On Sun, 20 Oct 2002 steveo@syslang.net wrote:

=>I am getting syslog messages that look like this:
=>
=>Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
=>DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
=>SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
=>
=>I am only getting these messages because I have outbound packets with
=>destination port 7 blocked. I think I may have been compromised in some
=>way, just because the packets are outbound. They seem to come in groups of
=>6 at seemingly random intervals and seem to be focused on the following
=>addresses:
=> 216.52.13.9[014] and 209.204.62.150
=>
=>I have a number of questions about how to deal with this issue:
=>
=>1. How can I find out what program is running to produce this?
=>2. Is anyone else getting messages like this in their syslog? (You would
=>   need your firewall to block appropriately to see this.)
=>3. Is there any way that I can get access to those packets and see what
=>   the message is that they are trying to send?
=>
=>Nothing really bad has happened yet, but I'm getting nervous.
=>
=>Thanks everyone.

I am running SpamAssassin, which hooks up to Vipul's Razor. Razor uses port 7 to determine which is the closest server to access. It uses TCP port 7 because ICMP requires root privilege to access raw sockets.

Problem solved. :-)

-- 
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ -
-Donor? Black holes are where God divided by zero. Listen to me! We are all-
-individuals! What if this weren't a hypothetical question? steveo@syslang.net

-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
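An added example, not part of the original thread and not Razor or SpamAssassin code, for the poster's first question: before hunting for a process, it helps to know exactly what the firewall is dropping. The script below parses netfilter LOG lines in the format quoted above (the `DROP:` prefix glued to `IN=`, key=value fields, bare flags such as `DF` and `SYN`), classifies each drop as locally generated (`IN=` empty, `OUT=` set), inbound, or forwarded, and tallies destination/port pairs so a burst of six TCP/7 SYNs to a handful of hosts stands out from background noise. Only the first log line is the one quoted in the thread; the remaining lines are constructed to show the format, and the addresses, hostnames and timestamps in them are made up. Tying an outbound connection to a process still has to be done on the live host (for example with `netstat -p` or `lsof -i` while a burst is in progress), which no log parser can do after the fact.

```python
"""Parse netfilter LOG lines from syslog and summarise what a host is being
blocked from sending.  Added example; not code from the original thread."""

import re
from collections import Counter

# Constructed sample log.  The first line is the one quoted in the thread; the
# others are made up in the same format (destinations from the ranges the poster
# lists, one inbound drop, and one unrelated sshd line the parser must skip).
SAMPLE_LOG = """\
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.90 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17665 DF PROTO=TCP SPT=43932 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=209.204.62.150 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17666 DF PROTO=TCP SPT=43933 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:37 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.94 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17667 DF PROTO=TCP SPT=43934 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:55:02 saturn kernel: DROP:IN=eth0 OUT= SRC=198.51.100.23 DST=209.6.241.147 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=5601 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 18:55:10 saturn sshd[1234]: Accepted publickey for steveo from 10.0.0.5 port 50122 ssh2
"""

# syslog header: "Mon DD HH:MM:SS host kernel: <netfilter fields>"
_KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+(?P<rest>.*)$"
)


def parse_log_line(line):
    """Return a dict of the netfilter fields in one syslog line, or None if the
    line is not a netfilter LOG entry.  Bare tokens (DF, SYN, ...) are collected
    under 'flags'; a log prefix glued to the first key ('DROP:IN=') is split off
    into 'prefix'."""
    m = _KERNEL_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Every netfilter LOG entry carries IN= and OUT=; skip other kernel messages.
    if "IN=" not in rest or "OUT=" not in rest:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "prefix": "", "flags": []}
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if ":" in key:  # 'DROP:IN' -> prefix 'DROP', key 'IN'
                fields["prefix"], key = key.rsplit(":", 1)
            fields[key] = val
        else:
            fields["flags"].append(tok)
    return fields


def direction(fields):
    """'out' = generated on this host (the case the poster worries about),
    'in' = arrived from the network, 'fwd' = routed through this host."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_out and not has_in:
        return "out"
    if has_in and not has_out:
        return "in"
    if has_in and has_out:
        return "fwd"
    return "unknown"


def summarize(log_text):
    """Count dropped packets per (direction, DST, PROTO, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(direction(f), f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def outbound_targets(log_text):
    """Return the set of (DST, DPT) pairs this host tried and was blocked from reaching."""
    return {(dst, dpt) for (d, dst, _proto, dpt) in summarize(log_text) if d == "out"}


if __name__ == "__main__":
    for (d, dst, proto, dpt), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{d:4} {proto}/{dpt:<5} -> {dst:16} {n} packet(s)")
```

Run against a real `/var/log/messages` (for example `summarize(open("/var/log/messages").read())`), the `out` rows are the ones worth correlating with `netstat -p` or `lsof -i` on the live system; a tight cluster of TCP/7 SYNs to a small fixed set of addresses, as here, is the signature of a latency probe rather than of data exfiltration, which is exactly what the reply above attributes to Razor.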