On Thu, August 3, 2006 10:27 pm, Paul wrote:
>
> OK, Something wacky. I'm getting many, many of these, it just keeps
> building:
>
> --snip--
> netstat -vat:
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:57015  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:26377  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:64279  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:27807  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:29095  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:47009  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:41369  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:45120  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:63145  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:4027   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:11361  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:53867  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:64779  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:20063  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:43209  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:44629  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:49010  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:3974   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:6822   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:54650  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:43689  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:35714  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:3381   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:48516  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:52141  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:11431  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:50562  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:17152  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:10535  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:18219  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:7582   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:60773  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:46995  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:60185  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:34357  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:41346  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:1135   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:64816  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:16062  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:7499   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:60087  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:33579  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:6757   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:8912   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:50510  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:44317  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:2149   SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:294    SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:60112  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:52569  SYN_RECV
> tcp        0      0 192.168.103.99:http     statusurl.e-gold.com:26452  SYN_RECV
> --snip--
>
> So, seeing this is weird activity, I wanna see if I can put a stop to it.
> So I added to iptables:
> -A INPUT -s 209.200.128.0/255.255.192.0 -j DROP
> -A OUTPUT -o eth0 -p tcp -m tcp -d 209.200.128.0/255.255.192.0 -j DROP
>
> I restarted httpd and still get the same thing. WTF???

OK, I figured it out. The IP address that was attacking is actually 63.240.230.5.
nslookup on the above gives me 209.200.169.10. I really dislike reverse lookups in logs and such.
&*^(*%$%*&^_
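The mix-up above (blocking the range behind the reverse-resolved name rather than the address that actually sent the SYNs) is avoidable by working from numeric netstat output. The script below is an added example, not from the thread or its author; it summarises half-open SYN_RECV connections per numeric source from `netstat -vatn` output and separately lists any foreign addresses that are names rather than IPs, using a constructed sample with documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the thread): count SYN_RECV connections per remote
# address from numeric netstat output, so the source that ends up in a
# firewall rule is the address the kernel actually saw, not the name a
# reverse lookup attached to it. Run `netstat -vatn`; the -n suppresses the
# reverse lookup that produced the misleading hostname in the thread above.

# Constructed sample of `netstat -vatn` output (not captured from any host).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.103.99:80       203.0.113.5:57015       SYN_RECV
tcp        0      0 192.168.103.99:80       203.0.113.5:26377       SYN_RECV
tcp        0      0 192.168.103.99:80       203.0.113.5:64279       SYN_RECV
tcp        0      0 192.168.103.99:80       198.51.100.7:4027       SYN_RECV
tcp        0      0 192.168.103.99:80       198.51.100.9:40022      ESTABLISHED
tcp        0      0 192.168.103.99:80       statusurl.example.com:1135 SYN_RECV'

# syn_recv_by_source: read netstat text on stdin, print "<count> <ip>" for
# each dotted-quad source with half-open connections, most frequent first.
# Name-form sources are skipped: they were reverse-resolved and may not map
# back to the address that sent the packets.
syn_recv_by_source() {
    awk '$1 == "tcp" && $6 == "SYN_RECV" {
            split($5, a, ":"); host = a[1]
            if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) c[host]++
         }
         END { for (h in c) print c[h], h }' | sort -rn
}

# resolved_sources: foreign addresses that are names rather than IPs, i.e.
# lines where a reverse lookup already happened (netstat run without -n).
resolved_sources() {
    awk '$1 == "tcp" && $5 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:/ {
            split($5, a, ":"); print a[1]
         }' | sort -u
}

# top_syn_source: the single address with the most half-open connections,
# the value to verify by hand before it goes into an iptables -s rule.
top_syn_source() {
    syn_recv_by_source | head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE" | syn_recv_by_source
printf '%s\n' "$SAMPLE" | resolved_sources
```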