[lug] phantom irc traffic
Gordon Golding
gordongoldin at aim.com
Thu Nov 20 16:16:28 MST 2008
Somebody noticed a very regular pattern of IRC traffic from our webserver.
Every 3 minutes a handshake.
What could cause this?
We got cooties?
Can’t seem to figure out what process is doing this.
Also, we see an ESTABLISHED connection to irc.rcn.com
Can’t figure out what process is holding that connection.
How can I figure out what process is holding that irc.rcn.com
that I see in netstat?
Any thoughts?
IP 195.197.175.21 is irc2.saunalahti.fi
We have grad students and researchers from all over the
world, so I’m not immediately panicked at the foreign address.
Here are some flowscan logs for the IRC traffic.
11/20 00:05:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:05:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:08:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:08:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:11:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:11:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:14:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:14:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:15:28 128.138.225.63 195.197.175.21 6 0 49439 6667 2 104
11/20 00:15:28 195.197.175.21 128.138.225.63 6 0 6667 49439 2 379
11/20 00:17:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:17:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:20:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:20:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:23:10 128.138.225.63 195.197.175.21 6 0 49439 6667 3 190
11/20 00:23:10 195.197.175.21 128.138.225.63 6 0 6667 49439 3 328
Gordon
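
Added example, not part of the original post: a small Python check that measures the gaps between flow records for each connection and reports the ones that repeat on a fixed period, using the flow lines quoted above as input. The column order, the function names `parse` and `beacons`, and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Flow lines from the post. Assumed columns: date time src dst proto tos sport dport pkts bytes
FLOWS = """\
11/20 00:05:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:05:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:08:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:08:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:11:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:11:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:14:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:14:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:15:28 128.138.225.63 195.197.175.21 6 0 49439 6667 2 104
11/20 00:15:28 195.197.175.21 128.138.225.63 6 0 6667 49439 2 379
11/20 00:17:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:17:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:20:05 128.138.225.63 195.197.175.21 6 0 49439 6667 2 138
11/20 00:20:05 195.197.175.21 128.138.225.63 6 0 6667 49439 2 139
11/20 00:23:10 128.138.225.63 195.197.175.21 6 0 49439 6667 3 190
11/20 00:23:10 195.197.175.21 128.138.225.63 6 0 6667 49439 3 328
"""

def parse(text):
    """Return sorted flow timestamps keyed by (src, dst, sport, dport)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 10:  # skip damaged or partial records
            ts = datetime.strptime(f"2008/{f[0]} {f[1]}", "%Y/%m/%d %H:%M:%S")  # year from mail header
            seen[(f[2], f[3], int(f[6]), int(f[7]))].append(ts)
    return {k: sorted(v) for k, v in seen.items()}

def beacons(text, min_gaps=4, tolerance=5, share=0.6):
    """Return {flow: period_seconds} for flows whose gaps cluster on the median gap."""
    found = {}
    for key, stamps in parse(text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_gaps:
            period = median(gaps)
            near = sum(abs(g - period) <= tolerance for g in gaps)
            if near >= share * len(gaps):  # most gaps sit within tolerance of the period
                found[key] = period
    return found

if __name__ == "__main__":
    for (src, dst, sport, dport), period in beacons(FLOWS).items():
        print(f"{src}:{sport} -> {dst}:{dport} repeats every {period:.0f}s")
```

The median is used rather than the mean so that the off-schedule records at 00:15:28 do not shift the reported period.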