On Thu, August 3, 2006 10:27 pm, Paul wrote:
> OK, Something wacky. I'm getting many, many of these, it just keeps
> building:
>
> --snip--
> netstat -vat:
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:57015
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:26377
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:64279
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:27807
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:29095
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:47009
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:41369
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:45120
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:63145
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:4027
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:11361
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:53867
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:64779
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:20063
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:43209
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:44629
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:49010
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:3974
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:6822
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:54650
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:43689
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:35714
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:3381
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:48516
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:52141
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:11431
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:50562
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:17152
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:10535
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:18219
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:7582
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60773
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:46995
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60185
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:34357
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:41346
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:1135
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:64816
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:16062
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:7499
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60087
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:33579
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:6757
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:8912
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:50510
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:44317
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:2149
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:294
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:60112
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:52569
> SYN_RECV
> tcp 0 0 192.168.103.99:http statusurl.e-gold.com:26452
> SYN_RECV
> --snip--
>
> So, seeing this is weird activity, I wanna see if I can put a stop to it.
> So I added to iptables:
> -A INPUT -s 209.200.128.0/255.255.192.0 -j DROP
> -A OUTPUT -o eth0 -p tcp -m tcp -d 209.200.128.0/255.255.192.0 -j DROP
>
> I restarted httpd and still get the same thing. WTF???
OK, I figured it out. The IP address that was attacking is actually
63.240.230.5. nslookup on the above gives me 209.200.169.10. I really
dislike reverse lookups in logs and such. &*^(*%$%*&^_
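The lesson in Paul's follow-up is that a firewall rule built from a hostname seen in resolved `netstat` output can miss the real source, because the name that reverse DNS returns for an address need not resolve forward to the same address. The following is an added example (not code from the thread) showing the defender's side of this: parse numeric `netstat -nat` output, count half-open `SYN_RECV` connections per remote address, and flag fields that are hostnames rather than IP literals so the rule ends up targeting the actual source. The sample output is constructed; the remote addresses are documentation-range placeholders, and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `netstat -nat` output (numeric addresses, no reverse
# lookups). 192.168.103.99 is the local server from the thread; the remote
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.103.99:80       203.0.113.5:57015       SYN_RECV
tcp        0      0 192.168.103.99:80       203.0.113.5:26377       SYN_RECV
tcp        0      0 192.168.103.99:80       203.0.113.5:64279       SYN_RECV
tcp        0      0 192.168.103.99:80       203.0.113.5:27807       SYN_RECV
tcp        0      0 192.168.103.99:80       198.51.100.7:40123      ESTABLISHED
tcp        0      0 192.168.103.99:80       198.51.100.9:40555      SYN_RECV
"""

# One TCP line: proto, recv-q, send-q, local addr:port, remote addr:port, state.
# The greedy (\S+):(\S+) split takes the last colon, so IPv6 literals parse too.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")


def parse_netstat(text):
    """Yield (local_addr, local_port, remote_addr, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def syn_recv_by_remote(text):
    """Count half-open (SYN_RECV) connections per remote address."""
    counts = Counter()
    for _local, _lport, remote, _rport, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[remote] += 1
    return counts


def suspicious_sources(text, threshold=3):
    """Remote addresses holding at least `threshold` half-open connections.

    The threshold is an assumption; tune it to the server's normal backlog."""
    return sorted(addr for addr, n in syn_recv_by_remote(text).items() if n >= threshold)


def is_numeric_address(addr):
    """True when the field is an IP literal (IPv4 or IPv6).

    A hostname here means netstat ran without -n, so the address you would
    block is the forward resolution of a reverse-DNS name, which may differ
    from the real source address."""
    return re.fullmatch(r"[0-9.]+|[0-9a-fA-F:]+", addr) is not None


def unresolved_fields(text):
    """Remote fields that are names rather than literals; non-empty means re-run with -n."""
    return sorted({remote for _l, _lp, remote, _rp, _s in parse_netstat(text)
                   if not is_numeric_address(remote)})


if __name__ == "__main__":
    for addr, n in syn_recv_by_remote(SAMPLE_NETSTAT).most_common():
        print(f"{addr:<16} {n} half-open")
    print("flag:", suspicious_sources(SAMPLE_NETSTAT))
    print("names needing -n:", unresolved_fields(SAMPLE_NETSTAT))
```

Run it against `netstat -nat` (or `ss -nat`) output piped into `SAMPLE_NETSTAT`'s place; any entry reported by `unresolved_fields` is a sign the output was captured with name resolution on, and the DROP rule should be written only after re-capturing with `-n`.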