| 1 |
Richard Fish <bigfish <at> asmallpond.org> writes: |
| 2 |
|
| 3 |
|
| 4 |
> On 8/11/06, James <wireless <at> tampabay.rr.com> wrote: |
| 5 |
> > myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0 |
| 6 |
> > hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460 |
| 7 |
|
| 8 |
> Assuming you haven't mixed up the myIP and hackIP parts, this means |
| 9 |
> something on *your* system/network is trying to contact an smtp server |
| 10 |
> on what you are calling hackIP. TCP/IP connections are initiated with |
| 11 |
> a SYN packet. If they are accepted, you get a SYN,ACK packet back. |
| 12 |
> If they are rejected, you get a RST,ACK back. |
| 13 |
|
| 14 |
Sorry, I transposed the entries. From Wireshark I took my time to copy |
| 15 |
more accurately |
| 16 |
: |
| 17 |
Source dest. proto info |
| 18 |
24.199.244.157 myIP TCP 55634 > smtp (SYN) Seq=0 Len=0 MSS=1460 |
| 19 |
myIP 24.199.244.157 TCP smtp > 55634 (RST,ACK) Seq=0 Ack=1 Win=0 Len=0 |
| 20 |
|
| 21 |
> Running 'host <hackIP>' might prove enlightening. |
| 22 |
|
| 23 |
# host 24.199.244.157 |
| 24 |
157.244.199.24.in-addr.arpa domain name pointer |
| 25 |
rrcs-24-199-244-157.midsouth.biz.rr.com. |
| 26 |
|
| 27 |
|
| 28 |
Remember, the entire network, except the firewall was physically |
| 29 |
disconnected. I did not save the Wireshark session at that time, |
| 30 |
|
| 31 |
The lines above seen today, look very similar to the |
| 32 |
packet storm the session last night..... |
| 33 |
|
| 34 |
However, I'll try to save it, the next time it explodes. The |
| 35 |
lines above are merely suspicious to me. |
| 36 |
It does look like part of RoadRunner, but last night the |
| 37 |
spam was in high gear, until I shut down the link.... |
| 38 |
|
| 39 |
thoughts? |
| 40 |
|
| 41 |
|
| 42 |
James |
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
-- |
| 47 |
gentoo-user@g.o mailing list |
Archives