On Friday 28 May 2004 17:59, Jonas Meurer wrote:
> with a running and working firehol firewall, I still
> get these messages in syslog:
>
> May 28 17:51:06 diana50 kernel: IN-interface1:IN=eth0 OUT=
> MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=62.99.78.133
> DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=46176 DF PROTO=TCP
> SPT=3372 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> May 28 17:51:07 diana50 kernel: IN-interface1:IN=eth0 OUT=
> MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114
> DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22801 DF PROTO=TCP
> SPT=3934 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0
> May 28 17:51:08 diana50 kernel: IN-interface1:IN=eth0 OUT=
> MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114
> DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=23315 DF PROTO=TCP
> SPT=4192 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=29184
>
> in my eyes this looks like some tiny people (62.99.78.133
> and 213.10.237.114) requested something on my server
> diana50 (62.75.129.11) over TCP, but on which port?

You can find the port number they tried for at DPT=nnnn (DPT = Destination Port). In your example it's port 445 in the first, 5554 in the second and 9898 in the last sample.

Bye,
Christian
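
The DPT lookup described in the reply, generalised to a small parser for these kernel firewall log lines, as an added example that is not part of the original thread. It runs on the three entries quoted above (joined one per line) and lists the destination ports each source tried; the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# The three kernel log entries quoted in the message above, one entry per line.
SAMPLE_LOG = """\
May 28 17:51:06 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=62.99.78.133 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=46176 DF PROTO=TCP SPT=3372 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 17:51:07 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22801 DF PROTO=TCP SPT=3934 DPT=5554 WINDOW=16384 RES=0x00 SYN URGP=0
May 28 17:51:08 diana50 kernel: IN-interface1:IN=eth0 OUT= MAC=00:50:fc:e4:e4:d4:00:90:69:cd:d4:1f:08:00 SRC=213.10.237.114 DST=62.75.129.11 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=23315 DF PROTO=TCP SPT=4192 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=29184
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value; the value may be empty (OUT=)
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF"}

def parse_entry(line):
    """Parse one firewall LOG line into a dict; return None for other syslog lines."""
    _, found, rest = line.partition("kernel: ")
    if not found or "IN=" not in rest:
        return None
    prefix, _, body = rest.partition("IN=")  # text before IN= is the rule's log prefix
    body = "IN=" + body
    fields = dict(FIELD_RE.findall(body))
    flags = {tok for tok in body.split() if tok in FLAGS}
    return {
        "prefix": prefix,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        # SPT/DPT exist only for port-based protocols (TCP, UDP); ICMP entries have none.
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # A SYN without ACK is the first packet of a new TCP connection attempt.
        "new_conn": "SYN" in flags and "ACK" not in flags,
    }

def ports_by_source(log_text):
    """Map each source address to the sorted destination ports it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry["dpt"] is not None:
            seen[entry["src"]].add(entry["dpt"])
    return {src: sorted(ports) for src, ports in seen.items()}

if __name__ == "__main__":
    for src, ports in ports_by_source(SAMPLE_LOG).items():
        print(f"{src} -> destination ports {ports}")
```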

