Linux Help
Bombarded, irdms 8000

nobby355
post Mar 22 2004, 08:00 AM
Post #1
Group: Members
Posts: 1
Joined: 22-March 04
Member No.: 2,630

Help

I have a system running SuSE 8

I am getting bombarded by all sorts of traffic from all over the world, mostly porn, through port 8000. Because I use this system to connect remote sites, using cipe, I need to have the flexibility of keeping this port open, especially with the connections to other manufacturers' systems. Here is a dump using tcpdump on cipcb0:
13:14:49.947294 172.16.7.250.brvread > 10.48.29.1.domain: 18346+ PTR? 96.108.17.216.in-addr.arpa. (44) (DF) [tos 0x10]
13:14:50.135735 172.16.7.250.cap > 10.48.29.1.domain: 1884+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:14:50.642121 10.48.29.1.domain > 172.16.7.250.brvread: 18346* 1/3/3 PTR[|domain]
13:14:50.681149 10.48.29.1.domain > 172.16.7.250.cap: 1884 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:14:54.221404 172.16.7.250.cap > 10.48.29.1.domain: 1885+ A? m2.doubleclick.net. (36) (DF) [tos 0x10]
13:14:54.824094 10.48.29.1.domain > 172.16.7.250.cap: 1885 3/0/0 CNAME[|domain]
13:14:55.991259 172.16.7.250.brvread > 10.48.29.1.domain: 18347+ PTR? 19.112.208.217.in-addr.arpa. (45) (DF) [tos 0x10]
13:14:56.504446 172.16.7.250.cap > 10.48.29.1.domain: 1886+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:14:56.798178 10.48.29.1.domain > 172.16.7.250.cap: 1886 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:14:56.834076 10.48.29.1.domain > 172.16.7.250.brvread: 18347* 1/2/2 PTR[|domain]
13:14:58.685292 172.16.7.250.cap > 10.48.29.1.domain: 1887+ A? l6.login.scd.yahoo.com. (40) (DF) [tos 0x10]
13:14:59.341921 10.48.29.1.domain > 172.16.7.250.cap: 1887* 1/5/5 A 66.218.74.91 (226)
13:14:59.375647 172.16.7.250.cap > 10.48.29.1.domain: 1888+ A? www.centerfoldparadise.com. (44) (DF) [tos 0x10]
13:15:00.223759 10.48.29.1.domain > 172.16.7.250.cap: 1888* 1/1/1 A 216.66.18.191 (104)
13:15:00.244433 172.16.7.250.brvread > 10.48.29.1.domain: 18348+ PTR? 191.18.66.216.in-addr.arpa. (44) (DF) [tos 0x10]
13:15:01.117090 10.48.29.1.domain > 172.16.7.250.brvread: 18348* 1/3/3 PTR[|domain]
13:15:01.118450 172.16.7.250.cap > 10.48.29.1.domain: 1889+ A? ad.linksynergy.com. (36) (DF) [tos 0x10]
13:15:03.899364 172.16.7.250.cap > 10.48.29.1.domain: 1890+ A? www.awin1.com. (31) (DF) [tos 0x10]
13:15:04.802398 172.16.7.250.cap > 10.48.29.1.domain: 1891+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:15:05.380718 10.48.29.1.domain > 172.16.7.250.cap: 1891 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:15:08.528393 172.16.7.250.cap > 10.48.29.1.domain: 1892+ A? lawcrawler.com. (32) (DF) [tos 0x10]
13:15:08.738333 172.16.7.250.cap > 10.48.29.1.domain: 1893+ A? m2.doubleclick.net. (36) (DF) [tos 0x10]
13:15:09.150515 10.48.29.1.domain > 172.16.7.250.cap: 1893 3/0/0 CNAME[|domain]
13:15:09.274673 10.48.29.1.domain > 172.16.7.250.cap: 1892* 1/2/2 A 66.35.204.10 (129)
13:15:11.540087 172.16.7.250.cap > 10.48.29.1.domain: 1894+ A? www.katesplayground.com. (41) (DF) [tos 0x10]
13:15:11.671627 10.48.29.1.domain > 172.16.7.250.cap: 1894 1/0/0 A 66.197.127.140 (57)
13:15:12.071078 172.16.7.250.cap > 10.48.29.1.domain: 1895+ A? www.fh555.com. (31) (DF) [tos 0x10]
13:15:12.706632 10.48.29.1.domain > 172.16.7.250.cap: 1895 1/0/0 A 218.106.83.7 (47)
13:15:16.636925 172.16.7.250.cap > 10.48.29.1.domain: 1896+ A? l16.login.dcn.yahoo.com. (41) (DF) [tos 0x10]
13:15:16.816949 172.16.7.250.cap > 10.48.29.1.domain: 1897+ A? ad.linksynergy.com. (36) (DF) [tos 0x10]
13:15:16.996986 172.16.7.250.cap > 10.48.29.1.domain: 1898+ A? l16.login.dcn.yahoo.com. (41) (DF) [tos 0x10]
13:15:17.128594 10.48.29.1.domain > 172.16.7.250.cap: 1897 4/0/0 A 63.123.248.7, A 63.123.248.8[|domain]
13:15:17.977996 172.16.7.250.brvread > 10.48.29.1.domain: 18349+ PTR? 82.79.208.217.in-addr.arpa. (44) (DF) [tos 0x10]
13:15:18.232604 10.48.29.1.domain > 172.16.7.250.cap: 1896* 1/5/5 A 216.109.127.47 (227)
13:15:22.924926 172.16.7.250.cap > 10.48.29.1.domain: 1899+ A? www.legfreak.com. (34) (DF) [tos 0x10]
13:15:26.533908 172.16.7.250.cap > 10.48.29.1.domain: 1900+ A? www.all2men.com. (33) (DF) [tos 0x10]
13:15:26.833249 10.48.29.1.domain > 172.16.7.250.cap: 1900 1/0/0 A 211.94.204.42 (49)
13:15:28.291827 172.16.7.250.cap > 10.48.29.1.domain: 1901+ A? www.outwar.com. (32) (DF) [tos 0x10]
13:15:28.825572 172.16.7.250.cap > 10.48.29.1.domain: 1902+ A? www.sciencedirect.com. (39) (DF) [tos 0x10]
13:15:28.942481 10.48.29.1.domain > 172.16.7.250.cap: 1901 1/0/0 A 216.22.4.47 (48)
13:15:29.200763 172.16.7.250.cap > 10.48.29.1.domain: 1903+ A? www.realgalleries.com. (39) (DF) [tos 0x10]
13:15:29.431279 10.48.29.1.domain > 172.16.7.250.cap: 1902 2/0/0 CNAME sciencedirect.com., A[|domain]
Can anyone help please?

hughesjr
post Mar 22 2004, 09:12 PM
Post #2
Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Chrsiti, TX, USA
Member No.: 1,151

I'm not positive ... but it looks to me like 10.48.29.1 is a DNS server and the computer 172.16.7.250 is doing name lookups on it (10.48.29.1) through your tunnel.

It doesn't look like the traffic is originating from an external source to me....


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
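The check behind that reading of the dump, as an added example (not from the post, the forum, or tcpdump itself): a small Python parser for tcpdump's DNS summary lines that counts which hosts send queries, which hosts answer, what names are asked for, and whether any endpoint lies outside RFC 1918 private address space. The sample lines are constructed in the shape of the dump above.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: a few lines in the shape of the tcpdump output quoted in the post.
SAMPLE = """\
13:14:50.135735 172.16.7.250.cap > 10.48.29.1.domain: 1884+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:14:50.681149 10.48.29.1.domain > 172.16.7.250.cap: 1884 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:14:55.991259 172.16.7.250.brvread > 10.48.29.1.domain: 18347+ PTR? 19.112.208.217.in-addr.arpa. (45) (DF) [tos 0x10]
13:14:59.375647 172.16.7.250.cap > 10.48.29.1.domain: 1888+ A? www.centerfoldparadise.com. (44) (DF) [tos 0x10]
13:15:00.223759 10.48.29.1.domain > 172.16.7.250.cap: 1888* 1/1/1 A 216.66.18.191 (104)
"""

# tcpdump DNS summary: "<time> <src>.<port> > <dst>.<port>: <id>[+|*] [<QTYPE>? <name>] ..."
# '+' = recursion desired (a query); '*' = authoritative answer (a response).
LINE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"(?P<id>\d+)[+*]?\s*(?:(?P<qtype>\w+)\? (?P<qname>\S+))?"
)

def parse(line):
    """Return the addressing and query fields of a DNS line, or None if it is not DNS."""
    m = LINE.match(line)
    if not m or "domain" not in (m["sport"], m["dport"]):
        return None
    rec = m.groupdict()
    rec["is_query"] = rec["dport"] == "domain"   # sent to port 53 = a lookup
    return rec

def summarize(text):
    """Who asks, who answers, what is asked, and whether any endpoint is non-RFC1918."""
    queriers, resolvers, names, external = Counter(), Counter(), [], set()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for host in (rec["src"], rec["dst"]):
            if not ip_address(host).is_private:
                external.add(host)
        if rec["is_query"]:
            queriers[rec["src"]] += 1
            names.append((rec["qtype"], rec["qname"].rstrip(".")))
        else:
            resolvers[rec["src"]] += 1
    return {"queriers": dict(queriers), "resolvers": dict(resolvers),
            "names": names, "external": sorted(external)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports 172.16.7.250 as the only querier, 10.48.29.1 as the only answerer, and no non-private endpoint, which is the point of the reply. tcpdump prints service names (cap, brvread, domain) from /etc/services, so run it with -n to see numeric ports and confirm whether port 8000 appears at all; [|domain] marks a packet cut short by the capture length.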