Richard Fish <bigfish <at> asmallpond.org> writes:

> On 8/11/06, James <wireless <at> tampabay.rr.com> wrote:
> > myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
> > hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460

> Assuming you haven't mixed up the myIP and hackIP parts, this means
> something on *your* system/network is trying to contact an smtp server
> on what you are calling hackIP. TCP/IP connections are initiated with
> a SYN packet. If they are accepted, you get a SYN,ACK packet back.
> If they are rejected, you get a RST,ACK back.
|
Sorry, I transposed the entries. From Wireshark I took my time to copy
more accurately:

Source dest. proto info
24.199.244.157 myIP TCP 55634 > smtp (SYN) Seq=0 Len=0 MSS=1460
myIP 24.199.244.157 TCP smtp > 55634 (RST,ACK) Seq=0 Ack=1 Win=0 Len=0

> Running 'host <hackIP>' might prove enlightening.

# host 24.199.244.157
157.244.199.24.in-addr.arpa domain name pointer rrcs-24-199-244-157.midsouth.biz.rr.com.
|
Remember, the entire network, except the firewall was physically
disconnected. I did not save the Wireshark session at that time,

The lines above seen today, look very similar to the
packet storm the session last night.....

However, I'll try to save it, the next time it explodes. The
lines above are merely suspicious to me.
It does look like part of RoadRunner, but last night the
spam was in high gear, until I shut down the link....

thoughts?


James

--
gentoo-user@g.o mailing list
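
Added example, not part of the original thread: a Python sketch that reads Wireshark summary lines in the shape pasted above and reports, for each connection attempt, which side sent the SYN and whether the reply was SYN,ACK (accepted) or RST,ACK (refused). The helper name classify_attempts, the "myIP" label for the local host, and the last two sample lines (192.0.2.25) are assumptions constructed for illustration.

```python
import re

# Summary line as pasted in the message (Wireshark itself prints [FLAGS]):
#   <source> <dest> TCP <sport> > <dport> (<FLAGS>) ...
LINE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+[(\[](?P<flags>[A-Z, ]+)[)\]]"
)

def classify_attempts(lines, local="myIP"):
    """Pair each SYN with its reply and say who initiated it (hypothetical helper)."""
    pending = {}   # (initiator, responder, sport, dport) -> index into results
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        src, dst, sport, dport = m["src"], m["dst"], m["sport"], m["dport"]
        if flags == {"SYN"}:
            # A bare SYN is the first packet of a handshake: src is the initiator.
            pending[(src, dst, sport, dport)] = len(results)
            results.append({
                "initiator": src, "target": dst, "service": dport,
                "direction": "outbound" if src == local else "inbound",
                "outcome": "no reply seen",
            })
        elif "ACK" in flags and flags & {"SYN", "RST"}:
            # Replies travel the other way, so swap endpoints to find the SYN.
            idx = pending.pop((dst, src, dport, sport), None)
            if idx is not None:
                results[idx]["outcome"] = "refused" if "RST" in flags else "accepted"
    return results

# First two lines are the corrected capture from the message; the rest are constructed.
SAMPLE = [
    "24.199.244.157 myIP TCP 55634 > smtp (SYN) Seq=0 Len=0 MSS=1460",
    "myIP 24.199.244.157 TCP smtp > 55634 (RST,ACK) Seq=0 Ack=1 Win=0 Len=0",
    "myIP 192.0.2.25 TCP 40112 > smtp (SYN) Seq=0 Len=0 MSS=1460",
    "192.0.2.25 myIP TCP smtp > 40112 (SYN,ACK) Seq=0 Ack=1 Win=5840 Len=0",
]

if __name__ == "__main__":
    for r in classify_attempts(SAMPLE):
        print(f"{r['direction']:8} {r['initiator']} -> {r['target']}:{r['service']} {r['outcome']}")
```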