Richard Fish <bigfish <at> asmallpond.org> writes:

> On 8/11/06, James <wireless <at> tampabay.rr.com> wrote:
> > myIP hackIP    TCP   55634 > smtp  (SYN) Seq=0 ACK=1 WIN=0 LEN=0
> > hackIP   myIP  TCP   smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460

> Assuming you haven't mixed up the myIP and hackIP parts, this means
> something on *your* system/network is trying to contact an smtp server
> on what you are calling hackIP.  TCP/IP connections are initiated with
> a SYN packet.  If they are accepted, you get a SYN,ACK packet back.
> If they are rejected, you get a RST,ACK back.

Sorry, I transposed the entries. From Wireshark I took my time to copy
more accurately:
Source   dest.        proto  info
24.199.244.157   myIP  TCP   55634 > smtp  (SYN) Seq=0 Len=0 MSS=1460
myIP   24.199.244.157  TCP   smtp > 55634  (RST,ACK) Seq=0 Ack=1 Win=0 Len=0

> Running 'host <hackIP>' might prove enlightening.

# host 24.199.244.157
157.244.199.24.in-addr.arpa domain name pointer rrcs-24-199-244-157.midsouth.biz.rr.com.


Remember, the entire network, except the firewall, was physically
disconnected.  I did not save the Wireshark session at that time.

The lines above, seen today, look very similar to the
packet storm of the session last night.

However, I'll try to save it the next time it explodes. The
lines above are merely suspicious to me.
It does look like part of RoadRunner, but last night the
spam was in high gear until I shut down the link.

thoughts?


James



-- 
gentoo-user@gentoo.org mailing list
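Richard's rule of thumb above (a bare SYN marks the initiator; SYN,ACK back means the connection was accepted, RST,ACK back means it was refused) applied mechanically to Wireshark summary lines, as an added example that is not part of the original thread. The first two sample lines are the two James pasted; the remaining lines are constructed for contrast: one accepted connection, and one SYN that gets no reply at all, which is what a firewall that silently drops (rather than rejects) produces. The field layout assumed by the regular expression is the "Source dest. proto info" column order shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the Wireshark summary style used in the post.
# Lines 1-2 are the exchange James pasted; lines 3-5 are constructed
# (10.0.0.5 accepted by a listening smtp service, 192.0.2.9 never answered).
SAMPLE_LINES = """\
24.199.244.157   myIP  TCP   55634 > smtp  (SYN) Seq=0 Len=0 MSS=1460
myIP   24.199.244.157  TCP   smtp > 55634  (RST,ACK) Seq=0 Ack=1 Win=0 Len=0
10.0.0.5   myIP  TCP   40001 > smtp  (SYN) Seq=0 Len=0 MSS=1460
myIP   10.0.0.5  TCP   smtp > 40001  (SYN,ACK) Seq=0 Ack=1 Win=5840 Len=0
192.0.2.9   myIP  TCP   51000 > smtp  (SYN) Seq=0 Len=0 MSS=1460
""".splitlines()

# source, destination, "TCP", "sport > dport", "(FLAGS)"; the rest is ignored.
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s*>\s*(?P<dport>\S+)\s+\((?P<flags>[A-Z,]+)\)"
)


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: str
    dport: str
    flags: frozenset


def parse_line(line: str) -> Optional[Segment]:
    """Parse one summary line; return None for lines that are not TCP summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Segment(m["src"], m["dst"], m["sport"], m["dport"],
                   frozenset(m["flags"].split(",")))


def is_initial_syn(seg: Segment) -> bool:
    # SYN without ACK is the first packet of a handshake: seg.src is the initiator.
    return "SYN" in seg.flags and "ACK" not in seg.flags


def classify_attempt(syn: Segment, segments: List[Segment]) -> str:
    """Return 'accepted', 'refused' or 'no reply' for one initial SYN."""
    for s in segments:
        # The reply travels in the reverse direction with the ports swapped.
        if (s.src, s.dst, s.sport, s.dport) == (syn.dst, syn.src, syn.dport, syn.sport):
            if {"SYN", "ACK"} <= s.flags:
                return "accepted"   # something is listening and took the connection
            if "RST" in s.flags:
                return "refused"    # port closed, or a firewall REJECT rule
    return "no reply"               # dropped by a firewall, or host unreachable


def summarize(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(initiator, target, target port, verdict) for every connection attempt."""
    segments = [s for s in map(parse_line, lines) if s is not None]
    return [(seg.src, seg.dst, seg.dport, classify_attempt(seg, segments))
            for seg in segments if is_initial_syn(seg)]


if __name__ == "__main__":
    for initiator, target, port, verdict in summarize(SAMPLE_LINES):
        print(f"{initiator} -> {target}:{port}  {verdict}")
```

Run against the lines James pasted, the first result says the remote RoadRunner host initiated the connection to port 25 on myIP and got refused; that is a machine on the outside knocking on the local SMTP port, not the local box sending mail out. A SYN with no reply in a capture is worth treating separately from a refusal, since a silent DROP and a REJECT look identical to the sender but not to the person reading the trace.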
