPSEC stopped

Jan 25 12:04:53 ipsec: [setup] Starting FreeS/WAN IPSEC...

Jan 25 12:04:53 ipsec: [setup] KLIPS debug `none'

Jan 25 12:04:54 authd[111]: blocked web request for http://www.vastdata.net/

Jan 25 12:04:54 authd[111]: src=184.154.142.114 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://www.vastdata.net/

Jan 25 12:04:55 firewall[138]: executing firewall rules

Jan 25 12:04:55 kernel: eth0: no IPv6 routers present

Jan 25 12:04:56 kernel: eth0.2: no IPv6 routers present

Jan 25 12:04:57 ipsec: [setup] Pluto debug `none'

Jan 25 12:04:58 Pluto[266]: Starting Pluto (FreeS/WAN Version )

Jan 25 12:04:58 Pluto[266]:   including X.509 patch (Version 0.9.13)

Jan 25 12:04:58 Pluto[266]:   including NAT-Traversal patch (Version 0.6)

Jan 25 12:04:58 Pluto[266]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)

Jan 25 12:04:58 Pluto[266]: Changing to directory '/etc/config'

Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: ssl_key.pem

Jan 25 12:04:58 Pluto[266]:   X.509 loaded: ssl_cert.pem

Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: ssh_host_rsa_key

Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: ssh_host_dsa_key

Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: id_rsa

Jan 25 12:04:58 Pluto[266]:   error in X.509 certificate: id_dsa

Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssl_key.pem

Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssl_cert.pem

Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssh_host_rsa_key

Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: ssh_host_dsa_key

Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: id_rsa

Jan 25 12:04:58 Pluto[266]:   error in X.509 CRL: id_dsa

Jan 25 12:05:00 cron[119]: loading crontab file /etc/config/crontab

Then there is the traffic that I can't make any sense of: it seems the SnapGear is downloading and uploading to outside addresses, not to anything on our network.

Jan 25 12:07:56 authd[111]: blocked web request for http://l17.member.re3.yahoo.com/?.src=ym&login=

Jan 25 12:07:56 authd[111]: src=209.44.106.76 dest=66.196.86.196 code=11 user= cats= download=0 upload=0 uri=http://l17.member.re3.yahoo.com/?.src=ym&login=

Jan 25 12:08:02 authd[111]: blocked web request for http://www.vastdata.net/

Jan 25 12:08:02 authd[111]: src=184.154.142.114 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://www.vastdata.net/

Jan 25 12:08:05 proxy80[154]: Bad request 'HEAD /1.1^M TE: deflate,gzip;q=0.3^M Host: www.youtube.com^M User-Agent: Mozilla/5.0^M Connection: close^M Proxy-Connection: close^M ^M ', cannot get host name: 1

Jan 25 12:08:05 authd[111]: blocked web request for http://www.ticketmaster.com/event/0D00456FED455EC2

Jan 25 12:08:05 authd[111]: src=204.13.98.145 dest=118.214.196.199 code=11 user= cats= download=0 upload=0 uri=http://www.ticketmaster.com/event/0D00456FED455EC2

Jan 25 12:08:15 authd[111]: blocked web request for http://www.vastdata.net/

Jan 25 12:08:15 authd[111]: src=178.162.148.27 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://www.vastdata.net/

Jan 25 12:08:22 snort: [1:472:4] ICMP redirect host [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} xx.xx.xx.xx -> xx.xx.xx.xx

Jan 25 12:08:26 last message repeated 2 time(s)

Jan 25 12:08:26 authd[111]: blocked web request for http://ultrathinlightbox.com/proxyc/engine.php

Jan 25 12:08:26 authd[111]: src=63.223.79.96 dest=69.89.31.121 code=11 user= cats= download=0 upload=0 uri=http://ultrathinlightbox.com/proxyc/engine.php

Jan 25 12:08:27 snort: [1:472:4] ICMP redirect host [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} xx.xx.xx.xx -> xx.xx.xx.xx

Jan 25 12:08:27 authd[111]: blocked web request for http://vastdata.net/

Jan 25 12:08:27 authd[111]: src=178.162.131.33 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://vastdata.net/

Jan 25 12:08:28 snort: [1:472:4] ICMP redirect host [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} xx.xx.xx.xx -> xx.xx.xx.xx

Jan 25 12:08:32 last message repeated 1 time(s)

Jan 25 12:08:32 snort: [1:2466:6] NETBIOS SMB-DS IPC$ unicode share access [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} xx.xx.xx.xx(host on IPSEC LAN):1852 -> xx.xx.xx.xx(server on LAN address):445

Jan 25 12:08:46 authd[111]: blocked web request for http://www.cooleasy.com/azenv.php

Jan 25 12:08:46 authd[111]: src=24.27.19.155 dest=218.85.133.201 code=11 user= cats= download=0 upload=0 uri=http://www.cooleasy.com/azenv.php

Jan 25 12:08:47 authd[111]: blocked web request for http://www.proxyjudge.biz/az.php

Jan 25 12:08:47 authd[111]: src=24.27.19.155 dest=217.172.172.192 code=11 user= cats= download=0 upload=0 uri=http://www.proxyjudge.biz/az.php

Jan 25 12:08:50 authd[111]: blocked web request for http://www.myspace.com/music/services/player?action=getToken

Jan 25 12:08:50 authd[111]: src=24.176.248.13 dest=63.135.80.46 code=11 user= cats= download=0 upload=0 uri=http://www.myspace.com/music/services/player?action=getToken

Jan 25 12:09:06 authd[111]: blocked web request for http://vastdata.net/

Jan 25 12:09:06 authd[111]: src=178.162.131.33 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://vastdata.net/

Jan 25 12:09:08 authd[111]: blocked web request for http://www.seektwo.com/proxy-1.php

Jan 25 12:09:08 authd[111]: src=125.110.137.212 dest=75.126.197.218 code=11 user= cats= download=0 upload=0 uri=http://www.seektwo.com/proxy-1.php

Jan 25 12:09:08 authd[111]: blocked web request for http://www.seektwo.com/proxy-1.php

Jan 25 12:09:08 authd[111]: src=125.110.137.212 dest=75.126.197.218 code=11 user= cats= download=0 upload=0 uri=http://www.seektwo.com/proxy-1.php

Jan 25 12:09:09 authd[111]: blocked web request for http://www.yahoo.com/

Jan 25 12:09:09 authd[111]: src=125.110.137.212 dest=72.30.2.43 code=11 user= cats= download=0 upload=0 uri=http://www.yahoo.com/

Jan 25 12:09:09 authd[111]: blocked web request for http://www.yahoo.com/

Jan 25 12:09:09 authd[111]: src=125.110.137.212 dest=98.137.149.56 code=11 user= cats= download=0 upload=0 uri=http://www.yahoo.com/

Jan 25 12:09:09 snort: [1:2466:6] NETBIOS SMB-DS IPC$ unicode share access [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} xx.xx.xx.xx(host on IPSEC LAN):1873 -> xx.xx.xx.xx(server on LAN address):445
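As an added example (not code from the post or from SnapGear), here is a Python check for the pattern described above: it parses the SG580's authd lines, flags requests whose source address is outside the LAN (a client on the internet using the device's web proxy), and flags URIs matching the proxy-checker probes quoted in the post. The LAN ranges and the final 192.168.1.20 line are assumptions, since the poster's own addresses are masked.

```python
import ipaddress
import re
from collections import Counter

# Authd lines copied from the post above (same format the SG580 emits).
SAMPLE_LOG = """\
Jan 25 12:04:49 authd[111]: src=178.162.148.27 dest=173.236.87.78 code=11 user= cats= download=0 upload=0 uri=http://www.vastdata.net/
Jan 25 12:08:26 authd[111]: src=63.223.79.96 dest=69.89.31.121 code=11 user= cats= download=0 upload=0 uri=http://ultrathinlightbox.com/proxyc/engine.php
Jan 25 12:08:46 authd[111]: src=24.27.19.155 dest=218.85.133.201 code=11 user= cats= download=0 upload=0 uri=http://www.cooleasy.com/azenv.php
Jan 25 12:08:47 authd[111]: src=24.27.19.155 dest=217.172.172.192 code=11 user= cats= download=0 upload=0 uri=http://www.proxyjudge.biz/az.php
Jan 25 12:09:09 authd[111]: src=125.110.137.212 dest=72.30.2.43 code=11 user= cats= download=0 upload=0 uri=http://www.yahoo.com/
Jan 25 12:09:10 authd[111]: src=192.168.1.20 dest=93.184.216.34 code=11 user= cats= download=0 upload=0 uri=http://www.example.com/
"""
# The last line is constructed: a request from a LAN client, included to show
# that ordinary internal browsing is not flagged.

# Assumption: the poster's LAN ranges are masked, so RFC 1918 stands in for them.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

AUTHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) authd\[\d+\]: "
    r"src=(?P<src>[\d.]+) dest=(?P<dest>[\d.]+) code=(?P<code>\d+) .*?uri=(?P<uri>\S+)$"
)
# URI fragments seen in the post that are typical of open-proxy checker probes.
PROXY_CHECK_RE = re.compile(r"azenv\.php|proxyjudge|/proxy", re.IGNORECASE)


def parse_authd(text):
    """Return one dict per authd access line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = AUTHD_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_lan(addr, lan_networks=LAN_NETWORKS):
    """True if addr falls inside one of the configured LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in lan_networks)


def classify(entry, lan_networks=LAN_NETWORKS):
    """Reasons an entry looks like open-proxy abuse rather than LAN browsing."""
    reasons = []
    if not is_lan(entry["src"], lan_networks):
        reasons.append("external-src")        # a client outside the LAN used our proxy
    if PROXY_CHECK_RE.search(entry["uri"]):
        reasons.append("proxy-checker-uri")   # probe used to verify open proxies
    return reasons


def analyze(text, lan_networks=LAN_NETWORKS):
    """Summarise suspicious entries and count which external addresses recur."""
    findings = []
    external_sources = Counter()
    for entry in parse_authd(text):
        reasons = classify(entry, lan_networks)
        if reasons:
            findings.append({**entry, "reasons": reasons})
        if "external-src" in reasons:
            external_sources[entry["src"]] += 1
    return {"findings": findings, "external_sources": external_sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f["ts"], f["src"], "->", f["uri"], ",".join(f["reasons"]))
    print("external sources:", result["external_sources"].most_common())
```

Run against the full syslog export, the external_sources counter shows which internet hosts are relaying through the box; the LAN ranges should be replaced with the site's real subnets before trusting the result.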

