fschaeffler
New Member
I tried to google details from the logs such as 'central/motorola-11-voice20000-1600-bpi.cm', but I did not get a single hit. So here is my question: could this be an infected Android phone?
What do these logs actually tell me? Apart from the fact that this request was blocked and is still being blocked at a rate of 4 requests / minute.
### Client:
IP: 192.168.<HIDDEN>.<HIDDEN>
MAC: cc:fa:00:a7:**:**
Name: android-dcd79d0cd<HIDDEN>
### Filter logs:
```
Feb 26 12:42:37 tmh-firewall pf: 00:00:02.823886 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 56167, offset 0, flags [DF], proto TCP (6), length 79)
Feb 26 12:42:37 tmh-firewall pf: 192.168.<HIDDEN>.<HIDDEN>.47438 > 173.194.44.31.443: Flags [P.], cksum 0xa8b1 (correct), ack 3479133114, win 264, options [nop,nop,TS val 1895616 ecr 571900440], length 27
Feb 26 12:42:27 tmh-firewall pf: 00:00:00.958737 rule 45/0(match): block in on re0: (tos 0x0, ttl 255, id 19360, offset 0, flags [none], proto UDP (17), length 456)
Feb 26 12:42:27 tmh-firewall pf: 10.220.112.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 428, hops 1, xid 0x1773e7ea, Flags [Broadcast]
Feb 26 12:42:27 tmh-firewall pf: Your-IP 10.220.123.137
Feb 26 12:42:27 tmh-firewall pf: Server-IP 195.234.128.44
Feb 26 12:42:27 tmh-firewall pf: Gateway-IP 10.220.112.1
Feb 26 12:42:27 tmh-firewall pf: Client-Ethernet-Address 00:14:e8:a6:61:aa
Feb 26 12:42:27 tmh-firewall pf: file "central/motorola-11-voice20000-1600-bpi.cm" [|bootp]
Feb 26 12:42:27 tmh-firewall pf: 00:00:00.095688 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 54655, offset 0, flags [DF], proto TCP (6), length 79)
Feb 26 12:54:20 tmh-firewall pf: 00:00:00.439478 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 49569, offset 0, flags [DF], proto TCP (6), length 603)
Feb 26 12:54:20 tmh-firewall pf: 192.168.<HIDDEN>.<HIDDEN>.32821 > 173.194.70.95.443: Flags [P.], ack 3906605826, win 408, options [nop,nop,TS val 1965844 ecr 1110537749], length 551
Feb 26 12:54:20 tmh-firewall pf: 00:00:00.413795 rule 3/0(match): block in on em0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=b52a0a (elapsed time 300) (client ID hwaddr/time type 1 time 411801340 000c29e45988) (IA_NA IAID:234884137 T1:0 T2:0) (Client FQDN) (vendor class) (option request DNS name DNS vendor-specific info Client FQDN))
Feb 26 12:54:20 tmh-firewall pf: 00:00:00.000031 rule 3/0(match): block in on bridge0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=b52a0a (elapsed time 300) (client ID hwaddr/time type 1 time 411801340 000c29e45988) (IA_NA IAID:234884137 T1:0 T2:0) (Client FQDN) (vendor class) (option request DNS name DNS vendor-specific info Client FQDN))
Feb 26 12:54:20 tmh-firewall pf: 00:00:00.000010 rule 3/0(match): block in on em0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=b52a0a (elapsed time 300) (client ID hwaddr/time type 1 time 411801340 000c29e45988) (IA_NA IAID:234884137 T1:0 T2:0) (Client FQDN) (vendor class) (option request DNS name DNS vendor-specific info Client FQDN))
```
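An added example for reading log lines like these, not part of the original post: a small Python parser for the pf filter-log format shown above (the hidden client address is replaced by the constructed stand-in 192.168.0.10). Grouping blocked packets by source host separates the entries that actually originate from the Android client's address (TCP to port 443 on em0_vlan112, rule 5) from the DHCP reply on re0 sent by 10.220.112.1, which is the packet carrying the `.cm` file name as a server option, and from the link-local DHCPv6 solicit on em0.

```python
import re
from collections import defaultdict
# Constructed sample modeled on the pf filter-log lines in the post; the client's
# hidden 192.168.x.x address is replaced by the stand-in 192.168.0.10.
SAMPLE_LOG = """\
Feb 26 12:42:37 tmh-firewall pf: 00:00:02.823886 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 56167, offset 0, flags [DF], proto TCP (6), length 79)
Feb 26 12:42:37 tmh-firewall pf: 192.168.0.10.47438 > 173.194.44.31.443: Flags [P.], cksum 0xa8b1 (correct), ack 3479133114, win 264, options [nop,nop,TS val 1895616 ecr 571900440], length 27
Feb 26 12:42:27 tmh-firewall pf: 00:00:00.958737 rule 45/0(match): block in on re0: (tos 0x0, ttl 255, id 19360, offset 0, flags [none], proto UDP (17), length 456)
Feb 26 12:42:27 tmh-firewall pf: 10.220.112.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 428, hops 1, xid 0x1773e7ea, Flags [Broadcast]
Feb 26 12:42:27 tmh-firewall pf: file "central/motorola-11-voice20000-1600-bpi.cm" [|bootp]
Feb 26 12:54:20 tmh-firewall pf: 00:00:00.439478 rule 5/0(match): block in on em0_vlan112: (tos 0x0, ttl 64, id 49569, offset 0, flags [DF], proto TCP (6), length 603)
Feb 26 12:54:20 tmh-firewall pf: 192.168.0.10.32821 > 173.194.70.95.443: Flags [P.], ack 3906605826, win 408, options [nop,nop,TS val 1965844 ecr 1110537749], length 551
Feb 26 12:54:20 tmh-firewall pf: 00:00:00.413795 rule 3/0(match): block in on em0: (hlim 1, next-header UDP (17) payload length: 107) fe80::e524:c7e1:e886:dd29.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit
"""
# "rule N/M(match): ACTION DIR on IFACE: ..." opens one logged packet.
HEADER = re.compile(r"pf: \S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>[^:]+): (?P<rest>.*)$")
# "SRC.PORT > DST.PORT:" names the flow; for IPv6 pf prints it on the header line itself.
FLOW = re.compile(r"(?P<src>\S+) > (?P<dst>\S+?): ")

def parse_pflog(text):
    """One record per logged packet, with its continuation lines attached."""
    records, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.search(lines[i])
        i += 1
        if not m:
            continue
        rec, rest = m.groupdict(), m["rest"]
        rec["ttl"] = int(re.search(r"(?:ttl|hlim) (\d+)", rest).group(1))
        rec["proto"] = re.search(r"(?:proto|next-header) (\w+)", rest).group(1)
        rec["detail"] = []  # IPv4 flow line, DHCP option dump ... up to the next header
        while i < len(lines) and not HEADER.search(lines[i]):
            rec["detail"].append(lines[i].split("pf: ", 1)[-1])
            i += 1
        flow = FLOW.search(rest) or (rec["detail"] and FLOW.search(rec["detail"][0]))
        if flow:  # the last dot separates the port, for IPv4 and IPv6 alike
            rec["src"], _, rec["sport"] = flow["src"].rpartition(".")
            rec["dst"], _, rec["dport"] = flow["dst"].rpartition(".")
        records.append(rec)
    return records

def by_source(records):
    """Group blocked packets by source host: shows who really generates the entries."""
    out = defaultdict(lambda: {"count": 0, "ifaces": set(), "rules": set(), "ttls": set(), "dsts": set()})
    for r in records:
        if r["action"] == "block" and "src" in r:
            s = out[r["src"]]
            s["count"] += 1
            s["ifaces"].add(r["iface"]); s["rules"].add(r["rule"]); s["ttls"].add(r["ttl"])
            s["dsts"].add(r["dst"] + ":" + r["dport"])
    return dict(out)
```

Running `by_source(parse_pflog(SAMPLE_LOG))` yields three source hosts; only the 192.168.0.10 entries are the client's own traffic, while the ttl 255 DHCP reply and the DHCPv6 solicit come from other hosts on other interfaces.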