I am getting syslog messages that look like this:

Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0

I am only getting these messages because I have outbound packets with 
destination port 7 blocked. I think I may have been compromised in some 
way, just because the packets are outbound. They seem to come in groups of 
6 at seemingly random intervals and seem to be focused on the following 
addresses:
        216.52.13.9[014] and 209.204.62.150

I have a number of questions about how to deal with this issue:

1. How can I find out what program is running to produce this?
2. Is anyone else getting messages like this in their syslog? (You would 
   need your firewall to block appropriately to see this.)
3. Is there any way that I can get access to those packets and see what 
   the message is that they are trying to send?

Nothing really bad has happened yet, but I'm getting nervous.

Thanks everyone.

-- 
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ
-Donor?Black holes are where God divided by zero. Listen to me! We are all-
-individuals! What if this weren't a hypothetical question? [EMAIL PROTECTED]
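Added example, not part of the post or any reply: a small Python parser for the iptables LOG format quoted above that groups the dropped outbound packets into bursts per source address and tallies destination host/port, so the "groups of 6" and the targeted addresses can be read out of syslog itself rather than by eye. The sample log lines are constructed (the addresses are the ones the post names; timestamps, IDs and source ports are made up).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the netfilter LOG format quoted in the post: one burst of 6,
# one lone packet 47 minutes later, and one unrelated syslog line that must be skipped.
SAMPLE_LOG = """\
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.90 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17665 DF PROTO=TCP SPT=43932 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:37 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.94 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17666 DF PROTO=TCP SPT=43933 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:37 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=209.204.62.150 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17667 DF PROTO=TCP SPT=43934 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:38 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17668 DF PROTO=TCP SPT=43935 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:38 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.90 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17669 DF PROTO=TCP SPT=43936 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 19:41:02 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147 DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=20001 DF PROTO=TCP SPT=44870 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 19:41:05 saturn sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""
# syslog header, optional "[secs.usecs]" kernel stamp, the --log-prefix, then the field list
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[ \d.]+\] )?(?P<prefix>\w+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_line(line):
    """Fields of one iptables LOG line as a dict, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["flags"] = {t for t in m.group("rest").split() if t in FLAGS}
    fields["prefix"] = m.group("prefix")
    # syslog timestamps carry no year; strptime's default (1900) is fine for time deltas
    fields["time"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return fields

def parse_log(text):
    return [f for f in map(parse_netfilter_line, text.splitlines()) if f]

def bursts(entries, gap_seconds=5):
    """Consecutive packets from one SRC at most gap_seconds apart form a burst."""
    groups = []
    for e in sorted(entries, key=lambda e: e["time"]):
        if groups and e["SRC"] == groups[-1][-1]["SRC"] and \
                (e["time"] - groups[-1][-1]["time"]).total_seconds() <= gap_seconds:
            groups[-1].append(e)
        else:
            groups.append([e])
    return [(g[0]["time"], len(g), sorted({e["DST"] for e in g}), {e["DPT"] for e in g})
            for g in groups]

def destination_counts(entries):
    """Count (DST, PROTO, DPT) so the targeted hosts and service stand out."""
    return Counter((e["DST"], e["PROTO"], e["DPT"]) for e in entries)
```

Run it over the real syslog with `parse_log(open("/var/log/syslog").read())` and the burst start times give the "random intervals", which is what you want next to process-accounting or `ss`/`netstat` output when hunting for the sending program.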