What about using /etc/hosts.deny? You should add "service : address"
Patrick Shanahan
On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
abuse@rr.com has been contacted also, but they do not want it.
...
firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]
I do not think, although I cannot understand, that RoadRunner is *interested*. I have reported this particular site, 24.208.133.143, twice in the last 3 days, Tuesday and Wednesday. I intend to report it again today and bang on the chat-help although I have *no* faith that anyone on the other end will understand what I am talking about. They keep asking me if it is *spam* . -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience
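An added example, not part of the original thread: a small Python script that tallies inbound port-80 connections per source address from firewall lines in the SuSE-FW-ACCEPT format quoted above, giving the count and first/last timestamps an abuse report needs. The sample log lines are constructed, use documentation-range addresses, and assume the standard netfilter LOG fields (SRC, PROTO) that are elided in the quoted line; the function names are hypothetical.

```python
import re

# Constructed sample lines in the format quoted in the thread. Addresses are
# documentation ranges, not hosts from the original post.
SAMPLE_LOG = """\
Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1492 DPT=80 SYN
Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1493 DPT=80 SYN
Mar 20 06:50:02 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Mar 20 07:01:45 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1501 DPT=80 SYN
Mar 20 07:02:00 wahoo sshd[311]: unrelated line without firewall fields
Mar 20 07:10:12 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=40150 DPT=80 SYN
"""

# syslog timestamp, hostname, "kernel:", firewall log prefix, then KEY=VALUE fields
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\s(\S+)\s(.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one kernel firewall line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, prefix, rest = m.groups()
    fields = dict(FIELD.findall(rest))  # bare flags such as SYN are ignored
    fields["_time"], fields["_prefix"] = stamp, prefix
    return fields


def summarize(log_text, dport="80", prefix="SuSE-FW-ACCEPT"):
    """Count TCP connections to dport per source address, in log order."""
    hits = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["_prefix"] != prefix:
            continue
        if f.get("PROTO") != "TCP" or f.get("DPT") != dport or "SRC" not in f:
            continue
        entry = hits.setdefault(
            f["SRC"], {"count": 0, "first": f["_time"], "last": f["_time"]})
        entry["count"] += 1
        entry["last"] = f["_time"]
    return hits


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, e in ranked:
        print(f"{src}\t{e['count']} hits on port 80\t{e['first']} .. {e['last']}")
```
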