
List:       netfilter
Subject:    Re: non-routable logs entries?
From:       "Manfred Bartz" <mbartz () xix ! com>
Date:       2001-02-14 7:34:27

Ethan <old5chool@softhome.net> writes:

> I have somebody out there hitting me from a webserver?  how can one
> track where these hits are coming from.  this dude has hit every 
> possible port i have...grrr:
> 
> Feb 14 00:29:58 localhost kernel: Blocked Connection ppp0:  IN=ppp0 OUT= MAC= \
> SRC=10.1.35.2 DST=209.245.103.183 LEN=207 TOS=0x00 PREC=0x00 TTL=51 ID=45320 DF \
>                 PROTO=TCP SPT=80 DPT=38138 WINDOW=16060 RES=0x00 ACK PSH FIN URGP=0 \
>                 
> Feb 14 00:30:02 localhost kernel: Blocked Connection ppp0:  IN=ppp0 OUT= MAC= \
> SRC=10.1.35.2 DST=209.245.103.183 LEN=207 TOS=0x00 PREC=0x00 TTL=51 ID=46287 DF \
>                 PROTO=TCP SPT=80 DPT=38142 WINDOW=16060 RES=0x00 ACK PSH FIN URGP=0 \
>                 
> Feb 14 00:30:10 localhost kernel: Blocked Connection ppp0:  IN=ppp0 OUT= MAC= \
> SRC=10.1.35.2 DST=209.245.103.183 LEN=207 TOS=0x00 PREC=0x00 TTL=51 ID=48121 DF \
>                 PROTO=TCP SPT=80 DPT=38141 WINDOW=16060 RES=0x00 ACK PSH FIN URGP=0 \
>                 
> Feb 14 00:30:16 localhost kernel: Blocked Connection ppp0:  IN=ppp0 OUT= MAC= \
> SRC=10.1.35.2 DST=209.245.103.183 LEN=207 TOS=0x00 PREC=0x00 TTL=51 ID=49175 DF \
>                 PROTO=TCP SPT=80 DPT=38146 WINDOW=16060 RES=0x00 ACK PSH FIN URGP=0 \
>                 
> Feb 14 00:30:17 localhost kernel: Blocked Connection ppp0:  IN=ppp0 OUT= MAC= \
> SRC=10.1.35.2 DST=209.245.103.183 LEN=207 TOS=0x00 PREC=0x00 TTL=51 ID=49282 DF \
> PROTO=TCP SPT=80 DPT=38145 WINDOW=16060 RES=0x00 ACK PSH FIN URGP=0  
> any ideas how to bust this loser in the future?

This looks suspiciously like responses you received after accessing a
web server whose IP address you have blocked.

Note that the SYN flag is not set, so this is not a connection
establishment.

Curiously, the source address is in the private range of 10.*.*.*.
This would have to be a server in your own or in your ISP's private network.

-- 
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
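
The reading given in the reply above (no SYN flag, source port 80, source address in a private range) can be checked mechanically over netfilter LOG lines. The following is an added example, not part of the original message or of any netfilter tool; the function names, the tag strings and the "low source port to high destination port" reply heuristic are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the first quoted log entry, joined onto one line.
SAMPLE = ("Feb 14 00:29:58 localhost kernel: Blocked Connection ppp0:  IN=ppp0 OUT= MAC= "
          "SRC=10.1.35.2 DST=209.245.103.183 LEN=207 TOS=0x00 PREC=0x00 TTL=51 ID=45320 DF "
          "PROTO=TCP SPT=80 DPT=38138 WINDOW=16060 RES=0x00 ACK PSH FIN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Explicit RFC 1918 ranges, so documentation/test ranges are not counted as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log_line(line):
    """Split a LOG line into KEY=VALUE fields and bare TCP flag tokens."""
    fields, flags = {}, set()
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif token in TCP_FLAGS:
            flags.add(token)
    return fields, flags


def triage(line):
    """Return a list of (hypothetical) tags describing one blocked packet."""
    fields, flags = parse_log_line(line)
    tags = []
    if fields.get("PROTO") == "TCP":
        if "SYN" in flags:
            # SYN alone opens a connection; SYN+ACK answers one we opened.
            tags.append("handshake-reply" if "ACK" in flags
                        else "new-connection-attempt")
        else:
            tags.append("not-connection-establishment")
        # Heuristic (assumption): well-known source port, ephemeral destination
        # port suggests a server answering a client on this host.
        if int(fields.get("SPT", 0)) < 1024 <= int(fields.get("DPT", 0)):
            tags.append("reply-from-server-port")
    if any(ipaddress.ip_address(fields["SRC"]) in net for net in RFC1918):
        tags.append("private-source")
    return tags


if __name__ == "__main__":
    print(triage(SAMPLE))
```
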

