Damn, that's a good idea, Ray. Just as a general tip. Never thought of that.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of -ray
Sent: Tuesday, May 03, 2005 10:23 PM
To: [email protected]
Subject: Re: [brlug-general] polite rant (was: Webhosting, suggestions?)

On Tue, 3 May 2005, jr_G-man wrote:

> In that vein... anybody care to help me figure out what keeps hammering my
> firewall on port 37830?

Hard to say... are you seeing TCP SYN connects like this? (The big S after the IP means the SYN bit is set; the big R is RST (reset).)

andrea:~# tcpdump -npi eth0 port 37830
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:16:39.153566 IP 192.168.2.70.34351 > 192.168.2.4.37830: S 2308344735:2308344735(0) win 5840 <mss 1460,sackOK,timestamp 168616150 0,nop,wscale 2>
09:16:39.166511 IP 192.168.2.4.37830 > 192.168.2.70.34351: R 0:0(0) ack 2308344736 win 0

It could be scanning systems for backdoors.... If it is using any type of plain text protocol, you can let it connect using netcat and see what it sends:

nc -l -p 37830 > junk.txt

After a successful connect, nc will exit, then you may have some clues in junk.txt.

ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                    http://www.r-a-y.org
Systems Engineer                 Southeastern Louisiana University
IBM Certified Specialist         AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

_______________________________________________
General mailing list
[email protected]
http://brlug.net/mailman/listinfo/general_brlug.net
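Ray's capture shows the two things a defender wants from such a trace: which hosts keep sending SYNs to the port, and whether the host answers with RST (nothing listening) or SYN-ACK (something is). The script below is an added example, not code from the thread or from Ray; it parses the tcpdump 3.x line format shown above (newer tcpdump prints `Flags [S]` instead, which this regex does not cover) and the sample capture it reads is constructed, with the two original probe lines plus made-up traffic from a second host.

```python
import re
from collections import defaultdict
# Constructed sample in the tcpdump 3.x format seen in the thread (not the original
# poster's capture): 192.168.2.70 probes twice and gets RST, 10.0.0.9 gets a SYN-ACK.
SAMPLE_CAPTURE = """\
09:16:39.153566 IP 192.168.2.70.34351 > 192.168.2.4.37830: S 2308344735:2308344735(0) win 5840 <mss 1460,sackOK,timestamp 168616150 0,nop,wscale 2>
09:16:39.166511 IP 192.168.2.4.37830 > 192.168.2.70.34351: R 0:0(0) ack 2308344736 win 0
09:16:41.201000 IP 192.168.2.70.34352 > 192.168.2.4.37830: S 2308349999:2308349999(0) win 5840 <mss 1460>
09:16:41.201900 IP 192.168.2.4.37830 > 192.168.2.70.34352: R 0:0(0) ack 2308350000 win 0
09:17:02.000100 IP 10.0.0.9.51000 > 192.168.2.4.37830: S 100:100(0) win 65535 <mss 1460>
09:17:02.000900 IP 192.168.2.4.37830 > 10.0.0.9.51000: S 5000:5000(0) ack 101 win 5840 <mss 1460>
09:17:02.002000 IP 10.0.0.9.51000 > 192.168.2.4.37830: . ack 5001 win 65535
09:17:05.000000 IP 192.168.2.4.22 > 10.0.0.9.51001: R 0:0(0) ack 1 win 0
"""
# One TCP line: timestamp IP src.sport > dst.dport: flags rest (flags: S=SYN, R=RST, .=none)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SRPFW.]+) (?P<rest>.*)$"
)
def classify(flags, rest):
    """Reduce one packet to a handshake event: syn, syn-ack, rst or other."""
    if "R" in flags:
        return "rst"                 # nothing listening, or the connection was refused
    if "S" in flags:
        return "syn-ack" if "ack" in rest.split() else "syn"
    return "other"                   # pure ACKs, data, FIN: not a probe

def summarize(capture, port):
    """Per remote host: SYNs it sent to `port` and the replies it received."""
    report = defaultdict(lambda: {"syn": 0, "syn-ack": 0, "rst": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # tcpdump banner lines, non-TCP traffic
        if int(m["dport"]) == port:
            remote = m["src"]        # inbound probe: the remote host is the source
        elif int(m["sport"]) == port:
            remote = m["dst"]        # our reply: the remote host is the destination
        else:
            continue                 # unrelated port
        kind = classify(m["flags"], m["rest"])
        if kind != "other":
            report[remote][kind] += 1
    return dict(report)

def port_state(report):
    if any(r["syn-ack"] for r in report.values()):
        return "open"                # something on our side accepted a connection
    return "closed" if any(r["rst"] for r in report.values()) else "unknown"
```

Run `summarize(SAMPLE_CAPTURE, 37830)` to get the per-host counts, and `port_state(...)` on the result to learn whether the probed port was actually answered; a `closed` verdict is the case where Ray's `nc -l` trick is the next step.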
