Security Incidents: Ports 25092 / 20869

Ports 25092 / 20869

From: Vanja Hrustic <vanja_at_RELAYGROUP.COM>
Date: Tue, 4 Jan 2000 16:47:15 +0700

Hello!

This has been happening for a few days already, and I can't figure out what it
is:

==[ IPs are changed ]=====
...
Jan 4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27
SYN (#7)
Jan 4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27
SYN (#7)
Jan 4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27
SYN (#7)
Jan 4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27
SYN (#7)
Jan 4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121
SYN (#7)
Jan 4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123
SYN (#7)
Jan 4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123
SYN (#7)
...
==========================

The "remote" side (university) is less than helpful; they also have a
firewall that doesn't let anything in (so I can't try to 'identify' the
offender :) - it's better to ask a question in here. Does anybody know
what kind of traffic this is? [The hosts generating the traffic do have
valid IPs, and are resolvable.] I also couldn't find anything related to
these ports on the trojan lists.

It starts in the morning (usually around 09am), and happens randomly a few
times per day. The first thought that came to mind is that some Win95/98 box
is generating that traffic when it is rebooted (or turned on).

Any ideas of which software might cause this?

Thanks in advance.

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
Received on Jan 04 2000
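One way to triage entries like the ones quoted above, as an added example that is not part of the original post: parse the ipchains "Packet log" format, group entries by source/destination tuple, and measure the gaps between repeats. A constant source port, SYN-only packets and gaps that keep growing is the signature of one TCP connection attempt being retransmitted by the client stack, rather than a port or host sweep. The sample log is constructed from the post's already-anonymised lines; the year is assumed to be 2000 since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ipchains "Packet log" format quoted in the post.
SAMPLE_LOG = """\
Jan 4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121 SYN (#7)
Jan 4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123 SYN (#7)
Jan 4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123 SYN (#7)
"""

# Field layout: chain action iface PROTO src:sport dst:dport L S I F T [flag] (#rule)
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-f]+ I=(?P<ipid>\d+) F=0x[0-9a-f]+ T=(?P<ttl>\d+)(?: (?P<flag>SYN))?"
)

def parse_line(line, year=2000):
    # Returns a dict for a matching ipchains line, None otherwise (year is assumed).
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "ipid": int(d["ipid"]), "ttl": int(d["ttl"]),
            "syn": d["flag"] == "SYN"}

def classify_flows(log_text):
    """Group entries by 4-tuple and flag groups that look like one retransmitted connect()."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    report = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        # Same source port, SYN only, non-shrinking gaps: the client stack is backing
        # off and retrying one connection; a scanner would rotate ports or targets.
        retrans = (len(recs) > 1 and all(r["syn"] for r in recs)
                   and all(b >= a for a, b in zip(gaps, gaps[1:])))
        report[key] = {"packets": len(recs), "gaps_s": gaps,
                       "looks_like_retransmit": retrans}
    return report
```

Run `classify_flows(SAMPLE_LOG)` to see both quoted bursts reported as retransmitted single connection attempts with gaps of 3/7/12 and 3/6 seconds.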
