Hi Patrick,
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
[snip]
> My firewall logs and my httpd logs both show that 24.208.133.143 is being
> accepted and *must* be a virus action. I cannot believe that a person can
> be *so* unknowing about his computer security. I have

Oh, be creative - there are many DAUs out there ;o)

> notified security@rr.com twice in the last three days about him. I guess
> that I will have to start sending them a daily report of each RoadRunner
> account which attempts violation of my system. Only thing, the total daily
> reports will be voluminous, reflecting negatively upon me

Maybe, but I'd try to contact abuse@rr.com. Check for the e-mail address with "whois 24.208.133.143" ;-)

> who is on the wrong end and also a RoadRunner user.

A Windows user with open VNC ports, open SMB ports and some other interesting stuff :o)

> What to do, what to do ??

Have a look at "netstat -an|grep 24.208.133.143" and check whether there is still an active connection. Please send the interesting part of your logfile to the list.

You can always try the next two commands:

iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP

(Don't start the firewall services after entering the two commands.)

If these don't help, I'd begin checking for rootkits and logging the network traffic between your host and the evil IP address. But be careful - according to the hostname it's a DHCP address, so it may be changing.

regards,
Stefan
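The steps Stefan lists (look for a live connection in `netstat -an`, drop the address in both directions, then capture what still arrives from it) gathered into one script. This is an added example and not a message from the thread: the netstat listing is constructed for the example, the 192.168.1.10 and 10.0.0.5 addresses are made up, and the capture file path is an assumption. It matches the peer on the whole foreign-address field rather than with a bare grep, which would also report a host such as 124.208.133.143.

```sh
#!/bin/sh
# Added example, not part of the original thread. Pulls the connections from
# one peer out of a `netstat -an` listing, counts the ones still open, and
# prints the response commands. The listing below is constructed; on a real
# host replace it with the live output of `netstat -an`.

EVIL_IP="24.208.133.143"

# Constructed sample of `netstat -an` output (Linux format). The last line is
# a different host whose address merely contains the evil one as a substring;
# a bare `grep 24.208.133.143` would report it too.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         24.208.133.143:4437     ESTABLISHED
tcp        0      0 192.168.1.10:80         24.208.133.143:4438     TIME_WAIT
tcp        0      0 192.168.1.10:22         10.0.0.5:51022          ESTABLISHED
tcp        0      0 192.168.1.10:80         124.208.133.143:1025    ESTABLISHED'

# Print the netstat lines (read from stdin) whose foreign address is exactly
# IP:port. Anchoring on the start of the field avoids the substring hit.
peer_connections() {
    awk -v ip="$1" '
        BEGIN { gsub(/\./, "\\.", ip) }      # dots are literal, not "any char"
        $5 ~ "^" ip ":" { print }
    '
}

# Count only the connections that are still open (ESTABLISHED); TIME_WAIT
# entries are leftovers and do not mean the host is still talking to you.
count_established() {
    awk -v ip="$1" '
        BEGIN { gsub(/\./, "\\.", ip); n = 0 }
        $5 ~ "^" ip ":" && $6 == "ESTABLISHED" { n++ }
        END { print n }
    '
}

# Print (do not run) the response: drop the address in both directions,
# confirm the rules landed, and record whatever still arrives from it.
# tcpdump sees inbound packets before netfilter drops them, so the capture
# keeps working after the DROP rules are in. Run these as root once read.
response_commands() {
    ip="$1"
    echo "iptables -I INPUT -s $ip -j DROP"
    echo "iptables -I OUTPUT -d $ip -j DROP"
    echo "iptables -L INPUT -n | grep -F '$ip'"
    echo "iptables -L OUTPUT -n | grep -F '$ip'"
    # Capture path is an assumption; pick one that survives a reboot.
    echo "tcpdump -n -i any host $ip -w /var/log/evil-$ip.pcap"
}

# Stand-alone demo over the constructed listing.
printf '%s\n' "$SAMPLE_NETSTAT" | peer_connections "$EVIL_IP"
echo "open connections from $EVIL_IP: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_established "$EVIL_IP")"
response_commands "$EVIL_IP"
```

Because the address is handed out by DHCP, a rule keyed to it goes stale when the lease changes; re-run the netstat check against the current reverse-DNS name before trusting that the DROP rules still cover the right host.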