On Thu, August 3, 2006 10:27 pm, Paul wrote:
OK, something wacky. I'm getting many, many of these; it just keeps building:
--snip--
netstat -vat:
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:57015 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:26377 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:64279 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:27807 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:29095 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:47009 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:41369 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:45120 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:63145 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:4027 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:11361 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:53867 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:64779 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:20063 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:43209 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:44629 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:49010 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:3974 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:6822 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:54650 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:43689 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:35714 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:3381 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:48516 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:52141 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:11431 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:50562 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:17152 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:10535 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:18219 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:7582 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60773 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:46995 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60185 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:34357 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:41346 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:1135 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:64816 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:16062 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:7499 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60087 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:33579 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:6757 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:8912 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:50510 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:44317 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:2149 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:294 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60112 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:52569 SYN_RECV
tcp 0 0 192.168.103.99:http statusurl.e-gold.com:26452 SYN_RECV
--snip--
So, seeing this is weird activity, I wanna see if I can put a stop to it. So I added to iptables:
-A INPUT -s 209.200.128.0/255.255.192.0 -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp -d 209.200.128.0/255.255.192.0 -j DROP
I restarted httpd and still get the same thing. WTF???
OK, I figured it out. The IP address that was attacking is actually 63.240.230.5. nslookup on the above gives me 209.200.169.10. I really dislike reverse lookups in logs and such. &*^(*%$%*&^_
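The two problems in the post are a pile-up of half-open (SYN_RECV) connections and a firewall rule that was written against a reverse-DNS name instead of the real address. The script below is an added example (not Paul's code, and not output from his box): it parses `netstat -vat`-style lines, counts SYN_RECV entries per remote host, flags hosts that appear as names rather than addresses (which means the name came from a PTR lookup that the remote side controls), and checks whether a PTR name is forward-confirmed before anyone builds a rule from it. The netstat lines and the DNS answers are constructed for the example; they mirror the addresses in the post but are not captured data.

```python
"""
Added example: triage a netstat listing for half-open connections and
verify reverse-DNS names before they are used in firewall rules.
All sample lines and DNS answers below are constructed for this example.
"""
from collections import Counter
import ipaddress
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# netstat -at columns: proto recv-q send-q local-address foreign-address state
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$"
)


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port' on the last colon so IPv6 literals stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def count_half_open(lines: Iterable[str]) -> Counter:
    """Count SYN_RECV entries per remote host (name or address, as printed)."""
    counts: Counter = Counter()
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m or m.group("state") != "SYN_RECV":
            continue  # headers, other protocols and fully open sockets are skipped
        host, _port = split_endpoint(m.group("remote"))
        counts[host] += 1
    return counts


def looks_numeric(host: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a resolved hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(text: str, threshold: int = 3) -> Dict[str, object]:
    """Summarise half-open connections and single out hosts worth a closer look."""
    counts = count_half_open(text.splitlines())
    suspects = {h: n for h, n in counts.items() if n >= threshold}
    # A hostname in the foreign-address column means netstat was run without -n;
    # the name is only as trustworthy as the remote side's PTR record.
    unverified = sorted(h for h in counts if not looks_numeric(h))
    return {"half_open": dict(counts), "suspects": suspects, "unverified_names": unverified}


def forward_confirmed(ip: str, ptr_name: str, resolve_a: Callable[[str], Set[str]]) -> bool:
    """A PTR name is forward-confirmed only if its A records include the original IP."""
    return ip in resolve_a(ptr_name)


# Constructed DNS answers mirroring the post: the name netstat printed for the
# attacker resolves forward to 209.200.169.10, not to the attacker's real address,
# so a DROP rule built from that name covers the wrong network.
STUB_A_RECORDS: Dict[str, Set[str]] = {"statusurl.e-gold.com": {"209.200.169.10"}}


def stub_resolve_a(name: str) -> Set[str]:
    """Offline stand-in for a forward (A-record) lookup."""
    return STUB_A_RECORDS.get(name, set())


# Constructed netstat output: three numeric SYN_RECV lines (as `netstat -natv`
# prints them), one ESTABLISHED session, and one line with a resolved name.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.103.99:80       63.240.230.5:57015      SYN_RECV
tcp        0      0 192.168.103.99:80       63.240.230.5:26377      SYN_RECV
tcp        0      0 192.168.103.99:80       63.240.230.5:64279      SYN_RECV
tcp        0      0 192.168.103.99:80       10.0.0.7:40112          ESTABLISHED
tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:27807 SYN_RECV
"""

if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(report)
    for name in report["unverified_names"]:
        print(name, "forward-confirmed for 63.240.230.5:",
              forward_confirmed("63.240.230.5", name, stub_resolve_a))
```

Run `netstat -natv` (the `-n` flag) instead of `netstat -vat` so the foreign-address column is numeric and can be dropped straight into an iptables rule; if you must act on a name, confirm it forward first as `forward_confirmed` does. A steadily growing SYN_RECV count against port 80 is the classic symptom of a SYN flood, and on Linux the kernel-side mitigation is `net.ipv4.tcp_syncookies = 1` (via `sysctl`), which keeps the listen backlog from filling while a filter rule is being worked out.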