[Dshield] RE: Log ID and Template question...

Ryan J Betz ryanb at maumeepattern.com
Mon Jul 23 16:30:08 GMT 2001


It looks like people are trying to connect to your machine thinking it's an
IRC server.  I suppose if you have a dynamic IP address, and the previous
owner was running an IRC server on his machine at the time, you could be
getting leftovers.  Another possiblity is someone has compromised your
machine and installed an IRC daemon and told all thier friends, but I think
this is less likely, and hope for your sake this isn't the case.  Best bet
to make sure that didn't happen is to use nmap and scan yourself to see if
anything is open that's not supposed to be.  Hope this helps!

Ryan


Does anyone recognize what these IPs are trying to do w/ my server?

Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
129.250.240.197:6667 206.126.3.14:62539 L=40 S=0x00 I=19378 F=0x4000 T=54
Jul 22 09:27:35 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
194.47.161.38:6667 206.126.3.14:62711 L=40 S=0x00 I=19059 F=0x4000 T=37
Jul 22 09:12:33 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
195.159.0.91:6667 206.126.3.14:62623 L=40 S=0x00 I=22974 F=0x4000 T=43
Jul 22 09:21:51 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
207.96.122.252:6667 206.126.3.14:62640 L=44 S=0x00 I=65459 F=0x4000 T=43
Jul 22 09:03:13 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
209.116.7.98:6667 206.126.3.14:62537 L=40 S=0x00 I=20764 F=0x4000 T=48
Jul 22 09:37:25 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
65.161.40.142:6667 206.126.3.14:62726 L=48 S=0x00 I=0 F=0x4000 T=45

I'm not involved w/IRC clients or servers so don't know what's causing this
traffic?

I'm getting fed up w/ the dozen or so IPs that continue this barrage....

Does anyone know of any abuse templates I could tweak to forward
to the RP's involved?

Thanks
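
The ipchains entries quoted in this post, parsed and tallied per remote address, as an added example that is not part of the original thread: it re-joins the mail-wrapped lines and reports, for each source, which end of the packet carried port 6667. The function names and the `year` default (taken from the post's date, since syslog omits the year) are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipchains fields: chain action iface PROTO src:port dst:port L=len S=TOS I=id F=frag T=TTL
ENTRY = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\sPacket log:\s"
    r"(?P<chain>\S+)\s(?P<action>\S+)\s(?P<iface>\S+)\sPROTO=(?P<proto>\d+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
    r"L=(?P<len>\d+)\sS=0x[0-9A-Fa-f]+\sI=\d+\sF=0x[0-9A-Fa-f]+\sT=(?P<ttl>\d+)"
)

# Three entries from the post, still wrapped the way the mail client left them.
SAMPLE = """\
Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
129.250.240.197:6667 206.126.3.14:62539 L=40 S=0x00 I=19378 F=0x4000 T=54
Jul 22 09:27:35 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
194.47.161.38:6667 206.126.3.14:62711 L=40 S=0x00 I=19059 F=0x4000 T=37
Jul 22 09:37:25 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
65.161.40.142:6667 206.126.3.14:62726 L=48 S=0x00 I=0 F=0x4000 T=45
"""

def parse(text, year=2001):  # syslog omits the year; 2001 is the post's date
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"\w{3}\s+\d+\s[\d:]{8}\s", line) or not entries:
            entries.append(line)          # a new log entry begins here
        else:
            entries[-1] += " " + line     # continuation of a wrapped entry
    records = [m.groupdict() for m in map(ENTRY.match, entries) if m]
    for rec in records:
        rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return records

def summarize(records, port=6667):  # one summary per remote source address
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "port_on": set()})
    for r in records:
        s = out[r["src"]]
        s["count"] += 1
        s["first"] = min(s["first"] or r["when"], r["when"])
        s["last"] = max(s["last"] or r["when"], r["when"])
        side = "src" if int(r["sport"]) == port else "dst" if int(r["dport"]) == port else "neither"
        s["port_on"].add(side)
    return dict(out)

if __name__ == "__main__":
    for ip, s in sorted(summarize(parse(SAMPLE)).items()):
        print(ip, s["count"], s["first"], s["last"], sorted(s["port_on"]))
```

The per-source count and first/last timestamps are the details an abuse report to each network's contact would be built around.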





