I think I might have a possible breakin.
Steven W. Orr
steveo at syslang.net
Sat Oct 5 13:04:15 EDT 2002
I'm getting a *lot* of hits on my firewall.
Oct 5 12:43:33 saturn kernel: TCP reject IN= OUT=eth0 SRC=209.6.241.147 DST=194.109.217.74 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=64255 DF PROTO=TCP SPT=38312 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
I happen to be the 147 guy and I can totally reproduce the firewall hit by doing
telnet 194.109.217.74 7
(My firewall is blocking outgoing packets which target other people's port 7.)
Right now I have a couple of windows running script in which I have
lsof -i:7 -r 1
running. But I'm not getting anything at all and it's been running for a couple of hours. I also ran chkrootkit and got nothing. I'm wide open to suggestions. Also, you can see the firewall hits from the previous day here: http://steveo2.syslang.net:8080/fwsummary.html
The goal is to see what program is running that is producing these packets trying to get out.
Help!!!
--
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ
-Donor? Black holes are where God divided by zero. Listen to me! We are all-
-individuals! What if this weren't a hypothetical question? steveo at syslang.net
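The question in the post is how to get from a netfilter "TCP reject" log line to the local process that generated the packet. The script below is an added example, not code from the original post or from any tool the poster mentions. It parses log lines of the format shown above into their KEY=value fields, counts outbound hits per destination and source port, and then matches a logged source port (SPT) against a snapshot of `ss -tanp` output to find the owning socket and process. The first log line is the one from the post; the remaining log lines and the entire `ss` snapshot (including the process name `example-proc`) are constructed for this example.

```shell
#!/bin/sh
# Added example: correlate netfilter LOG-target lines with the local socket
# that produced them. Sample data below is constructed for this example; the
# first log line is the one quoted in the post.

NF_SAMPLE='Oct 5 12:43:33 saturn kernel: TCP reject IN= OUT=eth0 SRC=209.6.241.147 DST=194.109.217.74 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=64255 DF PROTO=TCP SPT=38312 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 5 12:43:36 saturn kernel: TCP reject IN= OUT=eth0 SRC=209.6.241.147 DST=194.109.217.74 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=64256 DF PROTO=TCP SPT=38312 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 5 12:44:01 saturn kernel: TCP reject IN= OUT=eth0 SRC=209.6.241.147 DST=192.0.2.55 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=64300 DF PROTO=TCP SPT=38400 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0'

# Constructed snapshot in the column layout of `ss -tanp`
# (State Recv-Q Send-Q Local:Port Peer:Port Process).
SS_SAMPLE='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN   0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=611,fd=3))
SYN-SENT 0      1      209.6.241.147:38312 194.109.217.74:7    users:(("example-proc",pid=4242,fd=3))
ESTAB    0      0      209.6.241.147:22    192.0.2.10:51022    users:(("sshd",pid=900,fd=4))'

# nf_field LINE KEY: print the value of the KEY=value token in one log line
# (empty if the key is absent, e.g. IN= on locally generated packets).
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nf_summarise: read log lines on stdin and print "count PROTO DST:DPT spt=SPT",
# most frequent tuple first. Grouping by SPT matters because the source port is
# the handle that ties a logged packet back to a local socket.
nf_summarise() {
    awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "DST" || kv[1] == "DPT" || kv[1] == "SPT" || kv[1] == "PROTO")
                f[kv[1]] = kv[2]
        }
        key = f["PROTO"] " " f["DST"] ":" f["DPT"] " spt=" f["SPT"]
        count[key]++
        split("", f)          # portable way to clear the array per line
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr
}

# owner_of_sport SPT: read `ss -tanp` output on stdin and print the Process
# column of every socket whose local port is SPT. Works for IPv6 too, since the
# port is the last colon-separated component of the local address.
owner_of_sport() {
    awk -v spt="$1" '
        NR > 1 {
            n = split($4, a, ":")
            if (a[n] == spt && $6 != "") print $6
        }'
}

# Stand-alone usage: summarise the sample log, then look up the busiest SPT.
printf '%s\n' "$NF_SAMPLE" | nf_summarise
printf '%s\n' "$SS_SAMPLE" | owner_of_sport 38312
```

In practice the `ss -tanp` snapshot has to be taken while the socket still exists; a rejected SYN's socket can come and go between two one-second `lsof -r 1` polls, so a tight loop (or a kernel-side hook such as the LOG target's `--log-uid` option, which records the UID of the process that generated a locally originated packet) narrows the search more reliably than polling on port 7 alone.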