Category: LINUX
2009-05-20 17:05:37
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.176, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:1d:7d:3b:f4:77:08:00
martian source 222.73.xxx.255 from 222.73.xxx.221, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:90:0b:0e:b8:f2:08:00
martian source 222.73.xxx.255 from 222.73.xxx.174, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:60:33:24:08:00
martian source 222.73.xxx.255 from 222.73.xxx.165, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:1e:8c:c2:49:0a:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:1e:8c:c2:49:0b:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:1e:8c:c2:49:0b:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0
A martian data packet is a network data packet that has an impossible source or
destination IP, such as a packet that claims to have come from the broadcast
address, 255.255.255.255. Another example of a martian packet would be if you
received a packet from 192.168.0.1 through your network’s external gateway.
IPs in the range of 192.168.* are private (RFC 1918) addresses that are not
routed across the public Internet, so this situation should never happen.
Usually martians are just the result of network misconfigurations or glitches
of some sort, but they can be caused by deliberate mangling of the IP packet,
such as when trying to hide the real origin of the packets during an attack
against a server. If you see just a few martian packet messages then there
probably isn’t anything to worry about, but if you see lots of them then take
a closer look.
Recent kernels print out the link-level header of the packet along with the
martian warning, and the header contains the destination and source MAC
addresses. In the example below the destination MAC (for the server “aries”) is
00:01:80:23:96:54, and the source MAC (the sender of the martian) is
00:e0:52:14:4d:9d. The “08:00” at the end is the EtherType, which just
indicates that this header is from an IPv4-over-Ethernet packet.
Apr 29 09:33:54 aries kernel: martian source 207.44.228.62 from 80.3.32.5, on dev eth0
Apr 29 09:33:42 aries kernel: ll header: 00:01:80:23:96:54:00:e0:52:14:4d:9d:08:00
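The following Python sketch is an added example, not part of the original post: it pairs each "martian source" line with its "ll header" line, splits the header into destination MAC, source MAC and EtherType, and counts martians per sender so a noisy host stands out. The function names are hypothetical; the sample input is made of log lines copied from this page.

```python
import re
from collections import Counter

# Kernel format: "martian source <dst IP> from <src IP>, on dev <iface>"
MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)
ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}

# Log lines copied from this page; the last entry has no header line.
SAMPLE = """\
Apr 29 09:33:54 aries kernel: martian source 207.44.228.62 from 80.3.32.5, on dev eth0
Apr 29 09:33:42 aries kernel: ll header: 00:01:80:23:96:54:00:e0:52:14:4d:9d:08:00
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 222.73.xxx.255 from 222.73.xxx.173, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:15:17:13:33:66:08:00
martian source 192.168.1.255 from 192.168.1.165, on dev eth0
"""

def decode_ll_header(header):
    """Split the 14-byte Ethernet header: dst MAC, src MAC, EtherType."""
    b = header.lower().split(":")
    if len(b) != 14:
        raise ValueError("expected 14 bytes, got %d" % len(b))
    etype = "".join(b[12:])
    return {"dst_mac": ":".join(b[:6]), "src_mac": ":".join(b[6:12]),
            "ethertype": ETHERTYPES.get(etype, "0x" + etype)}

def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, pending = [], None
    for line in lines:
        m, h = MARTIAN.search(line), LL_HEADER.search(line)
        if m:
            if pending:                 # previous entry never got its header
                events.append(pending)
            pending = dict(zip(("dst_ip", "src_ip", "iface"), m.groups()))
        elif h and pending:
            events.append({**pending, **decode_ll_header(h.group(1))})
            pending = None
    if pending:
        events.append(pending)
    return events

def top_senders(events):
    """Count martians per (source IP, source MAC), most frequent first."""
    keys = ((e["src_ip"], e.get("src_mac", "unknown")) for e in events)
    return Counter(keys).most_common()

if __name__ == "__main__":
    for (ip, mac), n in top_senders(parse_martians(SAMPLE.splitlines())):
        print(f"{n:3d}  {ip:<16} {mac}")
```

Grouping by source MAC as well as source IP matters because the IP in a martian is by definition untrustworthy, while the MAC identifies the host or router on the local segment that actually delivered the frame.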
If you do see lots of martians being logged, or have some other reason to suspect
that the server is being attacked, a good place to look is in the Apache error
log file. You may be able to find log entries for the martian IP addresses that
record attack attempts. For example, here is an error_log entry recording an
attack attempt against the same server that logged the martian shown above.
[Mon Apr 28 20:26:18 2003] [error] [client 80.3.32.5] request failed: erroneous characters after protocol string: GET /images/Smilies%20gold%2018x18/shocked.gif
(.x81cxf3x8axffxffxfdb4xd6a2x1171x94xd7xffxfbx92lxffx8dxe2x05
x18Gvx8caP;"xxe1qx8cx1ax078Kx1cx0exb1x87
So don’t worry too much about the martians, but be on guard lest they actually
invade.