On Friday 10 August 2001 20:12, Ricardo Romero wrote: [snip]
Aug 10 20:05:59 ricromero kernel: Packet log: rulchain REJECT eth0 PROTO=6 200.207.153.166:4215 MY_IP_ADDRESS:80 L=48 S=0x00 I=29432 F=0x4000 T=121 SYN (#5)
[snip]

Hi,

REJECT -> which rule set was used
eth0 -> which interface the request arrived on
PROTO=6 -> what protocol (TCP - see /etc/protocols for more)
200.207.153.166:4215 -> IP address of origination of request, their port 4215
MY_IP_ADDRESS:80 -> request sent to your port 80 (http)
      see /etc/services for more
L=48 -> length of packet, in octets
S=0x00 -> packet is fragmentable, but not a fragment
I=29432 -> IP identifier, for reassembling fragmented packets
F=0x4000 -> fragment offset, also for reassembling fragmented packets
T=121 -> time to live for packet, in seconds
(#5) -> which reject rule was applied

Probably a Code Red infected Win 2K/NT IIS system looking for new victims.
You really have to wonder what the IIS admins have been doing.

John