Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Undertaker]

Hi,

i have an issue with amule. Everytime i am running it, the log of my router shows these martian source messages:

Code: [Select]

Dec 16 11:58:39 HAL9000 kernel: martian source 192.168.0.6 from 192.168.1.2, on dev ppp0
Dec 16 11:58:39 HAL9000 kernel: ll header: 45:00:00:28:fb:65:40:00:72:06:8b:11:c0:a8:01:02:c0:a8:00:06:0c:1e
Dec 16 11:58:56 HAL9000 kernel: martian source 192.168.0.6 from 192.168.1.2, on dev ppp0
Dec 16 11:58:56 HAL9000 kernel: ll header: 45:00:00:28:fd:84:40:00:72:06:88:f2:c0:a8:01:02:c0:a8:00:06:0c:1e
Dec 16 11:59:30 HAL9000 kernel: martian source 192.168.0.6 from 192.168.1.2, on dev ppp0
Dec 16 11:59:30 HAL9000 kernel: ll header: 45:00:00:28:01:eb:40:00:72:06:84:8c:c0:a8:01:02:c0:a8:00:06:0c:1e
Dec 16 12:00:37 HAL9000 kernel: martian source 192.168.0.6 from 192.168.1.2, on dev ppp0
Dec 16 12:00:37 HAL9000 kernel: ll header: 45:00:00:28:0b:07:40:00:72:06:7b:70:c0:a8:01:02:c0:a8:00:06:0c:1e
Dec 16 12:02:37 HAL9000 kernel: martian source 192.168.0.6 from 192.168.1.2, on dev ppp0
Dec 16 12:02:37 HAL9000 kernel: ll header: 45:00:00:28:1c:99:40:00:72:06:69:de:c0:a8:01:02:c0:a8:00:06:0c:1e192.168.0.6 is the ip of the box running amule and ppp0 is the internet-interface on my router.
There is no box on my network with 192.168.1.2 as ip.
I dont know exactly what happens there, but it seems like that there coming packets from the
internet with ips from my local network as sender.

Whats going on here?

[phoenix]

From http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-linux/2003-05/0002.html:
(you should read the whole thread)

"From a FAQ:

What does "kernel: martian source aabbccdd for 11223344, dev eth0" mean?
--
These are packets that Linux does not expect from the direction they came
from (i.e. packets from internal hosts coming in on the external interface).
The cause is probably a misconfigured machine on your LAN.
You can turn off logging those packets via
/proc/sys/net/ipv4/conf/*interface*/log_martians
which is documented in /usr/src/linux/Documentation/proc.txt"

Google has a lot about it, including on how to ignore or stop logging these messages:
http://www.google.com/search?client=opera&rls=en&q=martian+source+kernel&sourceid=opera&ie=utf-8&oe=utf-8

Either someone is trying to gain access to your internal network by spoofing packets or you have a misconfigured machine.

[Undertaker]

I dont think that its a misconfigured machine on my network because the packets coming from
ppp0 and not from eth0.

So its obviously ip-spoofing. Maybe someone is looking for people running e/aMule and
trying to hack them?

[phoenix]

Originally posted by Undertaker
I dont think that its a misconfigured machine on my network because the packets coming from
ppp0 and not from eth0.

So its obviously ip-spoofing. Maybe someone is looking for people running e/aMule and
trying to hack them?

No, most likely someone in a neigbour net hacking his neighbours. You see, properly configured routers should not route martian addresses to the internet, so an address like this would not go far. Must be someone really close to you, in the network sense.

[Undertaker]

Yes, that makes sense.