All,

I just recently unsubscribed, so could you reply to me directly as well please.

This is the output of shorewall show connections. Does this look like a port scanner is running on 192.168.0.8?
The output of show connections is huge - 50M.

Shorewall v1.2.12
Linux 2.4.18

tcp 6 326974 ESTABLISHED src=192.168.0.8 dst=192.168.95.151 sport=57285 dport=80 [UNREPLIED] src=192.168.95.151 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326891 ESTABLISHED src=192.168.0.8 dst=192.168.79.153 sport=57285 dport=80 [UNREPLIED] src=192.168.79.153 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326766 ESTABLISHED src=192.168.0.8 dst=192.168.47.157 sport=57285 dport=80 [UNREPLIED] src=192.168.47.157 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326720 ESTABLISHED src=192.168.0.8 dst=192.168.31.159 sport=57285 dport=80 [UNREPLIED] src=192.168.31.159 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326681 ESTABLISHED src=192.168.0.8 dst=192.168.15.161 sport=57285 dport=80 [UNREPLIED] src=192.168.15.161 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 328089 ESTABLISHED src=192.168.0.8 dst=192.168.255.163 sport=57285 dport=80 [UNREPLIED] src=192.168.255.163 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 327072 ESTABLISHED src=192.168.0.8 dst=192.168.111.150 sport=57285 dport=80 [UNREPLIED] src=192.168.111.150 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326974 ESTABLISHED src=192.168.0.8 dst=192.168.95.152 sport=57285 dport=80 [UNREPLIED] src=192.168.95.152 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326891 ESTABLISHED src=192.168.0.8 dst=192.168.79.154 sport=57285 dport=80 [UNREPLIED] src=192.168.79.154 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326825 ESTABLISHED src=192.168.0.8 dst=192.168.63.156 sport=57285 dport=80 [UNREPLIED] src=192.168.63.156 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326766 ESTABLISHED src=192.168.0.8 dst=192.168.47.158 sport=57285 dport=80 [UNREPLIED] src=192.168.47.158 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326720 ESTABLISHED src=192.168.0.8 dst=192.168.31.160 sport=57285 dport=80 [UNREPLIED] src=192.168.31.160 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326681 ESTABLISHED src=192.168.0.8 dst=192.168.15.162 sport=57285 dport=80 [UNREPLIED] src=192.168.15.162 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 328089 ESTABLISHED src=192.168.0.8 dst=192.168.255.164 sport=57285 dport=80 [UNREPLIED] src=192.168.255.164 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 327072 ESTABLISHED src=192.168.0.8 dst=192.168.111.151 sport=57285 dport=80 [UNREPLIED] src=192.168.111.151 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326974 ESTABLISHED src=192.168.0.8 dst=192.168.95.153 sport=57285 dport=80 [UNREPLIED] src=192.168.95.153 dst=69.219.194.226 sport=80 dport=57285 use=1

Let me know if you need more info.

-C

On Thu, 5 Jun 2003 17:21:11 -0400, Barry, Christopher <cbarry@infiniconsys.com> wrote:
>
> All, I just recently unsubscribed, so could you reply to me directly as
> well please.
>
> This is the output of shorewall show connections. Does this look like a
> port scanner is running on 192.168.0.8?
> The output of show connections is huge - 50M.
>
> Shorewall v1.2.12
> Linux 2.4.18

I'd run netstat on 192.168.0.8 -- if it is a Linux box, try "netstat -tnap"; if it's windoze, then "netstat -anop tcp".

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net

netstat -tnap shows the only established connections are on the 192.168.0.0/24 network. top and pstree show nothing unusual. any other ideas?

Thanks,
Chris
*please reply-all

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, June 05, 2003 5:31 PM
To: Barry, Christopher; Shorewall-Users (E-mail)
Subject: Re: [Shorewall-users] Is this output safe/normal?

On Thu, 5 Jun 2003 17:21:11 -0400, Barry, Christopher <cbarry@infiniconsys.com> wrote:
>
> All, I just recently unsubscribed, so could you reply to me directly as
> well please.
>
> This is the output of shorewall show connections. Does this look like a
> port scanner is running on 192.168.0.8?
> The output of show connections is huge - 50M.
>
> Shorewall v1.2.12
> Linux 2.4.18

I'd run netstat on 192.168.0.8 -- if it is a Linux box, try "netstat -tnap"; if it's windoze, then "netstat -anop tcp".

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net

On Thu, 5 Jun 2003 17:38:14 -0400, Barry, Christopher <cbarry@infiniconsys.com> wrote:
>
> netstat -tnap shows the only established connections are on the
> 192.168.0.0/24 network. top and pstree show nothing unusual. any other
> ideas?
>

Nope.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
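
An added example, not part of the original thread or of Shorewall: a 50M connection listing is easier to judge when it is summarised per source address, so this script groups entries in the format posted above and reports sources that reach many distinct destinations with almost no replies. The function names and the thresholds `min_dsts` and `min_unreplied` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Three entries in the form posted in the thread, plus two constructed
# entries for a hypothetical host 192.168.0.20 with normal, replied traffic.
SAMPLE = """\
tcp 6 326974 ESTABLISHED src=192.168.0.8 dst=192.168.95.151 sport=57285 dport=80 [UNREPLIED] src=192.168.95.151 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326891 ESTABLISHED src=192.168.0.8 dst=192.168.79.153 sport=57285 dport=80 [UNREPLIED] src=192.168.79.153 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 326766 ESTABLISHED src=192.168.0.8 dst=192.168.47.157 sport=57285 dport=80 [UNREPLIED] src=192.168.47.157 dst=69.219.194.226 sport=80 dport=57285 use=1
tcp 6 431999 ESTABLISHED src=192.168.0.20 dst=192.168.0.1 sport=40112 dport=22 src=192.168.0.1 dst=192.168.0.20 sport=22 dport=40112 [ASSURED] use=1
udp 17 25 src=192.168.0.20 dst=192.168.0.1 sport=32770 dport=53 src=192.168.0.1 dst=192.168.0.20 sport=53 dport=32770 use=1
"""

# Original-direction tuple only; the state column is absent for UDP.
ENTRY = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)(?P<unreplied>\s+\[UNREPLIED\])?"
)

def summarize(lines):
    """Group connection entries by original source address (streams line by line)."""
    hosts = defaultdict(lambda: {"entries": 0, "unreplied": 0,
                                 "dsts": set(), "sports": set(), "dports": set()})
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, ICMP and malformed lines carry no port tuple
        h = hosts[m["src"]]
        h["entries"] += 1
        h["unreplied"] += bool(m["unreplied"])
        h["dsts"].add(m["dst"])
        h["sports"].add(int(m["sport"]))
        h["dports"].add(int(m["dport"]))
    return dict(hosts)

# Thresholds are illustrative assumptions, not values from the thread.
def fan_out_sources(hosts, min_dsts=3, min_unreplied=0.9):
    """Sources with many distinct destinations, almost none of which replied."""
    return sorted(src for src, h in hosts.items()
                  if len(h["dsts"]) >= min_dsts
                  and h["unreplied"] / h["entries"] >= min_unreplied)

if __name__ == "__main__":
    hosts = summarize(SAMPLE.splitlines())
    for src in fan_out_sources(hosts):
        print(src, len(hosts[src]["dsts"]), "destinations, source ports",
              sorted(hosts[src]["sports"]))
```

To run it over a real listing, pass an open file holding the saved output of `shorewall show connections` to `summarize()` in place of the sample lines.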