On 08/10/02 14:06 -0400, Chris S wrote:
> I'm getting a good amount of these DENY's in my logs, but I'm not sure
> exactly what they mean.
>
> Oct 7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6
> 216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)
<snip>

The SYN bit is not set, so it looks like this is a TCP response. There
was an old post about reading ipchains logs. I can't recall which list it
was on though (this one/bugtraq/loganalysis/firewall-wizards).

> 216.178.84.110 is the address bound to my webserver. To me it looks like my
> webserver is trying to connect to 65.56.237.226 on port 2002 (the new linux
> worm). I could be wrong about this, but I'm not sure.

Or maybe a simple browser expecting a response?

> I have these lines for IPChains so I don't know how or if I'm infected.
>
> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
> DENY       tcp  ----l-  anywhere              anywhere              any ->   2002
> DENY       udp  ----l-  anywhere              anywhere              any ->   2002
>
> Chain output (policy ACCEPT):
> target     prot opt     source                destination           ports
> DENY       udp  ----l-  anywhere              anywhere              any ->   2002
> DENY       tcp  ----l-  anywhere              anywhere              any ->   2002

You aren't looking for connections being initiated from your box, but at
all connections to port 2002/tcp. I suggest that the tcp rules be modified
to look for the initial SYN bit set too, or you upgrade to iptables.

You are probably looking at a webserver response to a perfectly normal
query.

Devdas Bhagat
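The point Devdas is making is that the kernel's ipchains log line carries the SYN state as a literal " SYN" token just before the "(#n)" hit counter, and its absence is what tells you the denied packet was not a new connection. The following parser is an added example written for this editor's notes; it is not code from the thread or from the ipchains project. The first sample line is the one quoted above; the other two are constructed to show what an inbound SYN to 2002/tcp and a UDP packet look like, and the list of "local service ports" is an assumption for the classification step.

```python
"""Parse 2.2-kernel ipchains "Packet log:" lines and separate new TCP
connections (SYN set) from replies sent by a local service.

Added example, not part of the original mailing-list thread.
"""
import re

# Field layout of an ipchains log line. For TCP packets with the SYN bit
# set (and ACK clear) the kernel appends " SYN" before the "(#n)" counter;
# when the token is absent the packet is not a connection attempt.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?"
    r"(?: \(#(?P<count>\d+)\))?"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: line 1 is the one quoted in the thread, lines 2 and 3
# are made up to show an inbound SYN and a UDP packet to the same port.
SAMPLE_LOG = [
    "Oct 7 19:51:45 furby kernel: Packet log: output DENY eth0 PROTO=6 "
    "216.178.84.110:80 65.56.237.226:2002 L=48 S=0x00 I=17224 F=0x4000 T=64 (#2)",
    "Oct 7 20:01:12 furby kernel: Packet log: input DENY eth0 PROTO=6 "
    "65.56.237.226:3310 216.178.84.110:2002 L=60 S=0x00 I=301 F=0x4000 T=49 SYN (#1)",
    "Oct 7 20:01:15 furby kernel: Packet log: input DENY eth0 PROTO=17 "
    "65.56.237.226:2002 216.178.84.110:2002 L=78 S=0x00 I=302 F=0x0000 T=49",
]

# Assumption for this example: ports on which this host runs a service.
LOCAL_SERVICE_PORTS = frozenset({80, 443})


def parse_ipchains_log(line):
    """Return a dict of the packet fields, or None if the line is not an
    ipchains packet log entry (the syslog prefix is ignored)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"],
        "action": d["action"],
        "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "length": int(d["length"]),
        "ttl": int(d["ttl"]),
        "frag": int(d["frag"], 16),
        "syn": d["syn"] is not None,
        "count": int(d["count"]) if d["count"] else 0,
    }


def classify(rec, local_services=LOCAL_SERVICE_PORTS):
    """Say what kind of packet a parsed log record describes."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    if rec["syn"]:
        # Initial SYN: something is trying to open a connection to dport.
        return "new connection"
    if rec["chain"] == "output" and rec["sport"] in local_services:
        # No SYN, leaving the box, from a port we serve on: consistent with
        # a reply to a client that used dport as its ephemeral port.
        return "probable reply from local service"
    return "established traffic (no SYN)"


def summarize(lines):
    """Count classifications over a list of log lines."""
    counts = {}
    for line in lines:
        rec = parse_ipchains_log(line)
        if rec is None:
            continue
        kind = classify(rec)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_ipchains_log(line)
        print(rec["chain"], rec["proto"], rec["src"], rec["sport"], "->",
              rec["dst"], rec["dport"], "SYN" if rec["syn"] else "-",
              "=>", classify(rec))
    print(summarize(SAMPLE_LOG))
```

Run against the quoted line, the parser reports an output-chain TCP packet from port 80 with no SYN, which is why the reply reads it as a web server answering a client whose ephemeral port happened to be 2002. To log only genuine connection attempts instead, the tcp rules would carry the ipchains `-y` (`--syn`) option, which matches only packets with SYN set and ACK/FIN cleared, so a rule of the form `ipchains -A output -p tcp -y -d 0.0.0.0/0 2002 -j DENY -l` would never fire on the server's own replies.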