[wplug] strange messages.

Alexandros Papadopoulos apapadop at cmu.edu
Mon Sep 30 14:39:01 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 30 September 2002 13:39, harrold at sage.che.pitt.edu wrote:
> Hey.
>
> One of our computers is having some issues. It's been getting really slow
> with really high loads. From top it appears as though there is enough free
> RAM/CPU, and that there shouldn't be any reason to have a load of 10+. I
> was poking around in the logs and I found a lot of the following:
>
>
> Sep 29 04:08:55 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250
> DST=61.218.206.18 LEN=257 TOS=0x00 PREC=0x00 TTL=63 ID=53115 PROTO=UDP
> SPT=137 DPT=1025 LEN=237
>
> Sep 30 11:53:29 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250
> DST=218.16.125.85 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7854 DF PROTO=TCP
> SPT=4647 DPT=80 WINDOW=6432 RES=0x00 SYN URGP=0
>
>
> They all seem to be originating from the same computer, 136.142.89.250, but
> with different destinations. I believe this is output from iptables, which
> is running on this computer to do NAT for the lab.
>
> Can someone tell me what these mean?

The first one is a UDP packet to your 1025 port. Postings in newsgroups 
suggest that it's quite innocent, but I don't know for sure.

The second one is a TCP packet to port 80, most likely an HTTP request. If 
you're running Apache, check its logs for more information on the nature of 
the HTTP requests (perhaps you're being targeted by Nimda-like worms).

Hope this helps

- -A 

- -- 
http://www.andrew.cmu.edu/~apapadop/pub_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mJpG/Fud6lI1bCIRAuASAJ0cyZwd7gtoplNTgOXBec9tLyPznACeK0OR
tODvr41GY6hNs4RnY46BSiY=
=SeOI
-----END PGP SIGNATURE-----
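The log lines in the question are the standard `KEY=VALUE` output of the netfilter LOG target, and the fastest way to answer "what is this machine doing" is to parse them and count, rather than reading them one at a time. The following is an added example written for this page, not code from either poster: a small parser for these kernel log lines, run over the two entries quoted above (re-split one entry per line; constructed sample input), that extracts the fields, classifies direction from the IN/OUT interface fields (the LOG target leaves OUT empty for packets logged in INPUT, IN empty for OUTPUT, and sets both for forwarded traffic), and aggregates by source, destination, service and TCP flags. The function and variable names are my own.

```python
"""Parse netfilter/iptables LOG-target lines and summarize them.

Added example for this thread (not the original posters' code).  Field
names (IN, OUT, SRC, DST, PROTO, SPT, DPT, LEN, ...) are those emitted by
the kernel LOG target; the sample lines are the two quoted in the question.
"""
import re
from collections import Counter

# Constructed sample input: the two entries from the question, each on one line.
SAMPLE_LOG = """\
Sep 29 04:08:55 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=61.218.206.18 LEN=257 TOS=0x00 PREC=0x00 TTL=63 ID=53115 PROTO=UDP SPT=137 DPT=1025 LEN=237
Sep 30 11:53:29 computername kernel: IN=eth0 OUT=eth0 SRC=136.142.89.250 DST=218.16.125.85 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7854 DF PROTO=TCP SPT=4647 DPT=80 WINDOW=6432 RES=0x00 SYN URGP=0
"""

# Syslog header: "Mon DD HH:MM:SS host kernel: <optional --log-prefix text> IN=..."
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one LOG-target line, or None for any other line."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    start = rest.find("IN=")
    if start < 0:                      # a kernel message, but not from the LOG target
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": rest[:start].strip(), "flags": []}
    for tok in rest[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP entries carry LEN twice (IP total length, then UDP length);
            # keep the first under LEN and the repeat under LEN2.
            rec[key + "2" if key in rec else key] = val
        else:
            rec["flags"].append(tok)   # bare tokens: DF, SYN, ACK, FIN, RST, ...
    for key in ("SPT", "DPT", "TTL", "LEN"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def direction(rec):
    """Classify by which interface fields the LOG target filled in:
    both IN and OUT set -> forwarded through this box (FORWARD chain),
    only IN -> destined to this host, only OUT -> generated by this host."""
    if rec.get("IN") and rec.get("OUT"):
        return "forwarded"
    return "inbound" if rec.get("IN") else "outbound"


def parse_log(text):
    """Parse every LOG-target line in a block of syslog text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """The counts a sysadmin wants first: who is talking, to whom, on what."""
    return {
        "by_src": Counter(r["SRC"] for r in records),
        "by_dst": Counter(r["DST"] for r in records),
        "by_service": Counter((r["PROTO"], r["DPT"]) for r in records if "DPT" in r),
        "by_direction": Counter(direction(r) for r in records),
        # bare SYNs are new outbound connection attempts, the thing to watch
        # for on a NAT box whose load is unexplained
        "syn_only": sum(1 for r in records
                        if r.get("PROTO") == "TCP"
                        and "SYN" in r["flags"] and "ACK" not in r["flags"]),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]} {direction(r):9} {r["PROTO"]:4} '
              f'{r["SRC"]}:{r.get("SPT")} -> {r["DST"]}:{r.get("DPT")} {" ".join(r["flags"])}')
    for name, counter in summarize(recs).items():
        print(name, dict(counter) if isinstance(counter, Counter) else counter)
```

On a real box, feed it `grep 'IN=' /var/log/messages` (or wherever klogd writes) rather than the sample; the `by_src` and `syn_only` counters are the ones that separate one noisy lab host from a scan or a worm, and the parsed `SRC`/`SPT` pair tells you which internal machine to walk over to.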
