Am I on my own?
--
[email protected]

On Mon, Oct 15, 2012, at 08:04, [email protected] wrote:

I seem to have picked up a bug, but am unable to trace it. Lots of these:

[55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0

My Shorewall is very tight, only allowing the absolute minimum in/out. This destination IP traces to some guy's home internet account in Chicago. (I'm in Shoreline, WA.) No idea who he is or what this is about, but it started yesterday. It's possible that this is to do with one of the many Konqueror browser windows I have open and might be innocuous, but it does look suspicious.

I ran nmap on this guy's IP and he has port 80 open (minimal Apache setup), SSH, 3000, and 3333. I tried to run openvas, but it's currently busted.

I ran netcat to watch for this port, but it was blind when the next wave came, I suspect because it listens for the source port rather than the destination. Same with Wireshark, which I also had listening. Now I have Wireshark listening for the destination IP, but nothing yet.

So far, Shorewall has been the only thing that's seen these transactions. My systems are very tight and are behind three wireless routers in series. The only way I can think of that I may have caught anything is through Konqueror, or email; I always run Konqi as user and I'm careful with kmail, opening emails as text and not opening suspicious attachments.

Anyone have any idea what's going on here?



--
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/docs/quotes.html


-- 
http://www.fastmail.fm - IMAP accessible web-mail

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
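The two Shorewall entries quoted in the message are the only evidence the poster has, and they already say where to look next. IN= is empty, OUT=wlan0 and the chain is fw2net, so these SYNs are generated on the firewall host itself and pass through netfilter OUTPUT rather than FORWARD; they are not coming from another machine behind the routers. TTL=64 and WINDOW=14600 are what a current Linux kernel puts on a fresh SYN. A SYN dropped in OUTPUT never gets a reply, so the local socket stays in SYN-SENT and `ss -tnp` names the owning process, and any capture filter should key on the stable side of the connection (destination host and destination port), not the ephemeral source port. The Python below is an added example written for this page, not code from the post or from the Shorewall project. It parses log lines in the dmesg form shown above (the bracketed uptime prefix is an assumption about the log source), groups repeated drops by destination, flags locally generated traffic, and emits the tcpdump/Wireshark filter and the ss query for the busiest group. The sample input is constructed: the two lines from the post plus two invented ones, an inbound drop from 203.0.113.9 and a third outbound SYN.

```python
"""Triage Shorewall/netfilter LOG lines: group repeated drops by destination,
separate locally generated traffic (IN= empty, OUT= set) from inbound or
forwarded traffic, and emit the capture filter and socket query that lead
to the originating process. Added example; not from the post or Shorewall."""
import re
from collections import defaultdict

# Constructed sample input: the two entries quoted in the post, plus one
# invented inbound drop and one invented third outbound SYN so that the
# grouping and the direction check have something to distinguish.
SAMPLE_LOG = """\
[55415.513723] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28176 DF PROTO=TCP SPT=55445 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55420.348527] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27353 DF PROTO=TCP SPT=55447 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
[55421.000001] Shorewall:net2fw:DROP:IN=wlan0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[55430.123456] Shorewall:fw2net:DROP:IN= OUT=wlan0 SRC=192.168.1.1 DST=97.107.134.150 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27400 DF PROTO=TCP SPT=55449 DPT=3333 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# Assumes the raw dmesg/kern.log form from the post: "[uptime] Shorewall:chain:action:fields".
HEADER_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one LOG line into a dict; return None for lines that do not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v          # "IN=" yields "", meaning no input interface
        else:
            flags.add(tok)         # bare tokens: DF, SYN, ACK, FIN, RST, ...
    return {
        "ts": float(m.group("ts")),
        "chain": m.group("chain"),
        "action": m.group("action"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "sport": fields.get("SPT"),
        "dport": fields.get("DPT"),
        "ttl": int(fields["TTL"]) if "TTL" in fields else None,
        "flags": flags,
        # No input interface but an output interface: the packet was created
        # on this host and traversed netfilter OUTPUT, not FORWARD.
        "locally_generated": fields.get("IN", "") == "" and fields.get("OUT", "") != "",
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Group by (chain, action, dst, proto, dport); busiest group first."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["chain"], e["action"], e["dst"], e["proto"], e["dport"])].append(e)
    out = []
    for (chain, action, dst, proto, dport), es in groups.items():
        out.append({
            "chain": chain, "action": action, "dst": dst, "proto": proto,
            "dport": dport, "count": len(es),
            "sports": sorted({e["sport"] for e in es}),   # ephemeral, one per attempt
            "locally_generated": all(e["locally_generated"] for e in es),
            "all_syn": all("SYN" in e["flags"] and "ACK" not in e["flags"] for e in es),
            "first": min(e["ts"] for e in es),
            "last": max(e["ts"] for e in es),
        })
    return sorted(out, key=lambda g: g["count"], reverse=True)


def capture_filter(group):
    """BPF capture filter for tcpdump/Wireshark keyed on destination host and
    port, the parts that stay constant across retries."""
    return f"host {group['dst']} and {group['proto']} dst port {group['dport']}"


def socket_query(group):
    """ss(8) query for sockets still trying to reach that port. A SYN dropped in
    OUTPUT gets no answer, so the socket sits in SYN-SENT and -p names the
    owning process (root is needed to see other users' PIDs)."""
    return f"ss -tnpo state syn-sent '( dport = :{group['dport']} )'"


if __name__ == "__main__":
    for g in summarize(parse_log(SAMPLE_LOG)):
        origin = "this host" if g["locally_generated"] else "inbound/forwarded"
        print(f"{g['chain']}:{g['action']} {g['count']}x -> {g['dst']}:{g['dport']}/{g['proto']} "
              f"from {origin}, sports={g['sports']}, new SYNs only={g['all_syn']}")
        if g["locally_generated"]:
            print("  capture:", capture_filter(g))
            print("  sockets:", socket_query(g))
```

Run as a script it prints one line per destination group and, for traffic this host generated, the filter and the ss query to run next. The `-o` in the ss query adds the retransmit timer, so a socket that keeps re-sending a dropped SYN is obvious at a glance.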
