On Wed, 04 Jun 2003 21:13:47 -0000, Ronald Belchez <meukoneat_private> said:

> --logs starts here---
> denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
> denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet

Somebody's got a b0rked network load balancer? Some of these will do ICMP PING or DNS queries from multiple servers to figure out which one is "closest". But in that case, you'll usually see a flurry of 2-5 packets from different places at the same time...

Or maybe you got a user that typed your *mail* server into his laptop's config, right where it says "DNS Server address"... and they're on the road and b0rked.

I've seen both of those scenarios before. In fact, unless there are clear and obvious signs (like a malware payload), I no longer even *think* about a "merely odd" logfile trace in terms of "trojan/worm" until I've ruled out simple user stupidity....
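The reply above sketches a triage heuristic for denied UDP/53 traffic: several distinct sources hitting the same host at once points at load-balancer "closest server" probing, while one source repeatedly hitting a non-DNS host points at a misconfigured client. The following is an added example, not code from the post or its author, that parses firewall deny lines in the quoted format and applies that heuristic over a constructed sample. The two log lines from the post are reused; the other lines, the host XX3.Y1.246.70 and the extra source addresses are constructed for illustration, and the quoted lines carry no timestamps, so "at the same time" is approximated by "within the same batch of lines".

```python
import re
from collections import defaultdict

# Pattern for deny lines in the format quoted in the post:
#   denied udp SRC(SPORT) -> DST(DPORT), N packet(s)
DENY_RE = re.compile(
    r"denied\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\),\s*(?P<count>\d+)\s+packets?"
)

# Constructed sample: the post's two lines plus invented ones (labelled).
SAMPLE_LINES = [
    "denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet",
    "denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet",
    # constructed: three different sources probing another host's port 53
    "denied udp XX1.Y9.8.7(33001) -> XX3.Y1.246.70(53), 1 packet",
    "denied udp XX2.Y8.1.4(33002) -> XX3.Y1.246.70(53), 1 packet",
    "denied udp XX9.Y5.2.3(33003) -> XX3.Y1.246.70(53), 1 packet",
    # constructed: a non-DNS denial that the classifier must ignore
    "denied tcp XX7.Y3.71.242(4444) -> XX3.Y1.246.66(25), 1 packet",
]


def parse_deny(line):
    """Return a dict for one deny line, or None if the line does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "count": int(d["count"]),
    }


def classify_dns_denials(lines, burst_threshold=2):
    """Group denied UDP/53 packets by destination host and label each.

    Heuristic from the post: distinct sources >= burst_threshold hitting one
    destination looks like load-balancer probing; a single source sending
    more than one packet looks like a client with the wrong DNS address.
    """
    by_dst = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != 53:
            continue
        by_dst[rec["dst"]][rec["src"]] += rec["count"]

    verdicts = {}
    for dst, srcs in by_dst.items():
        if len(srcs) >= burst_threshold:
            verdicts[dst] = "multi-source burst: likely load-balancer probing"
        elif max(srcs.values()) > 1:
            verdicts[dst] = "single source, repeated: likely misconfigured client"
        else:
            verdicts[dst] = "single packet: insufficient data"
    return verdicts


if __name__ == "__main__":
    for dst, verdict in classify_dns_denials(SAMPLE_LINES).items():
        print(f"{dst}: {verdict}")
```

The script only aggregates; it does not touch the network. A real deployment would add the log timestamp to the grouping key so that "flurry at the same time" is measured in seconds rather than per batch, and would whitelist the site's actual resolvers so legitimate DNS never reaches the classifier.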
This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 08:46:01 PDT