[A bit OT] What's up with these IPTables logs..?

Daniel Nyström dny at pcm.se
Thu Apr 8 09:14:13 UTC 2004


Hello!

On my RedHat 9.0/Shorewall firewall, I get the following logs.

eth2 -> The internet (x.x.x.x)
eth0 -> The internal network GW (MS ISA Server) (10.0.1.2)

Apr  8 11:10:54 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=68.10.206.201 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=940 DF PROTO=TCP SPT=49046 DPT=6895 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:54 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=35.8.27.47 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=941 DF PROTO=TCP SPT=32198 DPT=8633 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=68.54.201.208 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=954 DF PROTO=TCP SPT=49098 DPT=47188 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=80.160.91.25 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=955 DF PROTO=TCP SPT=35972 DPT=33033 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=81.240.149.178 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=961 DF PROTO=TCP SPT=49052 DPT=54409 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=130.179.201.131 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=962 DF PROTO=TCP SPT=28209 DPT=8023 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=67.69.110.228 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=968 DF PROTO=TCP SPT=34626 DPT=23194 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=66.69.107.163 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=970 DF PROTO=TCP SPT=49530 DPT=40158 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=24.99.112.6 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=972 DF PROTO=TCP SPT=49100 DPT=35042 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=24.201.219.22 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=973 DF PROTO=TCP SPT=23879 DPT=53953 WINDOW=65535 RES=0x00 SYN URGP=0

As you can see, not much time passes before each denied package and this continues all day long. It seems to be 20 or more specific IP addresses that the connections go to every time, sometimes on varying ports.

I started sending enquiries to the IP owners' abuse@ address, but it's not really something that is feasible in the long run.

Is this a bad case of SpyWare? Or should I be worried?



	//Daniel Nyström, Network Administrator, dny at pcm.se
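Added example, not part of the original post: a small parser for the Shorewall/iptables kernel log format shown above, which groups dropped outbound SYNs by internal source and reports how many distinct external hosts and ports that source is reaching for. The pattern in the logs (one internal address, many unrelated destinations, high unprivileged ports, SYN only, a burst per second) is what a defender wants to quantify before deciding whether to inspect the host behind SRC=10.0.1.2. The sample input is the log lines from the post; the field names (IN, OUT, SRC, DST, DPT, and bare flag tokens such as DF and SYN) are the standard iptables LOG target format. The fan-out threshold of 5 destinations is an arbitrary value chosen for this example.

```python
import re
from collections import defaultdict

# Sample input: the kernel log lines quoted in the post above (Shorewall on RedHat 9 / iptables).
SAMPLE_LOG = """\
Apr  8 11:10:54 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=68.10.206.201 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=940 DF PROTO=TCP SPT=49046 DPT=6895 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:54 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=35.8.27.47 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=941 DF PROTO=TCP SPT=32198 DPT=8633 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=68.54.201.208 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=954 DF PROTO=TCP SPT=49098 DPT=47188 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=80.160.91.25 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=955 DF PROTO=TCP SPT=35972 DPT=33033 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=81.240.149.178 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=961 DF PROTO=TCP SPT=49052 DPT=54409 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=130.179.201.131 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=962 DF PROTO=TCP SPT=28209 DPT=8023 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=67.69.110.228 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=968 DF PROTO=TCP SPT=34626 DPT=23194 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=66.69.107.163 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=970 DF PROTO=TCP SPT=49530 DPT=40158 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=24.99.112.6 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=972 DF PROTO=TCP SPT=49100 DPT=35042 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  8 11:10:55 zeus kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=eth2 SRC=10.0.1.2 DST=24.201.219.22 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=973 DF PROTO=TCP SPT=23879 DPT=53953 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then the Shorewall prefix "chain:action:" followed by iptables LOG fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Parse one Shorewall log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "chain": m.group("chain"), "action": m.group("action")}
    flags = []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # KEY=VALUE fields such as SRC=, DST=, DPT=
            rec[key] = value
        else:
            flags.append(tok)                # bare tokens such as DF, SYN, ACK
    rec["flags"] = flags
    return rec


def summarize(lines, syn_only=True):
    """Group DROP records by source address: hit count, distinct destinations and ports.

    With syn_only=True only connection attempts (SYN set, ACK clear) are counted, so
    replies and mid-stream packets do not inflate the numbers."""
    per_src = defaultdict(lambda: {"count": 0, "dsts": set(), "dpts": set(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec.get("PROTO") != "TCP":
            continue
        if syn_only and ("SYN" not in rec["flags"] or "ACK" in rec["flags"]):
            continue
        entry = per_src[rec["SRC"]]
        entry["count"] += 1
        entry["dsts"].add(rec["DST"])
        entry["dpts"].add(int(rec["DPT"]))
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return dict(per_src)


def flag_fanout(summary, min_dsts=5):
    """Return sources whose dropped SYNs reach at least min_dsts distinct external hosts.

    A single internal host fanning out to many unrelated addresses on high ports is the
    pattern that justifies looking at that host (malware, a P2P client, or a scanner)
    rather than at the destinations. min_dsts=5 is an arbitrary example threshold."""
    return sorted(src for src, s in summary.items() if len(s["dsts"]) >= min_dsts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for src, s in summary.items():
        print(f"{src}: {s['count']} dropped SYNs, {len(s['dsts'])} destinations, "
              f"{len(s['dpts'])} dest ports, {s['first']} .. {s['last']}")
    print("sources to investigate:", flag_fanout(summary))
```

Run against the ten lines above, the summary shows one source (10.0.1.2) with ten dropped SYNs to ten distinct destinations on ten distinct ports, all above 1024, within two seconds; that is why the sensible next step is to look at what is running on the machine behind 10.0.1.2 (here the ISA server, which NATs the internal clients) rather than contacting the owners of the destination addresses. Pointing the script at the real log (for example `summarize(open("/var/log/messages"))`) works the same way, since `parse_line` skips lines that are not Shorewall records.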