On Wed, 31 Oct 2001 16:11:43 +0800, Bradley Filmer <bfilmerat_private> said: > I am curious as to what this might be, I am seeing hits in my iptables > logs after visiting certain websites.. mainly > > Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number" > SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46 > ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN > URGP=0 > This is netbsd.org Source port 80, an ACK/SYN - looks like you logged the second of a 3-packet handshake from your SYN sent to netbsd.org. 33270 was an ephemeral port picked by your browser on the fly. Sequence: you:33270 -> netbsd.org:80 SYN you:33270 <- netbsd.org:80 SYN+ACK (the packet you logged) you:33270 -> netbsd.org:80 ACK > Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= MAC= "long number" > SRC=64.58.76.98 DST=my.adr.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=48 > ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN > URGP=0 > This is yahoo groups. Similarly, port 443 is https: (http over SSL). > Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= MAC= "long number" > SRC=204.152.186.171 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=51 > ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0 > This is mysql.org More of same. > Always 5 hits and I cant tell you how long after. I have checked port I can't comment on "always 5 hits" because you don't show the logs. Perhaps you're filtering something incorrectly, causing a retransmit of the SYN+ACK packet at the far end. > Looking for paranoia in all the right places And then some, based on what I see. Maybe seeing all 5 hits might show something I'm not seeing here, but I'm guessing that it's a broken iptables config logging things that it shouldnt. -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 09:52:03 PST